
interfed - Re: [inc-interfed] status update, creating combined metadata file

Subject: Interfederation

  • From: Tom Scavo
  • To: Interfederation TAC Subgroup
  • Subject: Re: [inc-interfed] status update, creating combined metadata file
  • Date: Mon, 25 Feb 2013 09:10:16 -0500
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=pass (signature verified)

On Mon, Feb 25, 2013 at 7:49 AM, Scott Koranda wrote:
>>
>> It's not clear what value InCommon Operations can add to a custom
>> metadata aggregate for LIGO.
>
> This exercise is not intended to create anything custom for
> LIGO.

Every InCommon entity that wants to interfederate needs a custom
aggregate (in effect).

> If I was only interested in furthering LIGO's federation
> I would just join the UK federation and be done with it (along
> with about 10 other federations around the world).

Then you would have other problems, the most basic problem being how
to manage a dozen copies of your metadata.

> What I would like is for LIGO to be a use case that helps
> drive international interfederation between InCommon and other
> federations.

I don't believe there is any such thing. Federation is between an IdP
and an SP. Interfederation is between an IdP and an SP in different
federations.

InCommon Operations doesn't get in the middle of the relationship
between an IdP and an SP. I don't think we (Ops) want to change that.

>> and
>> there may be enough benefit in that to warrant a centralized service
>> (there often is) but certainly LIGO can deploy a metadata aggregator
>> and get the ball rolling without assistance from Ops.
>
> Yes, I think that is what has been done with Stephen's help.
> :-)

Well, no, Stephen's metadata aggregator represents an untrusted 3rd
party. There is no basis to trust his signing key, so LIGO needs to
own this operation (or at least that's the way I see it).

> I would like to see InCommon Ops begin to think about how to
> evolve it so it can become an InCommon service more generally
> useful than for just LIGO.

I have, and I hinted about such a service in my previous message.

> I think it will be more than useful if InCommon Ops can put
> together an aggregate that has some level of vetting, probably
> determined by a mutual negotiation between InCommon and the UK
> federation (and other federations eventually), and then let
> the individual InCommon entities decide which other entities
> to trust, just as can be done now with the standard InCommon
> metadata feed.

That's essentially equivalent to what I described earlier except that
the order of operations is different. First you tell me what other
entities you want to trust and then I will securely assemble the
corresponding entity descriptors into an aggregate that you can
consume. Does that meet your needs?

> In short, I am not asking InCommon Ops to make all my trust
> decisions for me. I am asking InCommon Ops to manage a
> "platform" that makes it easy for me as an InCommon member to
> manage trust relationships with international partners.

I think we can do that but the implementation I have in mind is
different than the implementation you're thinking of. In the end, we
arrive at the same thing so I don't think the implementation matters.
(Well, it actually does matter to me since the implementation I have
in mind precludes the need for InC Ops to make a trust decision on
behalf of an InCommon entity.)

Tom


