interfed - [inc-interfed] Feb 26 notes
Subject: Interfederation
- From: Jim Basney <>
- To: <>
- Subject: [inc-interfed] Feb 26 notes
- Date: Tue, 26 Feb 2013 15:44:49 -0600
- Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc
Hi,
My notes from today's call are below.
Next week's agenda is TBD. Feel free to add your agenda items to the
wiki (https://spaces.internet2.edu/display/incinterfed).
Checking the email list membership, it appears the Friday webinar didn't
yet attract anyone new to join us.
-Jim
-----
attending: JimB, LeifJ, IanY, MarkS, TomS, SteveC, ScottC, ScottK, JohnK
LeifJ intro to Project Mario
very new, lightweight initiative by eduGAIN, ISOC, and PingID
establish global testbed for interfederation
interested in InCommon participation
policy or technology focused? technology.
Ping active in govt and SAAS projects. addressing tech issues.
looking at MDX, entity categories
aggregator implementations implement webfinger to enable
metadata consumer to find metadata feeds
not meant to modify trust properties of the system
operational/discovery/management feature
write specs, run testbeds
OIX, Kantara metadata, "fake" eduGAINs
how do we get involved? Join Google Group:
https://groups.google.com/forum/?fromgroups#!forum/project-mario
in partner gathering phase.
thinking beyond metadata aggregation?
per RP metadata feeds a big first step
getting to full dynamic is going to take a couple years
related to BGP modeling? discussion informed by this analogy.
should we "jump a generation"?
rather than getting products to support what's running out of
steam for us today
metadata is routing tables; need routing protocols for updates
SAAS vendors working with Ping want to work with I2 Net+
value proposition: end entity key roll-over
Leif sees SAML metadata adoption becoming mainstream for commercial
vendors
what are short-term goals?
create a few metadata aggregators: filtered MDX, webfinger
demonstrate interop. set up experiments.
"testbeds as a service"
zero hope short term to get commercial vendors to support dynamic
metadata acquisition; tailored feeds is best hope
getting them to update metadata at all automatically would be huge
can we start interop testing?
MarkS:
UNC federation - Steven Hopper very interested in discussing
state system interfed but conflict with our call time
happy to have him join call when he can & also email list
R&E networks InCommon interfed: discussion around IdP gateways,
metadata aggregator - Quilt group
Paul Caskey will give update next week on this.
Take-aways from Friday's TAC Community Update webinar
challenges/hurdles:
non-US privacy laws
inter-fed onboarding challenges similar to in-federation?
retroactive changes in fed membership agreements for inter-fed
use cases:
InCommon member publishing journal w/ intl subscriptions
doesn't require identities, just license info
Alan Crosswell (Columbia)
interfed with state agencies & other verticals beyond higher ed
Marc Jones
any new members on our email list since Friday? No.
Would be interesting to compare
COUNTER Code of Practice with Geant Code of Conduct
REFEDS work item on code of conduct
Canonical Interfed Use Case: TomS, ScottK, SteveC
discussion of "entities that the UK passes along to InCommon and
that InCommon makes available as a feed ... in good standing"
what is "in good standing"?
a known entity. operating in compliance with minimum set of controls.
related to JohnK's entity visibility & trust in entity state
have domains been checked for proper ownership?
what is meaning of InCommon digitally signing a document (metadata)?
would we need different keys for different metadata aggregates?
if we have criteria for "good standing",
we'd filter on that when creating metadata aggregate
or push tags and let RP filter locally
is InCommon willing to sign things that it's not authoritative for?
essential for scaling?
look to UK example: InCommon produce multiple aggregates
not an infinite number.
less than 5? matching generally useful properties.
ex. test entities versus production entities (tagged)
LIGO testing proceeding with Cardiff test IdP
(and test IdP wouldn't be in production aggregate?)
JohnK's Google Drawing about LIGO use case
areas to address:
entity visibility: basic metadata exchange
trust in the entity's state: assurance, categories
trust in the entity's intentions and actions: attribute release
for LIGO-Cardiff use case, need to share both IdPs and SPs
fundamental difference between adding IdPs versus adding SPs?
UK makes no expectation of trust in SPs?
InCommon concerned about exposure of attributes to external SPs
what if external federation imposes similar requirements on SPs?
SP requirements come from InCommon membership agreement