interfed - [inc-interfed] Mar 5 notes / Mar 12 agenda
Subject: Interfederation
List archive
- From: Jim Basney <>
- To: <>
- Subject: [inc-interfed] Mar 5 notes / Mar 12 agenda
- Date: Tue, 5 Mar 2013 13:18:14 -0600
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
- Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc
Our hot topic for next week's call is:
Can a privacy framework (Code of Conduct, etc.) help our near-term
federation use cases? Or is it too hard and we leave attribute release
to be worked out directly between IdPs and SPs (for now)?
Steven Carmody agreed to kick off our discussion next week with a review
of the current Code of Conduct work.
My summary from the call today is:
* General agreement on the InCommon SP + "foreign" IdP use case.
* Validation of ownership of entityID and scope is a requirement
for interfederation but is it domain validation or organizational
validation?
* Other requirements on technical and behavioral trust is an
open question.
-Jim
-----
attending: JimB, ScottC, SteveC, SteveT, PaulC, MarcS, IanY, JohnK, TomS
PaulC: Brief description of Authentication Gateway / Proxy IdP
At San Diego Quilt meeting, discussed authn gateway that returns
SAML but supports many authn protocols at front-end (LDAP, database,
CAS, WS-fed, SAML). Can be done with SimpleSAMLphp.
Good initial step to bring small institutions into the fold.
MarkS: This is for K-12 & community colleges that might not have
resources to run IdP directly.
3 working groups looking at options: pilots, technical, admin/policy
regionals leveraged to help small institutions engage with InCommon.
discussion pilots to test this out. regionals and U Alaska system
looking to run authentication gateways.
Use case:
An InCommon SP (example: LIGO wiki) accepts authentication from both
"international" IdPs (i.e., IdPs in other national federations) and
InCommon IdPs, where:
* The SP doesn't need to sign agreements with federations
other than InCommon.
The "international" IdP doesn't need to join InCommon.
* The SP gets all IdP metadata from InCommon.
IdP gets SP metadata from its local federation.
* The SP registers its metadata with InCommon and doesn't
need to separately send its metadata elsewhere.
IdP registers its metadata with local federation.
* This use case does not disrupt other SPs that only want to accept
InCommon IdPs.
Jim suggests we put the inverse use case ("international" SP with
InCommon IdP) on the back burner at least for today.
JohnK: change "international" to "external"?
more portable language, but don't want to lose specificity.
"international" is proxy for another legal jurisdiction?
"foreign" rather than "international"? "alien"?
Columbia University publishing house and German IdP use case
legal jurisdiction is an important consideration here
particular privacy issues with IdP in EU
who ends up being responsible for privacy agreements?
federation takes care of? federation mediates agreements?
asymmetrical: US IdPs releasing ePPN to Europe
this is a behavioral trust issue?
Ian: interfederation can't try to resolve all trust decisions at
higher levels for all members
technical trust:
what do IdP and SP need before they're ready to interfederate?
IdP/SP is truly owned by the organization? or domain validation?
Ian: domain ownership is most important
organization name in metadata is a federation-validated canonical name
interesting but not required?
domain validation more critical than organizational validation?
need to handle outsourcing use cases; delegation of permission
ownership verified for domains used as entityID or scope
domain validation is a critical requirement for UK federation
domain validation of other URLs in metadata?
not currently in UK. worthy of discussion.
what is the risk? assertions going to "someone else".
UK performs "sanity checks" on "non-critical" entries
like ACS URLs.
if InCommon were to place a rule on ACS URLs, it'd be unlikely to
impact many UK entities
we agree domain validation of entityID and scope is key
ScottC: risk of domain validation: EV versus DV certs
validate "duly appointed representative of the organization"
InCommon and UK do organizational validation of members
would mechanical domain validation be sufficient?
this is underlying assumption of PEER initiative
some type of "sponsorship" process?
federation member "vouching" for external entity?
how to resolve entity conflicts?
UK has a priority list of sources (PEER would be last)
eduGAIN has first-come first-served
behavioral trust out of scope for interfed?
privacy policy? R&S category?
widely varying interpretations for release of PII (Columbia example)
national federations in Europe all have differing interpretations of
privacy laws
REFEDS work item on extending Code of Conduct outside EU
entity would self-assert a tag (like safe harbor)
SteveC will present Code of Conduct next week
- [inc-interfed] Mar 5 notes / Mar 12 agenda, Jim Basney, 03/05/2013
Archive powered by MHonArc 2.6.16.