interfed - Re: [inc-interfed] initial draft of UKFTS 1.4
- From: Jim Basney <>
- To: <>
- Subject: Re: [inc-interfed] initial draft of UKFTS 1.4
- Date: Mon, 1 Apr 2013 15:51:19 -0500
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
- Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc
Ian,
Thanks for sharing the UKFTS (Federation Technical Specifications) doc
(http://dl.dropbox.com/u/236274/FTS-1.4-20130322.pdf).
Below are some thoughts I had while reading it.
Maybe good topics for discussion on tomorrow's call.
The doc proposes registrationAuthority="https://incommon.org" for
InCommon's entities. Maybe we could make a proposal to InCommon TAC to
formally adopt this value. Not saying InCommon would start including it
in metadata anytime soon. Just saying InCommon could decide on what the
value should be as a small step forward (if it's not decided already).
I think InCommon satisfies the following:
"Entity owners registering metadata containing <shibmd:Scope> elements
MUST demonstrate that each domain used is either owned by them, or that
specific permission has been given to them to use the domain for the
purpose of registering the entity. Federation partners are required to
have broadly similar registration practices around the domain names
registrants are permitted to use in <shibmd:Scope> elements."
- and -
"Federation partners are required to have broadly similar registration
practices around the domain names registrants are permitted to use in
http-scheme and https-scheme URIs used as entityID values."
I see that UK federation gives some flexibility to federation partners
around the <Organization> element:
"The contents of the <Organization> element in metadata for imported
entities is entirely determined by the originating registrar's
registration practices."
Though earlier the doc describes an intention to "provide a comparable
level of technical trust in imported metadata as for local metadata" so
it's still valuable to compare InCommon practices around the
<Organization> element with Section 3.9 of the UKFTS doc and see how
that compares with LIGO needs.
Other things I found particularly interesting
(if I understood correctly):
UK federation uses a single key to sign multiple metadata aggregates.
Entities owned by UK federation members "in good standing" are labeled
with <ukfedlabel:UKFederationMember/>.
UK federation members can self-assert <ukfedlabel:AccountableUsers/>.
(How does this compare with InCommon Bronze, I wonder.)
Non-production (and imported) IdPs have <wayf:HideFromWAYF/>
(planned to be replaced by an entity category).
Regards,
Jim
On 3/26/13 1:11 PM, Ian Young wrote:
> Here is the covering note I sent to our TAG members the other day
> describing the draft technical documents I mentioned in today's call. The
> more relevant one for our current discussion is the UKFTS (Federation
> Technical Specifications), most of the relevant material is in section 3.
> Most of the parts of section 3 that have change bars in the draft are worth
> skimming, with the exception of 3.10 and 3.11.
>
> All of 3.9, even the old text, is probably of interest to the LIGO use case.
>
> -- Ian
>
> Begin forwarded message:
>
>> From: Ian Young
>> <>
>> Subject: initial draft of UKFTS 1.4
>> Date: 22 March 2013 18:02:16 GMT
>> To:
>>
>> Reply-To: Ian Young
>> <>
>>
>> Dear TAG members,
>>
>> As you will recall from the last couple of meetings, I have for some time
>> been preparing a new edition of the two base technical documents for the
>> UK federation, to become UKFTS and UKTRP edition 1.4. I think it would be
>> realistic to aim for releasing this new revision after consideration at
>> the next TAG meeting, which will be in Edinburgh on April 16th.
>>
>> To give everyone the maximum time to consider the substantial additional
>> content for this edition (the current UKFTS draft is 11 pages longer than
>> 1.3.1) I have prepared snapshots of the current drafts for download:
>>
>> UKFTS: http://dl.dropbox.com/u/236274/FTS-1.4-20130322.pdf
>>
>> UKTRP: http://dl.dropbox.com/u/236274/TRP-1.4-20130322.pdf
>>
>> The more we can review in the next week or so, the less we'll have issues
>> we need to discuss in the Edinburgh meeting. So I'd greatly appreciate
>> any review feedback that TAG members can provide.
>>
>> The main areas covered by the current draft are:
>>
>> * Inter-federation metadata exchange and its implications,
>>
>> * The previously discussed trust fabric evolution, in which we move away
>> from 1024-bit keys and the use of PKIX,
>>
>> * Much more documentation of the UK federation's use of metadata
>> extensions such as MDRPI and MDUI.
>>
>> * A new proposed transition to the use of a stronger digest algorithm in
>> metadata signatures, in accordance with NIST recommendations to entirely
>> discontinue the use of SHA-1 for digital signatures after 2013.
>>
>> There is much more material which could usefully be included in a 1.4
>> revision (more about the export aggregate, usage of domains and synthetic
>> scopes, and potentially a high-level registration practice statement), and
>> if I develop additional content to the point where I think it is polished
>> enough to be included I will present new drafts before the meeting.
>> However, I'm sure you will all be aware that writing this kind of material
>> is quite tricky and as a result I expect most of that to need to be left
>> for a later edition, probably towards the end of 2013.
>>
>> Enjoy,
>>
>> -- Ian
>
>
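As an added example (not code from this thread, the UK federation or InCommon), the Python check below walks a constructed SAML metadata aggregate and applies the two registration practices quoted above: every shibmd:Scope value and every http- or https-scheme entityID host must fall within a domain the registrant has demonstrated control of, and regexp-style scopes are flagged for manual review rather than matched automatically. It also reports each entity's mdrpi:RegistrationInfo registrationAuthority and any ukfedlabel/wayf labels, so a federation operator can see at a glance where imported entities came from and how they are labelled. The InCommon registrationAuthority value is the one proposed in the draft; the second registrar value, the entityIDs, the owned-domain registry and the ukfedlabel and wayf namespace URIs are assumptions made for this example.

```python
"""Check a SAML metadata aggregate against scope and entityID registration practices.

Added example with constructed sample metadata; not the UK federation's or
InCommon's own tooling.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    # Assumed namespace URIs for the UK federation label and WAYF extensions.
    "ukfedlabel": "http://ukfederation.org.uk/2006/11/label",
    "wayf": "http://sdss.ac.uk/2006/06/WAYF",
}
LABEL_NAMESPACES = (NS["ukfedlabel"], NS["wayf"])

INCOMMON_RA = "https://incommon.org"         # value proposed in the UKFTS draft
OTHER_RA = "https://registrar.example"       # placeholder for another registrar

# Constructed registry: domains each registrant has demonstrated control of.
OWNED_DOMAINS = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.partner.example/shibboleth": {"partner.example"},
}

# Constructed aggregate: one InCommon IdP with a stray scope, one imported IdP
# with a regexp scope and labels, and one entity with no registration info.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="false">other-university.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.partner.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example"/>
      <ukfedlabel:UKFederationMember/>
      <wayf:HideFromWAYF/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="true">^.*\.partner\.example$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.unregistered.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _in_owned(name, owned):
    """True when name equals, or is a subdomain of, a domain the registrant controls."""
    return any(name == d or name.endswith("." + d) for d in owned)


def _registration_authority(entity):
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if info is None else info.get("registrationAuthority")


def _labels(entity):
    """Local names of ukfedlabel/wayf children of the entity-level Extensions."""
    ext = entity.find("md:Extensions", NS)
    if ext is None:
        return []
    return [c.tag.split("}")[-1] for c in ext
            if any(c.tag.startswith("{" + ns + "}") for ns in LABEL_NAMESPACES)]


def _scopes(entity):
    return [(s.text.strip(), s.get("regexp", "false").lower() == "true")
            for s in entity.findall(".//shibmd:Scope", NS)]


def check_aggregate(xml_text, owned_domains):
    """Return {entityID: {"registrationAuthority", "labels", "findings"}} for each entity."""
    root = ET.fromstring(xml_text)
    report = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        owned = owned_domains.get(eid, set())
        findings = []
        ra = _registration_authority(ent)
        if ra is None:
            findings.append("no mdrpi:RegistrationInfo: originating registrar unknown")
        parsed = urlparse(eid)
        if parsed.scheme in ("http", "https") and not _in_owned(parsed.hostname or "", owned):
            findings.append(f"entityID host {parsed.hostname} not among registrant's domains")
        for value, is_regexp in _scopes(ent):
            if is_regexp:
                findings.append(f"regexp scope {value!r} needs manual review")
            elif not _in_owned(value, owned):
                findings.append(f"scope {value} not among registrant's domains")
        report[eid] = {"registrationAuthority": ra, "labels": _labels(ent), "findings": findings}
    return report


if __name__ == "__main__":
    for eid, info in check_aggregate(SAMPLE_METADATA, OWNED_DOMAINS).items():
        print(eid, info["registrationAuthority"], info["labels"])
        for f in info["findings"]:
            print("   -", f)
```

Run as a script it prints one line per entity followed by its findings; the stray `other-university.edu` scope on the InCommon IdP and the unregistered SP's missing RegistrationInfo and unowned entityID host are the cases a registrar would expect to see flagged, while the imported IdP's regexp scope is surfaced for human review because subdomain matching alone cannot establish ownership of a pattern.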