
interfed - Re: [inc-interfed] Apr 2 notes / Apr 9 agenda

Subject: Interfederation

  • From: Tom Scavo
  • To: Interfederation TAC Subgroup
  • Subject: Re: [inc-interfed] Apr 2 notes / Apr 9 agenda
  • Date: Wed, 3 Apr 2013 18:02:52 -0400
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=pass (signature verified)

On Wed, Apr 3, 2013 at 5:59 AM, Ian Young wrote:
>
> On 2 Apr 2013, at 22:06, Tom Scavo wrote:
>
>>> scopes in 3 places are all identical in UK metadata.
>>> scopes in 2 places are all identical in InCommon metadata.
>>
>> There's a strict interfederation requirement lurking here: Scope is an
>> entity characteristic that is best expressed at the role level.
>
> It's not clear to me what you think the requirement is here, or who would
> be responsible for enforcing it. Perhaps if you could write a short
> sentence with MUST or REQUIRED in it, it would be more obvious.

I just posted some sample normative text to the REFEDS mailing list.

> I can't think of a real reason to regard any particular behaviour in this
> area as REQUIRED for interfederation. It's entirely harmless, for example,
> to republish the same scopes at the EntityDescriptor level as are published
> at the role level.

I can't agree with that. Permitting that kind of redundancy will lead
to situations where different scopes are published at various levels.
At the very least it is semantically unsettling.

Btw, the MDRPI spec agrees (in spirit) with respect to both the
<mdrpi:RegistrationInfo> element and the <mdrpi:PublicationInfo>
element.

> I happen to disagree about Scope being best expressed at the role level

Then we would have a larger problem since the metadata for an IdP
Proxy contains both an <md:IDPSSODescriptor> element and an
<md:SPSSODescriptor> element, and you wouldn't want to put a
<shibmd:Scope> element in the <md:Extensions> element of the
<md:EntityDescriptor> element in that case.

>>> scope regexp="false" always specified for InCommon.
>>
>> Another interfederation requirement: explicit regexp="false"
>
> I think in this case it's clearer what you mean when you say this is an
> interfederation requirement: like me, you feel that regexp="true" scopes
> from interfederation partners are too gnarly to be trusted almost
> irrespective of how careful your partner is, so you see potential harm in
> republishing them.

Yes, thank you for stating this with such clarity. I totally agree.

Thanks,
Tom

PS. I'll come back to the MDUI DisplayName / OrganizationDisplayName
issue later.
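
An added example, not part of the original message or of either federation's tooling: a metadata check for the two points debated above, flagging <shibmd:Scope> published at the <md:EntityDescriptor> level (and whether it differs from the role-level scopes) and any scope whose regexp attribute is absent or true. The function names, finding labels and the sample aggregate are constructed for illustration, and the check assumes the aggregate's signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
ROLES = ("md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor")

def scopes_in(parent):
    # shibmd:Scope elements directly inside this element's md:Extensions
    return parent.findall("md:Extensions/shibmd:Scope", NS)

def lint_scopes(xml_text):
    """Return sorted (entityID, finding) pairs; finding labels are hypothetical."""
    findings = set()
    root = ET.fromstring(xml_text)  # assumption: signature already verified
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ent.get("entityID")
        at_entity = scopes_in(ent)
        at_roles = [s for r in ROLES for d in ent.findall(r, NS) for s in scopes_in(d)]
        if at_entity:
            findings.add((eid, "scope-at-entity-level"))
            if ({(s.text or "").strip() for s in at_entity}
                    != {(s.text or "").strip() for s in at_roles}):
                findings.add((eid, "scope-differs-between-levels"))
        for s in at_entity + at_roles:
            regexp = s.get("regexp")
            if regexp is None:
                findings.add((eid, "regexp-not-explicit"))
            elif regexp in ("true", "1"):  # both are valid xs:boolean spellings
                findings.add((eid, "regexp-true"))
    return sorted(findings)

# Constructed sample, trimmed to the elements the check reads (not real metadata).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
<md:EntityDescriptor entityID="https://idp.example.org/good"><md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
</md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.org/redundant">
  <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
  <md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope regexp="false">example.net</shibmd:Scope></md:Extensions>
</md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.org/regex"><md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope regexp="true">.*example.org</shibmd:Scope>
    <shibmd:Scope>example.com</shibmd:Scope></md:Extensions>
</md:IDPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(*lint_scopes(SAMPLE), sep="\n")
```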


