Interfederation

[Ian Young <>]

On 16 Apr 2013, at 23:38, Tom Scavo 
<>
 wrote:

> On Tue, Apr 16, 2013 at 1:03 PM, John Krienke 
> <>
>  wrote:
>> 
>> 2. we don't require a technical contact in metadata.
> 
> Yes we do (https://spaces.internet2.edu/x/BomKAQ) and in fact, this is
> so important we would consider doing the following as well:
> 
> - If an entity descriptor does not have at least one technical contact
> in metadata, it will not be added to an export aggregate.

That seems redundant if you always require it anyway, or am I missing 
something?

> - If an inbound entity descriptor does not have at least one technical
> contact in metadata, it will be dropped on the floor (to use Ian's
> metaphor).

I used punched cards a couple of times in my youth, and the image stuck with 
me ;-)

That kind of constraint won't cause any problems with the UKf in particular 
in the short term, but I think if you go down that road it may well bite you 
eventually.  The UKf machinery doesn't require any particular contacts to be 
present, and I don't think the consequences of letting entities without a 
technical contact through are serious enough that I'd want to change that.

There are a couple of reasons we've taken that position.  One is that the 
metadata specification is silent on the meaning of each of the different 
contact types.  The natural consequence of this is that the purpose you 
intend for "technical" may actually be served by some other contact type in 
metadata from a different registrar.

The more serious problem is that Contact information is clearly intended to 
refer to a *person*, which means that federations which are extremely 
cautious about data protection may wish to move away from publishing it to 
comply with what they see as their obligations under local privacy 
legislation.  Saying "we won't accept any of your entities unless you break 
the law as you see it" is a very simple statement to make, but one you're 
unlikely to make much headway with should it come to that.

For the avoidance of doubt, I'm not saying that such a concern would be 
justified either for the UKf (which recommends that the technical and support 
roles should not be personal accounts, but cannot guarantee that they are) or 
for anyone else.  With the FUD surrounding EU DP legislation, though, that's 
not the relevant consideration.  We felt that the eduGAIN service had no 
business interpreting the law on behalf of all participant federations and as 
a result the revised eduGAIN metadata profile no longer requires any 
particular contact information.

Today, I'm glad to say, all the entities in both the UKf and eduGAIN export 
aggregates *do* include "technical" contacts.  I'm just saying that (a) that 
may not be true forever and (b) they may not mean what you think they mean.

        -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature