interfed - [inc-interfed] June 4 agenda / May 28 notes

Subject: Interfederation

  • From: "Basney, Jim" <>
  • To: "" <>
  • Subject: [inc-interfed] June 4 agenda / May 28 notes
  • Date: Tue, 28 May 2013 19:02:13 +0000

Proposed agenda for June 4 call (next week):

* Value proposition for InCommon joining eduGAIN

Unfortunately some will miss next week's call due to TNC2013.

Minutes from May 28 call:

attending: JimB, IanY, ScottC, ScottK, TomS, ChrisP, JohnK

Regrets from SteveC. ChrisP and JohnK arriving late.
Today's topic: http://edugain.org/policy
Can InCommon do what eduGAIN requires?
Does eduGAIN do what InCommon requires?
Policy Declaration seems reasonable.
Policy requires federation to comply with entire Policy Framework.
IanY: Changes to Policy Framework much better managed now.
IanY: Note that it's a unilateral declaration, not an agreement.
Since it doesn't form a contract, enforceability is very limited.
Don't want a legally liable organization in the center (eduGAIN).
ScottK: Could LIGO join eduGAIN?
IanY: Not explicitly ruled out but there would be questions.
Might be concern about federations not at nat'l level hurting
governance/voting process.
Next discussing Constitution v2.0:
Note GEANT Exec as eduGAIN Executive Committee.
SteveC had a question about future plans for GEANT role.
GEANT funds it, so natural for them to control.
NREN CEO Forum discussing strategic plans related to eduGAIN.
About 20 NRENs represented in this forum.
SteveC could ask ShelW about this?
eduGAIN Steering Group (one vote per federation) has significant
control.
Current docs represent a rebalancing of control between executive
committee and steering group. Past concern about rigidity of
executive committee. Now steering group is driving force and executive
committee is mainly ratifying board. Also separate policy group that
generates docs to bring to steering group.
Requirement for publishing registration practice statement fairly weak
in practice. Probably https://www.incommon.org/policies would meet
this requirement.
Past concern that eduGAIN requirements might change without sufficient
representation by members.
Constitution now discourages mandatory requirements being added
post-facto.
Mundane changes require majority vote of active steering group members.
Changes to constitution require two-thirds of current members.
If not explicitly in Section 3.1 of constitution, then not mandatory
for participant federations.
Adding new mandatory requirement requires change to Section 3.1 which
requires two-thirds vote.
Section 3.1 of constitution doesn't lock to specific version of
metadata profile. Could be changed with simple majority vote?
Similarly declaration doesn't say which version of constitution is in
force. That way members don't need to re-sign the declaration when
constitution changes. Members can always leave per Constitution
Section 3.4 (leaving eduGAIN).
New metadata profile has better focus - only describing metadata sent
to eduGAIN by federations. No longer talks about consuming metadata.
Any changes required by InCommon to support Metadata Profile v3?
* InCommon would need to add RegistrationInfo elements.
Constitution refers to "eduGAIN SAML 2.0 Metadata Profile" but this
document doesn't have 2.0 in the title.
Note eduGAIN Metadata Profile v3 requires conformance to
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.pdf.
JohnK has concerns about requirements brought in by sstc-metadata-iop:
* everything in metadata is "true"
* MUST remove compromised keys
ScottC says IOP is not a policy document. Telling implementer to not
create additional policy layers -- act as if metadata is true.
IanY: Metadata profile doesn't address registration practice/policy.
JohnK: Policy Declaration #4 requires notification of change in
validation of entities. But no eduGAIN requirements on registration of
domains?
IanY: eduGAIN provides links to federation registration practices, but
not requirements on those practices.
JohnK: eduGAIN as a policy framework versus eduGAIN as a service.
JohnK: eduGAIN framework doesn't give enough help to federation
operators when helping participants trust other entities, because
there are no requirements on registration practices.
IanY: Yes, having to go through the federation documents individually
is more work for federation operators, versus some eduGAIN level
guarantees.
TNC2013 next week.
ScottK hoping for discussion in 2 weeks about InCommon perspective of
eduGAIN. He needs statement to give to LIGO.
JohnK: Still struggling to see what eduGAIN gets us.



