
interfed - Re: [inc-interfed] value of InCommon joining eduGAIN

Subject: Interfederation

  • From: John Krienke
  • Cc: "Basney, Jim"
  • Subject: Re: [inc-interfed] value of InCommon joining eduGAIN
  • Date: Tue, 28 May 2013 18:08:50 -0400
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none

A good list. Some additions below. I'll try to write up a few other things separately as well.

On 5/28/13 4:15 PM, Basney, Jim wrote:
Following on to our phone discussion today, some thoughts on the value
proposition for InCommon joining eduGAIN.

Benefits:
* Multilateral exchange of metadata across established federations.
* Directory of federation contacts and links to policy docs at
http://www.edugain.org/technical/status.php.


We don't really get the first benefit without the big cost of determining trust described below. So what is the remaining benefit? I see a few:

* Shared Metadata profile that addresses security of MD
* Shared Attribute profile
* Shared governance on requirements and recommendations for international federation operations and policy
* Few constraints on independent policy and operations (Ian spoke about this on the call, if I captured this well. I mentioned that the flip side of this coin is risk, which I noted below).

Costs:

The biggest one is:

* Effort to analyze each federation's RPS and other policies to determine trustworthiness of metadata.

Once this is accomplished, we can start providing a trustworthy aggregate. One of the questions on the table is, can we provide an untrustworthy aggregate that would be of some use beforehand? This is one of those questions. Is there value in a technical aggregation of metadata sources that contains no claims of trust, ownership, veracity, or validity? It's a real question. I hear some edging toward yes, and I'm trying to understand why that is. Does this create a race to the bottom in trust?

* Legal effort to sign eduGAIN declaration.
* Effort to add RegistrationInfo elements to InCommon metadata.
* Effort to publish interfed metadata aggregate to InCommon members.
* Ongoing participation in eduGAIN steering group.
* Handling interfederation technical support, complaints, and incidents.

Non-benefits:

Perhaps we should call non-benefits, Risks. I would word some of the other
risks as:

* No claims about security of md registrations and veracity of md ownership (source)
* No claims about security or possession of keys or domains in md (content)
* No claims about organizational naming or misnaming of entities listed in md (ownership)


* No consistent standard for entity registration.
Need to check each federation's registration practice statement.
* No consistent level of assurance of identities.
* SPs need to negotiate attribute release directly with IdPs.


john.



