Subject RE: Comparison of eP(S)A values
From "Andrew Cormack" <Andrew.Cormack@xxxxxx>
Date Thu, 1 Oct 2009 10:02:42 +0100

> -----Original Message-----
> From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
> Sent: 22 September 2009 15:31
> To: Andrew Cormack
> Cc: REFeds; Mikael Linden; mace-dir
> Subject: Re: [refeds] Comparison of eP(S)A values
> Andrew, Mikael:
> In the spirit of your conclusion, unless there are driving real world
> use cases where the value "employee" becomes critical in an
> interfederation context, it's probably not worth spending precious
> cycles worrying our brains about it.

We very much hope that's the case.

> In general, MACE-Dir folks would like to know if there are real world
> or planned usage scenarios for each of the other values.

As far as I know, the GN3 project is developing a set of use cases to
look at, so I'd hope that could either identify those requirements, or
else increase the likelihood that they don't exist.

My personal suspicion, and I've not yet found any counter-examples, is
that real-world access control (particularly for cross-domain
applications) either depends on simple membership of a particular
organisation or on being a particular person. There are some useful
groupings of particular people - students on course X is an obvious one,
or budget holders - but those seem to be ad hoc lists of particular
people rather than being derived from any other characteristic. Even if
someone did try to implement an access rule that, for example, included
faculty but excluded students then there are sufficient individuals who
are in both groups (most PhD students!) that the rule would be pretty
leaky anyway. Within a single organisation there may be use cases that
depend on things like "does this person have an employment contract",
but there the IdP and SP are going to be in the same management domain
so shouldn't suffer from different definitions of a particular value.

> Finally, the trickier questions:  Should the eP spec be revised to
> include something like your bolded definitions?  If so, what is the
> process and who should be involved, who (or what organization) should
> issue it.  If not, should your document be considered to "profile" eP
> for inter-federation scenarios?

If possible, I'd much prefer simple definitions to be included in the
eduPerson spec. Putting them in an inter-federation profile risks
another federation discovering that they have chosen the wrong
interpretation only when they think about inter-federation, i.e. *after*
they have rolled it out to tens or hundreds of IdPs and SPs :-(

I don't know what the process for updating that spec is, but if there's
anything I can do to help, please let me know. The suggested definitions
in our paper are very much suggestions, but I'm very happy to make them
freely available if they are useful.


> I can imagine how painstaking the efforts were in pulling
> together that document, thank you.
>
> --Keith
> __________
> On Sep 22, 2009, at 04:12, Andrew Cormack wrote:
> > Keith/Michael
> >
> > [Could one of you forward this to MACE-DIR, if appropriate, since
> > pretty sure it'll reject my attempt to post there?]
> >
> > Many thanks for the feedback and for giving it time on the MACE-DIR
> > agenda. All suggestions, corrections and comments very welcome. I'm
> > planning on producing a final version of the paper after the Refeds
> > meeting in Rome on the 20-somethingth of October (that meeting
> > also produce some slides to accompany the paper). Comments in-line
> > below.
> >
> >> -----Original Message-----
> >> From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
> >> Sent: 21 September 2009 20:49
> >> To: refeds@xxxxxxxxxx
> >> Cc: Andrew Cormack; Mikael Linden; mace-dir
> >> Subject: Re: [refeds] Comparison of eP(S)A values
> >>
> >> We'll be talking over this usage comparison doc on today's MACE-Dir
> >> call.
> >>
> >> Please consider the following an historical note:
> >>
> >> The value "employee" was included in the controlled vocabulary for
> >> eP*A since the first release of eduPerson (1.0, Feb., 2001). I have
> >> distinct memories (but no documents) that we included that
> >> specifically to cover the UK case where teachers, researchers and
> >> other workers are lumped under a single term.  "Employee" was
> >> intended to serve as this single term.  Unfortunately this intended
> >> usage was never made explicit in the eduPerson specification.
> >> According to Andrew and Mikael's usage comparison, the UK term of
> >> preference would be "staff" rather than "employee."
> >
> > Indeed it seems we latched onto "staff" as having that meaning,
> > whereas everyone else followed the US in using that for
> > and either used "employee" more or less as intended or ignored the
> > category. Sigh, especially if the whole reason for creating it was to
> > meet the UK requirements :-(
> >
> >> I bring this up only because the proposed definition in the REFEDS
> >> document is "staff" are "workers other than teachers or
> >> researchers."  This would seem to go against UK Access Management
> >> Federation usage.  Is this particular category of affiliation worth
> >> further discussion?
> >
> > Indeed it is the reverse of our current usage, but it seems to be what
> > everyone else uses it for, so I felt the document should go with the
> > majority.
> >
> > I've suggested internally that we have a think about how much pain would
> > be caused for UK federation IdPs if we were to ask them to swap over the
> > terms, and for SPs in coping with a period of transition where the
> > meanings of both "staff" and "employee" will depend on whether or not
> > the IdP concerned has switched. I'm hoping that not too many SPs
> > decided to use that value in their authorisation decisions so that only
> > a few are affected and we can persuade them that it's not
> >
> > Overall I'm viewing "staff" as a problem that only requires us to change
> > to fix it, whereas the use of "employee" is much more varied so if
> > want to standardise it then several federations will need to change
> > their current practice.
> >
> > Best wishes
> > Andrew
> >
> >>
> >>                --Keith
> >
> >
> >
> > --
> > Andrew Cormack, Chief Regulatory Adviser
> > JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
> > Campus, Didcot, OX11 0SG, UK
> > Phone: +44 (0) 1235 822302
> > Fax: +44 (0) 1235 822399
> >
> > JANET, the UK's education and research network
> >
> > JANET(UK) is a trading name of The JNT Association, a company
> > by guarantee which is registered in England under No. 2881024
> > and whose Registered Office is at Lumen House, Library Avenue,
> > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
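The transition problem Andrew describes, where "staff" and "employee" mean different things depending on whether a given IdP has switched, is one an SP can contain on its own side. The following is an added example (not code from this thread, from JANET(UK), or from any federation) of a normalisation step that maps eduPersonScopedAffiliation values to the meaning the SP relies on, keyed by the IdP's scope. The scope names, the legacy-scope list and the rule "require an explicit employee assertion" are constructed assumptions for illustration.

```python
# Added example: SP-side normalisation of eduPersonScopedAffiliation values
# whose meaning differs per federation. Not code from the thread.
from typing import Dict, List, Set, Tuple

# Constructed configuration (assumption): scopes whose IdP still uses the
# legacy UK reading, in which "staff" covers every employee and the value
# "employee" is not asserted at all.
LEGACY_UK_SCOPES: Set[str] = {"old.example.ac.uk"}


def parse_scoped(values: List[str]) -> List[Tuple[str, str]]:
    """Split 'value@scope' strings into (value, scope); reject malformed input
    rather than silently granting or denying on it. Values and scopes are
    compared case-insensitively here (assumption)."""
    out = []
    for v in values:
        if v.count("@") != 1 or v.startswith("@") or v.endswith("@"):
            raise ValueError(f"malformed scoped affiliation: {v!r}")
        value, scope = v.split("@")
        out.append((value.lower(), scope.lower()))
    return out


def normalise(value: str, scope: str) -> Set[str]:
    """Map one raw value to the meanings this SP uses:
    'employee' = has an employment contract (umbrella term),
    'staff'    = worker other than a teacher or researcher (majority reading)."""
    if scope in LEGACY_UK_SCOPES and value == "staff":
        # Under the legacy reading 'staff' meant any employee, so the only safe
        # conclusion is 'employee'; whether the person is non-academic is unknown.
        return {"employee"}
    return {value}


def effective_affiliations(values: List[str]) -> Dict[str, Set[str]]:
    """Normalised affiliation set per scope (IdP)."""
    result: Dict[str, Set[str]] = {}
    for value, scope in parse_scoped(values):
        result.setdefault(scope, set()).update(normalise(value, scope))
    return result


def allow_employees(values: List[str], home_scope: str) -> bool:
    """Grant only to employees of the expected home organisation. Scopes other
    than home_scope are ignored, and an IdP using the majority reading must
    assert 'employee' explicitly; 'staff' alone is not taken to imply it."""
    return "employee" in effective_affiliations(values).get(home_scope, set())
```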