Subject Re: Comparison of eP(S)A values
From Keith Hazelton <hazelton@xxxxxxxxxxxxx>
Date Thu, 01 Oct 2009 11:14:24 -0500

Seems reasonable to request MACE-Dir to do updates to the eduPerson spec. Back with more info shortly.

            --Keith Hazelton
On Oct 1, 2009, at 04:02, Andrew Cormack wrote:

-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 22 September 2009 15:31
To: Andrew Cormack
Cc: REFeds; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

Andrew, Mikael:

In the spirit of your conclusion, unless there are driving real world
use cases where the value "employee" becomes critical in an
interfederation context, it's probably not worth spending precious
cycles worrying our brains about it.

We very much hope that's the case.

In general, MACE-Dir folks would like to know if there are real world
or planned usage scenarios for each of the other values.

As far as I know, the GN3 project is developing a set of use cases to
look at, so I'd hope that could either identify those requirements, or
else increase the likelihood that they don't exist.

My personal suspicion, and I've not yet found any counter-examples, is
that real-world access control (particularly for cross-domain
applications) either depends on simple membership of a particular
organisation or on being a particular person. There are some useful
groupings of particular people - students on course X is an obvious one,
or budget holders - but those seem to be ad hoc lists of particular
people rather than being derived from any other characteristic. Even if
someone did try to implement an access rule that, for example, included
faculty but excluded students, then there are sufficient individuals who
are in both groups (most PhD students!) that the rule would be pretty
leaky anyway. Within a single organisation there may be use cases that
depend on things like "does this person have an employment contract",
but there the IdP and SP are going to be in the same management domain
so shouldn't suffer from different definitions of a particular value.

Finally, the trickier questions:  Should the eP spec be revised to
include something like your bolded definitions?  If so, what is the
process and who should be involved, who (or what organization) should
issue it.  If not, should your document be considered to "profile" eP
for inter-federation scenarios?

If possible, I'd much prefer simple definitions to be included in the
eduPerson spec. Putting them in an inter-federation profile risks
another federation discovering that they have chosen the wrong
interpretation only when they think about inter-federation, i.e. *after*
they have rolled it out to tens or hundreds of IdPs and SPs :-(

I don't know what the process for updating that spec is, but if there's
anything I can do to help, please let me know. The suggested definitions
in our paper are very much suggestions, but I'm very happy to make them
freely available if they are useful.


            I can imagine how painstaking the efforts were in pulling
together that document, thank you.   --Keith
On Sep 22, 2009, at 04:12, Andrew Cormack wrote:


[Could one of you forward this to MACE-DIR, if appropriate, since I'm
pretty sure it'll reject my attempt to post there?]

Many thanks for the feedback and for giving it time on the MACE-DIR
agenda. All suggestions, corrections and comments very welcome. I'm
planning on producing a final version of the paper after the Refeds
meeting in Rome on the 20-somethingth of October (that meeting
also produce some slides to accompany the paper). Comments in-line

-----Original Message-----
From: Keith Hazelton [mailto:hazelton@xxxxxxxxxxxxx]
Sent: 21 September 2009 20:49
To: refeds@xxxxxxxxxx
Cc: Andrew Cormack; Mikael Linden; mace-dir
Subject: Re: [refeds] Comparison of eP(S)A values

We'll be talking over this usage comparison doc on today's MACE-Dir

Please consider the following an historical note:

The value "employee" was included in the controlled vocabulary for
eP*A since the first release of eduPerson (1.0, Feb., 2001).  I have
distinct memories (but no documents) that we included that
specifically to cover the UK case where teachers, researchers and
other workers are lumped under a single term.  "Employee" was
intended to serve as this single term.  Unfortunately this intended
usage was never made explicit in the eduPerson specification.
According to Andrew and Mikael's usage comparison, the UK term of
preference would be "staff" rather than "employee."

Indeed it seems we latched onto "staff" as having that meaning,
everyone else followed the US in using that for
and either used "employee" more or less as intended or ignored the
category. Sigh, especially if the whole reason for creating it was to
meet the UK requirements :-(

I bring this up only because the proposed definition in the REFEDS
document is "staff" are "workers other than teachers or
researchers."  This would seem to go against UK Access Management
Federation usage.  Is this particular category of affiliation worth
further discussion?

Indeed it is the reverse of our current usage, but it seems to be what
everyone else uses it for, so I felt the document should go with the

I've suggested internally that we have a think about how much pain would
be caused for UK federation IdPs if we were to ask them to swap
over the
terms, and for SPs in coping with a period of transition where the
meanings of both "staff" and "employee" will depend on whether or not
the IdP concerned has switched. I'm hoping that not too many SPs
decided to use that value in their authorisation decisions so that
a few are affected and we can persuade them that it's not

Overall I'm viewing "staff" as a problem that only requires us to
to fix it, whereas the use of "employee" is much more varied so if we
want to standardise it then several federations will need to change
their current practice.

Best wishes


Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
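
Added example (not code from this thread, from the eduPerson specification, or from any federation) illustrating the access-control point Andrew makes above: rules keyed on membership of a named organisation or on a named person hold up across domains, while a rule such as "faculty but not student" gives different answers for the same person depending on which values the IdP happens to release. It also shows an SP discarding scoped values whose scope the asserting IdP is not authorised for, and a per-IdP map an SP could use during the "staff"/"employee" transition period Andrew describes. The entity IDs, scopes, principal names and the two registries are constructed for the example.

```python
"""Evaluating eduPersonScopedAffiliation at a Service Provider (SP).

Added example for this thread; it is not code from the thread, from
eduPerson, or from any federation. It demonstrates:
  * the two rule shapes that hold up across domains: membership of a
    named organisation (the scope) and identity of a named person (ePPN);
  * why a rule of the form "faculty but not student" is leaky for people
    who carry both values, such as a PhD student who also teaches;
  * discarding values whose scope the asserting IdP is not authorised for;
  * a per-IdP map an SP could use while some UK IdPs still send "staff"
    with the meaning the thread says "employee" was intended to carry.
Entity IDs, scopes, principal names and the registries below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Assertion:
    idp: str                        # entityID of the asserting IdP (constructed)
    eppn: str                       # eduPersonPrincipalName
    scoped_affiliation: List[str]   # eduPersonScopedAffiliation, multi-valued


# Scopes each IdP is allowed to assert. In Shibboleth deployments this is
# taken from the <shibmd:Scope> elements in the IdP's federation metadata.
TRUSTED_SCOPES = {
    "https://idp.example.ac.uk/idp": {"example.ac.uk"},
    "https://idp.example.edu/idp": {"example.edu"},
}

# IdPs still on the pre-switch UK vocabulary (assumption: a real SP would
# take this from federation metadata or an operator-maintained list).
PRE_SWITCH_UK_IDPS = {"https://idp.example.ac.uk/idp"}


def normalise(idp: str, value: str) -> str:
    """Map a raw affiliation value to its inter-federation meaning."""
    if idp in PRE_SWITCH_UK_IDPS and value == "staff":
        return "employee"   # pre-switch UK "staff" covered all workers
    return value


def affiliations(a: Assertion) -> Set[Tuple[str, str]]:
    """Return {(affiliation, scope)}, keeping only scopes the IdP may assert."""
    allowed = TRUSTED_SCOPES.get(a.idp, set())
    out = set()
    for raw in a.scoped_affiliation:
        if "@" not in raw:
            continue                        # malformed: not a scoped value
        value, scope = raw.rsplit("@", 1)
        value, scope = value.lower(), scope.lower()
        if scope not in allowed:
            continue                        # IdP is not authoritative for this scope
        out.add((normalise(a.idp, value), scope))
    return out


def member_of_org(a: Assertion, scope: str) -> bool:
    """Rule shape 1: any affiliation at the named organisation."""
    return any(s == scope.lower() for _, s in affiliations(a))


def is_person(a: Assertion, eppn: str) -> bool:
    """Rule shape 2: a specific named person."""
    return a.eppn.lower() == eppn.lower()


def faculty_not_student(a: Assertion) -> bool:
    """The leaky rule: its answer depends on which values the IdP releases."""
    values = {v for v, _ in affiliations(a)}
    return "faculty" in values and "student" not in values


# Constructed sample assertions.
LECTURER = Assertion("https://idp.example.edu/idp", "lee@example.edu",
                     ["faculty@example.edu", "member@example.edu"])
PHD_TEACHER = Assertion("https://idp.example.edu/idp", "pat@example.edu",
                        ["faculty@example.edu", "student@example.edu",
                         "member@example.edu"])
# The same PhD student as seen by an IdP that only records the teaching role.
PHD_TEACHER_PARTIAL = Assertion("https://idp.example.edu/idp", "pat@example.edu",
                                ["faculty@example.edu", "member@example.edu"])
UK_WORKER = Assertion("https://idp.example.ac.uk/idp", "sam@example.ac.uk",
                      ["staff@example.ac.uk", "member@example.ac.uk",
                       "faculty@example.edu"])   # last value: scope not trusted for this IdP

if __name__ == "__main__":
    for name, a in [("lecturer", LECTURER), ("phd teacher", PHD_TEACHER),
                    ("phd teacher (partial)", PHD_TEACHER_PARTIAL),
                    ("uk worker", UK_WORKER)]:
        print(f"{name:22} faculty_not_student={faculty_not_student(a)} "
              f"member_of_org(example.edu)={member_of_org(a, 'example.edu')} "
              f"affiliations={sorted(affiliations(a))}")
```

The two PHD_TEACHER assertions are the leak in miniature: the same person is admitted or refused by the "faculty but not student" rule purely according to how much the IdP chose to release, whereas the organisation and named-person rules give the same answer either way. The scope check matters in inter-federation because an SP that accepts "faculty@example.edu" from any IdP lets one organisation assert affiliations on behalf of another.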