Subject Re: draft charge, refeds working group on attribute release
From Lucy Lynch <llynch@xxxxxxxxxxxxxxxx>
Date Fri, 1 Jul 2011 12:00:35 -0700 (PDT)

On Fri, 1 Jul 2011, David Chadwick wrote:

I think we should accept that Facebook and its Authn API forms the basic LOA 1 federation of the Internet. No assurance, no validity of user claims. But they will (almost always) come from the same user as self asserted attributes.

Where academic federations can add real value is by moving to LOA 2 and making that the basic minimum necessary to join. This adds real assurance to SPs. (Nicole. this may be where we diverge in opinion I believe, since the UK AMF does not provide such assurance. It should).

Folks may want to take a look at the current OpenID Connect work and
the plans for combining this extended model with OAuth and JSON based

OpenID Connect

Current OAuth 2.0 draft

WOES - Web Object Encryption and Signing
Draft Charter:

- Lucy



On 01/07/2011 09:11, Licia Florio wrote:
> Hi Mikael,
> I think you provided a very good summary of the discussion so far.
> I think federations are not there to compete with facebook (and alike),
> although if a user-community being in the position to choose decided to
> go for facebook, then maybe federations should wonder if their marketing
> is good enough.
> I do believe that it is important for REFEDS (especially in light of
> inter-federation discussion) to engage with different communities and at
> least try to explain to them the benefits of using NRENs federations,
> but ultimately it will be up to them to decide.
> We do know that especially for SPs offering their services to different
> federations can be a pain, so maybe we should try and make some of the
> processes easier.
> So I think the message for the IRISC workshop in September should
> something like "this is what you get using id-federations;
> id-federations are happy to support you; this is what you get using
> openId-facebook, up to you to decide". I don't think there is much more
> we can do really.
> cheers,
> Licia
>> Hi,
>> A few comments on some mails on the list today.
>> People have doubts if we should put at all effort on making our federations serve the researchers' needs. As long as our federations are operated by NRENs (Research and Education Networks) I can't imagine any other answer than yes we should. As Leif and David wrote, it's an opportunity for us.
>> Nicole wrote that there are just few scientific resources in any federations. True, but in Kalmar union, I have realized that the scientific resources' weight grows in an interfederation, because research is international and the researchers from different countries collaborate and share scientific resources (such as data, services, machines, instruments...). When the CLARIN community (the language research network, heard of Kalmar, they registered SPs to it even from Germany and the Netherlands. Via Kalmar, they get all the Nordic linguists to their SPs. I have started to believe that scientific resources will be the killer application for interfederation and we should study them more.
>> I agree with Nicole that if the researchers are happy with OpenID/Facebook identities, then we don't need to care about them. But OpenID can't provide reliable LOA and affiliation attributes, which makes researchers need our federations. Josh said affiliation attribute is interesting  just for publishers. I would add that also researchers are interested in affiliation, because several scientific resources are permitted only for research use (ePA=faculty).
>> Chad wrote the researchers should come to us with firm requirements. True, but we should help them to articulate those requirements, because we are the experts in identity and federations. We needed more structured discussion with them. Facilitating that discussion has been a motivation for the IRISC workshop ( in September next to the REFEDS meeting. Hopefully I'll see many federations people there, as well.
>> Nicole wanted evidence that research communities want a simple customer experience. I have been talking with the CLARIN project for a couple of years (they also visited a TF-EMC2 meeting some years ago). CLARIN has 7 (in the long run 25) SPs delivering linguistic data to linguists in 176 IdPs which spread all over Europe.  CLARIN has made a statement that as long as eduGAIN (or any other interfederation) has an opt-in process for downlink metadata (i.e. an SP admin needs to persuade 176 IdP admins to configure attribute release to their SP), they are not going to use it. CLARIN people are coming to the IRISC workshop to repeat this statement, and their speak is scheduled right after Valter's eduGAIN presentation. ;)
>> Cheers,
>> mikael


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5