Refeds


Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Fri, 01 Jul 2011 21:01:56 +0100

But once they have added all the crypto to JSON it wont be any simpler than XML, which is what they are trying to get away from.

David

On 01/07/2011 20:00, Lucy Lynch wrote:
On Fri, 1 Jul 2011, David Chadwick wrote:

I think we should accept that Facebook and its Authn API forms the
basic LOA 1 federation of the Internet. No assurance, no validity of
user claims. But they will (almost always) come from the same user as
self asserted attributes.

Where academic federations can add real value is by moving to LOA 2
and making that the basic minimum necessary to join. This adds real
assurance to SPs. (Nicole. this may be where we diverge in opinion I
believe, since the UK AMF does not provide such assurance. It should).

Folks may want to take a look at the current OpenID Connect work and
the plans for combining this extended model with OAuth and JSON based
tokens:

OpenID Connect
http://openidconnect.com/

Current OAuth 2.0 draft
http://tools.ietf.org/html/draft-ietf-oauth-v2-16

WOES - Web Object Encryption and Signing
Draft Charter:
http://www.ietf.org/mail-archive/web/woes/current/msg00077.html
Drafts: http://datatracker.ietf.org/doc/draft-rescorla-jsms/
http://datatracker.ietf.org/doc/draft-jones-json-web-signature/
https://datatracker.ietf.org/doc/draft-jones-json-web-token/

- Lucy



regards

David


On 01/07/2011 09:11, Licia Florio wrote:
> Hi Mikael,
>
> I think you provided a very good summary of the discussion so far.
>
> I think federations are not there to compete with facebook (and alike),
> although if a user-community being in the position to choose decided to
> go for facebook, then maybe federations should wonder if their
marketing
> is good enough.
>
> I do believe that it is important for REFEDS (especially in light of
> inter-federation discussion) to engage with different communities
and at
> least try to explain to them the benefits of using NRENs federations,
> but ultimately it will be up to them to decide.
>
> We do know that especially for SPs offering their services to different
> federations can be a pain, so maybe we should try and make some of the
> processes easier.
>
> So I think the message for the IRISC workshop in September should
> something like "this is what you get using id-federations;
> id-federations are happy to support you; this is what you get using
> openId-facebook, up to you to decide". I don't think there is much more
> we can do really.
>
> cheers,
> Licia
>
>> Hi,
>> A few comments on some mails on the list today.
>>
>> People have doubts if we should put at all effort on making our
federations serve the researchers' needs. As long as our federations
are operated by NRENs (Research and Education Networks) I can't
imagine any other answer than yes we should. As Leif and David wrote,
it's an opportunity for us.
>>
>> Nicole wrote that there are just few scientific resources in any
federations. True, but in Kalmar union, I have realized that the
scientific resources' weight grows in an interfederation, because
research is international and the researchers from different countries
collaborate and share scientific resources (such as data, services,
machines, instruments...). When the CLARIN community (the language
research network, www.clarin.eu) heard of Kalmar, they registered SPs
to it even from Germany and the Netherlands. Via Kalmar, they get all
the Nordic linguists to their SPs. I have started to believe that
scientific resources will be the killer application for
interfederation and we should study them more.
>>
>> I agree with Nicole that if the researchers are happy with
OpenID/Facebook identities, then we don't need to care about them. But
OpenID can't provide reliable LOA and affiliation attributes, which
makes researchers need our federations. Josh said affiliation
attribute is interesting just for publishers. I would add that also
researchers are interested in affiliation, because several scientific
resources are permitted only for research use (ePA=faculty).
>>
>> Chad wrote the researchers should come to us with firm
requirements. True, but we should help them to articulate those
requirements, because we are the experts in identity and federations.
We needed more structured discussion with them. Facilitating that
discussion has been a motivation for the IRISC workshop
(http://irisc-workshop.org/irisc2011-helsinki/) in September next to
the REFEDS meeting. Hopefully I'll see many federations people there,
as well.
>>
>> Nicole wanted evidence that research communities want a simple
customer experience. I have been talking with the CLARIN project for a
couple of years (they also visited a TF-EMC2 meeting some years ago).
CLARIN has 7 (in the long run 25) SPs delivering linguistic data to
linguists in 176 IdPs which spread all over Europe. CLARIN has made a
statement that as long as eduGAIN (or any other interfederation) has
an opt-in process for downlink metadata (i.e. an SP admin needs to
persuade 176 IdP admins to configure attribute release to their SP),
they are not going to use it. CLARIN people are coming to the IRISC
workshop to repeat this statement, and their speak is scheduled right
after Valter's eduGAIN presentation. ;)
>>
>> Cheers,
>> mikael
>>
>
>

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site:
http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************



--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************