Subject Re: draft charge, refeds working group on attribute release
From John Bradley <ve7jtb@xxxxxxxxxx>
Date Fri, 1 Jul 2011 16:41:25 -0400

While it is true that signed and encrypted JWT will be more complicated than simple JSON.  

The complexity will be closer to SAML SimpleSign than XMLdsig.  

Facebook is currently using something similar (asymmetric only) to JWT called webkeys.

There is deployment experience on this.  We hope to be striking a good balance.  

SAML inherits a bad rap from XML canonicalization.  Simple sign  was an attempt to address that, but it was not picked up.

From a protocol point of view Facebook is arguably at LoA 2 using the web server flow.  
It is identity proofing and primary authentication where they lack.

That may not change anytime soon as being uncertain about users identities may provide a desirable plausible deniability for them.

Other providers like Google may be more interested in mechanisms to prevent account hijacking.

Many internet SP are not that concerned about traditional LoA,  they are more interested in profile info, even if it is self asserted.

Some of the NSTIC discussions are clearly predicated on the premise that SP-800-63 is only informative outside the Gov.
From NIST on June 29, 2011

NIST is pleased to announce the release of Draft Special Publication 800-63 Revision 1E-Authentication Guideline, for a third public comment period.  This publication is available on CSRC at

This publication supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. 
Note that this document may inform, but is not intended to constrict or constrain the development or use of standards for implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63 is specifically designated as a guideline for use by Federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” While NIST SP 800-63 may be a starting point for discussion on NSTIC, decisions on approaches to e-authentication in the Identity Ecosystem will be developed through a separate path. For more information, please see

Comments on the third draft of 800-63-1 will be accepted through July 29, 2011, and are encouraged to be submitted in the format provided in the Comment Template.
Please submit comments to eauth-comments@xxxxxxxx.

So I don't think we have all of the experience necessary yet to say what a interoperable LoA 2 like standard would be yet.

Hopefully LEGO will teach is something at LoA 1.

Not that federations and institutions should not attempt to be as secure as possible. 

John Bradley

On 2011-07-01, at 4:01 PM, David Chadwick wrote:

But once they have added all the crypto to JSON it wont be any simpler than XML, which is what they are trying to get away from.


On 01/07/2011 20:00, Lucy Lynch wrote:
On Fri, 1 Jul 2011, David Chadwick wrote:

I think we should accept that Facebook and its Authn API forms the
basic LOA 1 federation of the Internet. No assurance, no validity of
user claims. But they will (almost always) come from the same user as
self asserted attributes.

Where academic federations can add real value is by moving to LOA 2
and making that the basic minimum necessary to join. This adds real
assurance to SPs. (Nicole. this may be where we diverge in opinion I
believe, since the UK AMF does not provide such assurance. It should).

Folks may want to take a look at the current OpenID Connect work and
the plans for combining this extended model with OAuth and JSON based

OpenID Connect

Current OAuth 2.0 draft

WOES - Web Object Encryption and Signing
Draft Charter:

- Lucy



On 01/07/2011 09:11, Licia Florio wrote:
> Hi Mikael,
> I think you provided a very good summary of the discussion so far.
> I think federations are not there to compete with facebook (and alike),
> although if a user-community being in the position to choose decided to
> go for facebook, then maybe federations should wonder if their
> is good enough.
> I do believe that it is important for REFEDS (especially in light of
> inter-federation discussion) to engage with different communities
and at
> least try to explain to them the benefits of using NRENs federations,
> but ultimately it will be up to them to decide.
> We do know that especially for SPs offering their services to different
> federations can be a pain, so maybe we should try and make some of the
> processes easier.
> So I think the message for the IRISC workshop in September should
> something like "this is what you get using id-federations;
> id-federations are happy to support you; this is what you get using
> openId-facebook, up to you to decide". I don't think there is much more
> we can do really.
> cheers,
> Licia
>> Hi,
>> A few comments on some mails on the list today.
>> People have doubts if we should put at all effort on making our
federations serve the researchers' needs. As long as our federations
are operated by NRENs (Research and Education Networks) I can't
imagine any other answer than yes we should. As Leif and David wrote,
it's an opportunity for us.
>> Nicole wrote that there are just few scientific resources in any
federations. True, but in Kalmar union, I have realized that the
scientific resources' weight grows in an interfederation, because
research is international and the researchers from different countries
collaborate and share scientific resources (such as data, services,
machines, instruments...). When the CLARIN community (the language
research network, heard of Kalmar, they registered SPs
to it even from Germany and the Netherlands. Via Kalmar, they get all
the Nordic linguists to their SPs. I have started to believe that
scientific resources will be the killer application for
interfederation and we should study them more.
>> I agree with Nicole that if the researchers are happy with
OpenID/Facebook identities, then we don't need to care about them. But
OpenID can't provide reliable LOA and affiliation attributes, which
makes researchers need our federations. Josh said affiliation
attribute is interesting just for publishers. I would add that also
researchers are interested in affiliation, because several scientific
resources are permitted only for research use (ePA=faculty).
>> Chad wrote the researchers should come to us with firm
requirements. True, but we should help them to articulate those
requirements, because we are the experts in identity and federations.
We needed more structured discussion with them. Facilitating that
discussion has been a motivation for the IRISC workshop
( in September next to
the REFEDS meeting. Hopefully I'll see many federations people there,
as well.
>> Nicole wanted evidence that research communities want a simple
customer experience. I have been talking with the CLARIN project for a
couple of years (they also visited a TF-EMC2 meeting some years ago).
CLARIN has 7 (in the long run 25) SPs delivering linguistic data to
linguists in 176 IdPs which spread all over Europe. CLARIN has made a
statement that as long as eduGAIN (or any other interfederation) has
an opt-in process for downlink metadata (i.e. an SP admin needs to
persuade 176 IdP admins to configure attribute release to their SP),
they are not going to use it. CLARIN people are coming to the IRISC
workshop to repeat this statement, and their speak is scheduled right
after Valter's eduGAIN presentation. ;)
>> Cheers,
>> mikael


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5



David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5