Refeds


Subject Re: draft charge, refeds working group on attribute release
From Nicole Harris <nicole.harris@xxxxxxxxxxxxxxxxx>
Date Mon, 4 Jul 2011 11:18:14 +0100

Curious to know who is going to foot the bill for making LOA2 the minimum level at which an academic federation can operate David.  That's a hugely expensive audited service.  Is the University of Kent willing to pay for that?  Why should I force a small FE college to that level?

If our SPs weren't happy with the level of assurance we currently provide they wouldn't use the service, end of.  Who is going to pay for something that isn't asked for?

I agree that federations should be able to offer different levels of assurance, but setting the minimum bar at LOA2 is just self-defeating. 

i think what you are missing is that assurance is not always the defining factor in why the service is useful.  There are many many many things a research and education federation can do at very basic levels that facebook cannot do.  Let's not make this about assurance - we are actually supposed to be discussing attribute release in this thread. 


On 1 Jul 2011, at 21:01, David Chadwick wrote:

> But once they have added all the crypto to JSON it wont be any simpler 
> than XML, which is what they are trying to get away from.
> 
> David
> 
> On 01/07/2011 20:00, Lucy Lynch wrote:
>> On Fri, 1 Jul 2011, David Chadwick wrote:
>> 
>>> I think we should accept that Facebook and its Authn API forms the
>>> basic LOA 1 federation of the Internet. No assurance, no validity of
>>> user claims. But they will (almost always) come from the same user as
>>> self asserted attributes.
>>> 
>>> Where academic federations can add real value is by moving to LOA 2
>>> and making that the basic minimum necessary to join. This adds real
>>> assurance to SPs. (Nicole. this may be where we diverge in opinion I
>>> believe, since the UK AMF does not provide such assurance. It should).
>> 
>> Folks may want to take a look at the current OpenID Connect work and
>> the plans for combining this extended model with OAuth and JSON based
>> tokens:
>> 
>> OpenID Connect
>> http://openidconnect.com/
>> 
>> Current OAuth 2.0 draft
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16
>> 
>> WOES - Web Object Encryption and Signing
>> Draft Charter:
>> http://www.ietf.org/mail-archive/web/woes/current/msg00077.html
>> Drafts: http://datatracker.ietf.org/doc/draft-rescorla-jsms/
>> http://datatracker.ietf.org/doc/draft-jones-json-web-signature/
>> https://datatracker.ietf.org/doc/draft-jones-json-web-token/
>> 
>> - Lucy
>> 
>> 
>> 
>>> regards
>>> 
>>> David
>>> 
>>> 
>>> On 01/07/2011 09:11, Licia Florio wrote:
>>>> Hi Mikael,
>>>> 
>>>> I think you provided a very good summary of the discussion so far.
>>>> 
>>>> I think federations are not there to compete with facebook (and alike),
>>>> although if a user-community being in the position to choose decided to
>>>> go for facebook, then maybe federations should wonder if their
>>> marketing
>>>> is good enough.
>>>> 
>>>> I do believe that it is important for REFEDS (especially in light of
>>>> inter-federation discussion) to engage with different communities
>>> and at
>>>> least try to explain to them the benefits of using NRENs federations,
>>>> but ultimately it will be up to them to decide.
>>>> 
>>>> We do know that especially for SPs offering their services to different
>>>> federations can be a pain, so maybe we should try and make some of the
>>>> processes easier.
>>>> 
>>>> So I think the message for the IRISC workshop in September should
>>>> something like "this is what you get using id-federations;
>>>> id-federations are happy to support you; this is what you get using
>>>> openId-facebook, up to you to decide". I don't think there is much more
>>>> we can do really.
>>>> 
>>>> cheers,
>>>> Licia
>>>> 
>>>>> Hi,
>>>>> A few comments on some mails on the list today.
>>>>> 
>>>>> People have doubts if we should put at all effort on making our
>>> federations serve the researchers' needs. As long as our federations
>>> are operated by NRENs (Research and Education Networks) I can't
>>> imagine any other answer than yes we should. As Leif and David wrote,
>>> it's an opportunity for us.
>>>>> 
>>>>> Nicole wrote that there are just few scientific resources in any
>>> federations. True, but in Kalmar union, I have realized that the
>>> scientific resources' weight grows in an interfederation, because
>>> research is international and the researchers from different countries
>>> collaborate and share scientific resources (such as data, services,
>>> machines, instruments...). When the CLARIN community (the language
>>> research network, www.clarin.eu) heard of Kalmar, they registered SPs
>>> to it even from Germany and the Netherlands. Via Kalmar, they get all
>>> the Nordic linguists to their SPs. I have started to believe that
>>> scientific resources will be the killer application for
>>> interfederation and we should study them more.
>>>>> 
>>>>> I agree with Nicole that if the researchers are happy with
>>> OpenID/Facebook identities, then we don't need to care about them. But
>>> OpenID can't provide reliable LOA and affiliation attributes, which
>>> makes researchers need our federations. Josh said affiliation
>>> attribute is interesting just for publishers. I would add that also
>>> researchers are interested in affiliation, because several scientific
>>> resources are permitted only for research use (ePA=faculty).
>>>>> 
>>>>> Chad wrote the researchers should come to us with firm
>>> requirements. True, but we should help them to articulate those
>>> requirements, because we are the experts in identity and federations.
>>> We needed more structured discussion with them. Facilitating that
>>> discussion has been a motivation for the IRISC workshop
>>> (http://irisc-workshop.org/irisc2011-helsinki/) in September next to
>>> the REFEDS meeting. Hopefully I'll see many federations people there,
>>> as well.
>>>>> 
>>>>> Nicole wanted evidence that research communities want a simple
>>> customer experience. I have been talking with the CLARIN project for a
>>> couple of years (they also visited a TF-EMC2 meeting some years ago).
>>> CLARIN has 7 (in the long run 25) SPs delivering linguistic data to
>>> linguists in 176 IdPs which spread all over Europe. CLARIN has made a
>>> statement that as long as eduGAIN (or any other interfederation) has
>>> an opt-in process for downlink metadata (i.e. an SP admin needs to
>>> persuade 176 IdP admins to configure attribute release to their SP),
>>> they are not going to use it. CLARIN people are coming to the IRISC
>>> workshop to repeat this statement, and their speak is scheduled right
>>> after Valter's eduGAIN presentation. ;)
>>>>> 
>>>>> Cheers,
>>>>> mikael
>>>>> 
>>>> 
>>>> 
>>> 
>>> --
>>> 
>>> *****************************************************************
>>> David W. Chadwick, BSc PhD
>>> Professor of Information Systems Security
>>> School of Computing, University of Kent, Canterbury, CT2 7NF
>>> Skype Name: davidwchadwick
>>> Tel: +44 1227 82 3221
>>> Fax +44 1227 762 811
>>> Mobile: +44 77 96 44 7184
>>> Email: D.W.Chadwick@xxxxxxxxxx
>>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>> Research Web site:
>>> http://www.cs.kent.ac.uk/research/groups/iss/index.html
>>> Entrust key validation string: MLJ9-DU5T-HV8J
>>> PGP Key ID is 0xBC238DE5
>>> 
>>> *****************************************************************
>>> 
>> 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> School of Computing, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxx
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************