Refeds


Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Mon, 04 Jul 2011 14:17:57 +0100

Hi Nicole

you cannot get away from assurance when discussing attribute release. An
unassured attribute is worthless to an SP for making authz decisions. I
can add any attribute values I want to my OpenID account and they are
all made up. Any system that bases its authz on them will allow anyone
in who knows the correct attribute values.


On 04/07/2011 11:18, Nicole Harris wrote:
Curious to know who is going to foot the bill for making LOA2 the
minimum level at which an academic federation can operate David.

the vast majority are there already.

That's a hugely expensive audited service.

you can have self auditing with occasional spot checks. Which university was it that self audited its student returns? All of them isnt it? Which university cooked its books and fiddled millions out of Jisc? Only one that I am aware of. So self auditing with checks does work. And for fiddling an LOA of 2 the consequences are far less severe than student returns.


  Is the University of Kent
willing to pay for that?

we are already at that level. Everyone (including myself) has to provide a passport to register as a staff or student. Even when internationally known. No exceptions. And our password regime is way above the minimum that is required for level 2. I think you will find that most universities are already at level 2.

 Why should I force a small FE college to
that level?

they ought to know who their staff and students are already. But I agree that many have IT systems that are not the best they could be.


If our SPs weren't happy with the level of assurance we currently
provide they wouldn't use the service, end of.

But which SPs are you losing that are not satisfied? You cant use the statistic of satisfied existing customers, but rather you need to know the statistic of potential customers that you currently dont have.


 Who is going to pay
for something that isn't asked for?

This was uttered by the guy who sold linoleum shortly before he went out of business to other shops who sold cushion floor :-)



I agree that federations should be able to offer different levels of
assurance, but setting the minimum bar at LOA2 is just
self-defeating.

How many existing IdPs have not self asserted at 2 already?
You can tell from the metadata I believe.


i think what you are missing is that assurance is not always the
defining factor in why the service is useful.  There are many many
many things a research and education federation can do at very basic
levels that facebook cannot do.

But there are more things that facebook can do which the uk amf cannot. E.g. I cannot give access to my wife to see my document in the cloud storage, since she does not have a UK amf un/pw. But she can access it, if we would allow authn by Facebook (which we showed at the last EMC2 meeting if you remember - a product from the logins4life JISC funded project which we have now adapted for access to cloud storage under our existing JISC funded project :-).

regards

David



 Let's not make this about assurance
- we are actually supposed to be discussing attribute release in this
thread.


On 1 Jul 2011, at 21:01, David Chadwick wrote:

But once they have added all the crypto to JSON it wont be any
simpler than XML, which is what they are trying to get away from.

David

On 01/07/2011 20:00, Lucy Lynch wrote:
On Fri, 1 Jul 2011, David Chadwick wrote:

I think we should accept that Facebook and its Authn API forms
the basic LOA 1 federation of the Internet. No assurance, no
validity of user claims. But they will (almost always) come
from the same user as self asserted attributes.

Where academic federations can add real value is by moving to
LOA 2 and making that the basic minimum necessary to join. This
adds real assurance to SPs. (Nicole. this may be where we
diverge in opinion I believe, since the UK AMF does not provide
such assurance. It should).

Folks may want to take a look at the current OpenID Connect work
and the plans for combining this extended model with OAuth and
JSON based tokens:

OpenID Connect http://openidconnect.com/

Current OAuth 2.0 draft
http://tools.ietf.org/html/draft-ietf-oauth-v2-16

WOES - Web Object Encryption and Signing Draft Charter:
http://www.ietf.org/mail-archive/web/woes/current/msg00077.html
Drafts: http://datatracker.ietf.org/doc/draft-rescorla-jsms/
http://datatracker.ietf.org/doc/draft-jones-json-web-signature/
https://datatracker.ietf.org/doc/draft-jones-json-web-token/

- Lucy



regards

David


On 01/07/2011 09:11, Licia Florio wrote:
Hi Mikael,

I think you provided a very good summary of the discussion so
far.

I think federations are not there to compete with facebook
(and alike), although if a user-community being in the
position to choose decided to go for facebook, then maybe
federations should wonder if their
marketing
is good enough.

I do believe that it is important for REFEDS (especially in
light of inter-federation discussion) to engage with
different communities
and at
least try to explain to them the benefits of using NRENs
federations, but ultimately it will be up to them to decide.

We do know that especially for SPs offering their services to
different federations can be a pain, so maybe we should try
and make some of the processes easier.

So I think the message for the IRISC workshop in September
should something like "this is what you get using
id-federations; id-federations are happy to support you; this
is what you get using openId-facebook, up to you to decide".
I don't think there is much more we can do really.

cheers, Licia

Hi, A few comments on some mails on the list today.

People have doubts if we should put at all effort on making
our
federations serve the researchers' needs. As long as our
federations are operated by NRENs (Research and Education
Networks) I can't imagine any other answer than yes we should.
As Leif and David wrote, it's an opportunity for us.

Nicole wrote that there are just few scientific resources
in any
federations. True, but in Kalmar union, I have realized that
the scientific resources' weight grows in an interfederation,
because research is international and the researchers from
different countries collaborate and share scientific resources
(such as data, services, machines, instruments...). When the
CLARIN community (the language research network, www.clarin.eu)
heard of Kalmar, they registered SPs to it even from Germany
and the Netherlands. Via Kalmar, they get all the Nordic
linguists to their SPs. I have started to believe that
scientific resources will be the killer application for
interfederation and we should study them more.

I agree with Nicole that if the researchers are happy with
OpenID/Facebook identities, then we don't need to care about
them. But OpenID can't provide reliable LOA and affiliation
attributes, which makes researchers need our federations. Josh
said affiliation attribute is interesting just for publishers.
I would add that also researchers are interested in
affiliation, because several scientific resources are permitted
only for research use (ePA=faculty).

Chad wrote the researchers should come to us with firm
requirements. True, but we should help them to articulate
those requirements, because we are the experts in identity and
federations. We needed more structured discussion with them.
Facilitating that discussion has been a motivation for the
IRISC workshop (http://irisc-workshop.org/irisc2011-helsinki/)
in September next to the REFEDS meeting. Hopefully I'll see
many federations people there, as well.

Nicole wanted evidence that research communities want a
simple
customer experience. I have been talking with the CLARIN
project for a couple of years (they also visited a TF-EMC2
meeting some years ago). CLARIN has 7 (in the long run 25) SPs
delivering linguistic data to linguists in 176 IdPs which
spread all over Europe. CLARIN has made a statement that as
long as eduGAIN (or any other interfederation) has an opt-in
process for downlink metadata (i.e. an SP admin needs to
persuade 176 IdP admins to configure attribute release to their
SP), they are not going to use it. CLARIN people are coming to
the IRISC workshop to repeat this statement, and their speak is
scheduled right after Valter's eduGAIN presentation. ;)

Cheers, mikael




--

*****************************************************************


David W. Chadwick, BSc PhD
Professor of Information Systems Security School of Computing,
University of Kent, Canterbury, CT2 7NF Skype Name:
davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811
Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx Home
Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site:
http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust
key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5

*****************************************************************





--

*****************************************************************
David W. Chadwick, BSc PhD Professor of Information Systems
Security School of Computing, University of Kent, Canterbury, CT2
7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227
762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site:
http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key
validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5

*****************************************************************



--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************