Refeds


Subject Re: draft charge, refeds working group on attribute release
From Nicole Harris <Nicole.Harris@xxxxxxxxxxxxxxxxx>
Date Mon, 4 Jul 2011 15:27:56 +0100

Sorry David but I think your analysis of a university's ability to reach LOA2 is wildly inaccurate, and I say this with some authority, having a reasonably good view of the opinions of Uk institutions on this from my job role and from surveys undertaken by JISC and the UK federation.  I will also repeat that our remit is not just for higher education institutions. 

I'm more than willing to get the UK to a position where the UK federation CAN offer LOA2, but I would never agree to it refusing to service the lower levels.  I don't see how that helps anyone.  if you would like to ignore everyone under that LOA you are more than welcome to.  

I would point out that your wife probably could access your 'cloud' service through the UK federation if she chose to use one of the open identity providers we have integrated such as typekey - although this is effectively an LOA 0 service, so in your analysis, we should't be offering it.  There's also nothing stopping anyone for proposing to the UK federation that it allow facebook authentication, I'd suggest you raise this with the service if you feel it is a requirement for your institution. 

However, if our 864 members want to go and procure services elsewhere that is absolutely fine by us.  It would free up service money to be spent elsewhere.  The JISC Portfolio review process is there to make sure we only offer people the services they want.  If there is service level demand for your service, I'm sure it will be considered via the same channels. 

On 4 Jul 2011, at 14:17, David Chadwick wrote:

> Hi Nicole
> 
> you cannot get away from assurance when discussing attribute release. An
> unassured attribute is worthless to an SP for making authz decisions. I
> can add any attribute values I want to my OpenID account and they are
> all made up. Any system that bases its authz on them will allow anyone
> in who knows the correct attribute values.
> 
> 
> On 04/07/2011 11:18, Nicole Harris wrote:
>> Curious to know who is going to foot the bill for making LOA2 the
>> minimum level at which an academic federation can operate David.
> 
> the vast majority are there already.
> 
>> That's a hugely expensive audited service.
> 
> you can have self auditing with occasional spot checks. Which university
> was it that self audited its student returns? All of them isnt it? Which
> university cooked its books and fiddled millions out of Jisc? Only one
> that I am aware of. So self auditing with checks does work. And for
> fiddling an LOA of 2 the consequences are far less severe than student
> returns.
> 
> 
>   Is the University of Kent
>> willing to pay for that?
> 
> we are already at that level. Everyone (including myself) has to provide
> a passport to register as a staff or student. Even when internationally
> known. No exceptions. And our password regime is way above the minimum
> that is required for level 2. I think you will find that most
> universities are already at level 2.
> 
>  Why should I force a small FE college to
>> that level?
> 
> they ought to know who their staff and students are already. But I agree
> that many have IT systems that are not the best they could be.
> 
>> 
>> If our SPs weren't happy with the level of assurance we currently
>> provide they wouldn't use the service, end of.
> 
> But which SPs are you losing that are not satisfied? You cant use the
> statistic of satisfied existing customers, but rather you need to know
> the statistic of potential customers that you currently dont have.
> 
> 
>  Who is going to pay
>> for something that isn't asked for?
> 
> This was uttered by the guy who sold linoleum shortly before he went out
> of business to other shops who sold cushion floor :-)
> 
> 
>> 
>> I agree that federations should be able to offer different levels of
>> assurance, but setting the minimum bar at LOA2 is just
>> self-defeating.
> 
> How many existing IdPs have not self asserted at 2 already?
> You can tell from the metadata I believe.
> 
>> 
>> i think what you are missing is that assurance is not always the
>> defining factor in why the service is useful.  There are many many
>> many things a research and education federation can do at very basic
>> levels that facebook cannot do.
> 
> But there are more things that facebook can do which the uk amf cannot.
> E.g. I cannot give access to my wife to see my document in the cloud
> storage, since she does not have a UK amf un/pw. But she can access it,
> if we would allow authn by Facebook (which we showed at the last EMC2
> meeting if you remember - a product from the logins4life JISC funded
> project which we have now adapted for access to cloud storage under our
> existing JISC funded project :-).
> 
> regards
> 
> David
> 
> 
> 
>  Let's not make this about assurance
>> - we are actually supposed to be discussing attribute release in this
>> thread.
>> 
>> 
>> On 1 Jul 2011, at 21:01, David Chadwick wrote:
>> 
>>> But once they have added all the crypto to JSON it wont be any
>>> simpler than XML, which is what they are trying to get away from.
>>> 
>>> David
>>> 
>>> On 01/07/2011 20:00, Lucy Lynch wrote:
>>>> On Fri, 1 Jul 2011, David Chadwick wrote:
>>>> 
>>>>> I think we should accept that Facebook and its Authn API forms
>>>>> the basic LOA 1 federation of the Internet. No assurance, no
>>>>> validity of user claims. But they will (almost always) come
>>>>> from the same user as self asserted attributes.
>>>>> 
>>>>> Where academic federations can add real value is by moving to
>>>>> LOA 2 and making that the basic minimum necessary to join. This
>>>>> adds real assurance to SPs. (Nicole. this may be where we
>>>>> diverge in opinion I believe, since the UK AMF does not provide
>>>>> such assurance. It should).
>>>> 
>>>> Folks may want to take a look at the current OpenID Connect work
>>>> and the plans for combining this extended model with OAuth and
>>>> JSON based tokens:
>>>> 
>>>> OpenID Connect http://openidconnect.com/
>>>> 
>>>> Current OAuth 2.0 draft
>>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16
>>>> 
>>>> WOES - Web Object Encryption and Signing Draft Charter:
>>>> http://www.ietf.org/mail-archive/web/woes/current/msg00077.html
>>>> Drafts: http://datatracker.ietf.org/doc/draft-rescorla-jsms/
>>>> http://datatracker.ietf.org/doc/draft-jones-json-web-signature/
>>>> https://datatracker.ietf.org/doc/draft-jones-json-web-token/
>>>> 
>>>> - Lucy
>>>> 
>>>> 
>>>> 
>>>>> regards
>>>>> 
>>>>> David
>>>>> 
>>>>> 
>>>>> On 01/07/2011 09:11, Licia Florio wrote:
>>>>>> Hi Mikael,
>>>>>> 
>>>>>> I think you provided a very good summary of the discussion so
>>>>>> far.
>>>>>> 
>>>>>> I think federations are not there to compete with facebook
>>>>>> (and alike), although if a user-community being in the
>>>>>> position to choose decided to go for facebook, then maybe
>>>>>> federations should wonder if their
>>>>> marketing
>>>>>> is good enough.
>>>>>> 
>>>>>> I do believe that it is important for REFEDS (especially in
>>>>>> light of inter-federation discussion) to engage with
>>>>>> different communities
>>>>> and at
>>>>>> least try to explain to them the benefits of using NRENs
>>>>>> federations, but ultimately it will be up to them to decide.
>>>>>> 
>>>>>> We do know that especially for SPs offering their services to
>>>>>> different federations can be a pain, so maybe we should try
>>>>>> and make some of the processes easier.
>>>>>> 
>>>>>> So I think the message for the IRISC workshop in September
>>>>>> should something like "this is what you get using
>>>>>> id-federations; id-federations are happy to support you; this
>>>>>> is what you get using openId-facebook, up to you to decide".
>>>>>> I don't think there is much more we can do really.
>>>>>> 
>>>>>> cheers, Licia
>>>>>> 
>>>>>>> Hi, A few comments on some mails on the list today.
>>>>>>> 
>>>>>>> People have doubts if we should put at all effort on making
>>>>>>> our
>>>>> federations serve the researchers' needs. As long as our
>>>>> federations are operated by NRENs (Research and Education
>>>>> Networks) I can't imagine any other answer than yes we should.
>>>>> As Leif and David wrote, it's an opportunity for us.
>>>>>>> 
>>>>>>> Nicole wrote that there are just few scientific resources
>>>>>>> in any
>>>>> federations. True, but in Kalmar union, I have realized that
>>>>> the scientific resources' weight grows in an interfederation,
>>>>> because research is international and the researchers from
>>>>> different countries collaborate and share scientific resources
>>>>> (such as data, services, machines, instruments...). When the
>>>>> CLARIN community (the language research network, www.clarin.eu)
>>>>> heard of Kalmar, they registered SPs to it even from Germany
>>>>> and the Netherlands. Via Kalmar, they get all the Nordic
>>>>> linguists to their SPs. I have started to believe that
>>>>> scientific resources will be the killer application for
>>>>> interfederation and we should study them more.
>>>>>>> 
>>>>>>> I agree with Nicole that if the researchers are happy with
>>>>> OpenID/Facebook identities, then we don't need to care about
>>>>> them. But OpenID can't provide reliable LOA and affiliation
>>>>> attributes, which makes researchers need our federations. Josh
>>>>> said affiliation attribute is interesting just for publishers.
>>>>> I would add that also researchers are interested in
>>>>> affiliation, because several scientific resources are permitted
>>>>> only for research use (ePA=faculty).
>>>>>>> 
>>>>>>> Chad wrote the researchers should come to us with firm
>>>>> requirements. True, but we should help them to articulate
>>>>> those requirements, because we are the experts in identity and
>>>>> federations. We needed more structured discussion with them.
>>>>> Facilitating that discussion has been a motivation for the
>>>>> IRISC workshop (http://irisc-workshop.org/irisc2011-helsinki/)
>>>>> in September next to the REFEDS meeting. Hopefully I'll see
>>>>> many federations people there, as well.
>>>>>>> 
>>>>>>> Nicole wanted evidence that research communities want a
>>>>>>> simple
>>>>> customer experience. I have been talking with the CLARIN
>>>>> project for a couple of years (they also visited a TF-EMC2
>>>>> meeting some years ago). CLARIN has 7 (in the long run 25) SPs
>>>>> delivering linguistic data to linguists in 176 IdPs which
>>>>> spread all over Europe. CLARIN has made a statement that as
>>>>> long as eduGAIN (or any other interfederation) has an opt-in
>>>>> process for downlink metadata (i.e. an SP admin needs to
>>>>> persuade 176 IdP admins to configure attribute release to their
>>>>> SP), they are not going to use it. CLARIN people are coming to
>>>>> the IRISC workshop to repeat this statement, and their speak is
>>>>> scheduled right after Valter's eduGAIN presentation. ;)
>>>>>>> 
>>>>>>> Cheers, mikael
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> --
>>>>> 
>>>>> *****************************************************************
>>>>> 
>>>>> 
> David W. Chadwick, BSc PhD
>>>>> Professor of Information Systems Security School of Computing,
>>>>> University of Kent, Canterbury, CT2 7NF Skype Name:
>>>>> davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811
>>>>> Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx Home
>>>>> Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>>>> Research Web site:
>>>>> http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust
>>>>> key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
>>>>> 
>>>>> *****************************************************************
>>>>> 
>>>> 
>>> 
>>> 
>>>>> 
> --
>>> 
>>> *****************************************************************
>>> David W. Chadwick, BSc PhD Professor of Information Systems
>>> Security School of Computing, University of Kent, Canterbury, CT2
>>> 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227
>>> 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx
>>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>> Research Web site:
>>> http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key
>>> validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
>>> 
>>> *****************************************************************
>> 
>> 
> 
> --
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> School of Computing, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxx
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************