Refeds


Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Mon, 04 Jul 2011 18:31:58 +0100

Hi Robin

I don't know if this is causing confusion or not, but a federation without a trust infrastructure, i.e. running at LoA 1, is no different from organisations simply connecting together over the normal Internet. And you don't need a federation for this, just technical protocol specifications.

What I think is needed are two things

i) implemented support for passing the LoA in protocol between the IdP and SP (I mean that the LOA is actually being sent in practice, not just support on paper for how it can be done, which is what we have today)

ii) an intermediate level of assurance between 1 and 2 which lowers the threshold for joining the federation, and can therefore differentiate between Facebook self asserted attributes (at LoA 1) and University asserted ones (at n, where n is 1<n<2 )

regards

David


On 04/07/2011 17:56, Robin Wilton wrote:
Am I right in thinking that a possible source of LoA confusion may arise
out of the fact that, IIRC, the NIST specifications (as David says) go
from LOA 1 to LOA 4... but the UK Govt model runs from LOA 0 to LOA
3...?

Just wanted to check, as I know this tripped us up a couple of times in
the Kantara work groups.

Yrs.,
Robin




On Mon, 04 Jul 2011 17:19 +0100, "David Chadwick"
<d.w.chadwick@xxxxxxxxxx>  wrote:
Hi Nicole

from your previous email, you seem to think that there is a difference
between LoA 1 and LoA 0, but there isn't. Zero does not exist in the NIST
scheme and 1 is equivalent to zero. Therefore if a university only
offers LoA 1 it is at the same assurance level that Facebook, Google,
OpenID etc. offer (until finer granularity is added to the scheme, which
I have been arguing for for ages, but we are not there yet).

I am arguing that universities ought to be able to do better than zero
assurance, in order to add more value to their assertions, and I believe
that the majority of the UK IdPs already do. Therefore the bar ought to
be raised to this level for all IdPs. This level is level 2, and it is
not as onerous as I think you think it is.

regards

David


On 04/07/2011 17:05, Nicole Harris wrote:
Licia

I think that was exactly what I was arguing for.  David was arguing
in favour of raising the bar to ONLY allow institutions that can do
LOA2 and above in to federations.  I'm arguing that we have to
provide both low level and high level assurance to meet all the
requirements of our community.  Perhaps I'm coming out too strongly
in favour of the small organisations rather than e-science, but they
need someone to argue for them.

I also think you may have missed a strong dose of English sarcasm ;-)
I actually meant the exact opposite; it is highly unlikely that a
service with that many members is offering something that is so out
of tune with its users' needs as David suggests.  Sorry, I should know
the danger of being too colloquial on a multi-lingual list.

N


On 4 Jul 2011, at 16:23, Licia Florio wrote:

Hi Nicole,


However, if our 864 members want to go and procure services
elsewhere that is absolutely fine by us. It would free up service
money to be spent elsewhere.  The JISC Portfolio review process
is there to make sure we only offer people the services they
want. If there is service level demand for your service, I'm sure
it will be considered via the same channels.

Maybe this would be JISC's position (assuming you are now talking
for JISC), but I'm not sure all NRENs would have an equally casual
approach if all their members started getting their services
elsewhere ;)

I agree that you want to start offering services that satisfy the
majority of the users, but I think NRENs should try and address
the requirements of all their user-groups. It may not be possible
to offer services to all user-groups (maybe it turns out that some
groups can be better served elsewhere), but I would rather see this
statement as a conclusion than as a starting point.

cheers, Licia



--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site:
http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

Robin Wilton

+44 (0)705 005 2931



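An added example, not code from the REFEDS thread or from any of its participants, illustrating David's point (i) above: what it looks like when the LoA is actually carried in the protocol and an SP acts on it, rather than the IdP's assurance level existing only on paper. It models a SAML 2.0 assertion whose AuthnContextClassRef names the assurance level, and an SP-side check that enforces a minimum, including the intermediate "1 < n < 2" level from point (ii). The LoA-to-URI mapping, the example.org URIs and the sample assertions are all constructed assumptions; a real federation would register its own class references. Signature verification is deliberately out of scope, and an SP must only read the LoA from an assertion whose signature it has already verified.

```python
"""SP-side LoA enforcement for a SAML 2.0 assertion.

Added example; the URIs below are constructed placeholders, not values
from any federation. Assumes the assertion has already been signature-
verified by the SP's SAML stack before this check runs.
"""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping from AuthnContextClassRef URI to a numeric LoA.
# "unspecified" is a real SAML class name; the example.org URIs are
# constructed stand-ins. 1.5 models the intermediate level between
# self-asserted (1) and identity-proofed (2) that the thread argues for.
LOA_BY_URI = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 1.0,
    "https://assurance.example.org/self-asserted": 1.0,
    "https://assurance.example.org/institution-asserted": 1.5,
    "https://assurance.example.org/identity-proofed": 2.0,
}


def extract_loa(assertion_xml: str) -> Optional[float]:
    """Return the numeric LoA the IdP actually sent, or None when no
    AuthnContextClassRef is present or its URI is not one we recognise."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not (ref.text or "").strip():
        return None  # LoA "supported on paper" but not transmitted
    return LOA_BY_URI.get(ref.text.strip())  # unknown URI -> None


def release_allowed(assertion_xml: str, minimum_loa: float) -> bool:
    """Fail closed: a missing or unknown LoA is treated as LoA 1, i.e. no
    more trustworthy than a self-asserted social login."""
    loa = extract_loa(assertion_xml)
    if loa is None:
        loa = 1.0
    return loa >= minimum_loa


def sample_assertion(class_ref: Optional[str]) -> str:
    """Constructed sample assertion (minimal, unsigned) for demonstration."""
    ctx = (
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        if class_ref
        else ""
    )
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2011-07-04T17:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp</saml:Issuer>
  <saml:Subject><saml:NameID>student123</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2011-07-04T17:00:00Z">
    <saml:AuthnContext>{ctx}</saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    # An SP that requires the intermediate level: a university-asserted
    # identity passes, a self-asserted or LoA-less one does not.
    for label, ref in [
        ("institution-asserted", "https://assurance.example.org/institution-asserted"),
        ("self-asserted", "https://assurance.example.org/self-asserted"),
        ("no LoA sent", None),
    ]:
        ok = release_allowed(sample_assertion(ref), minimum_loa=1.5)
        print(f"{label:22s} -> {'release' if ok else 'refuse'}")
```

The design choice worth noting is the fail-closed default in `release_allowed`: when the IdP sends nothing, or sends a class reference the federation has not agreed a meaning for, the SP gets exactly the LoA 1 outcome David describes, rather than silently assuming the IdP's paper level.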