Refeds


Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Mon, 04 Jul 2011 19:39:13 +0100

Hi Robin

the confusion is easily avoided by having an internationally standardised attribute type called LOA, with standardised values. Then the type/value is carried in the protocol, rather than simply the value. If countries want to standardise their own attribute types for internal use they are free to do so, and they can then carry these values in protocol between themselves. Cross-border transfer then requires knowledge of country specific attributes, or use of the international standard for trans border messages.

FYI, I was always using the NIST scheme in my messages.

regards

David


On 04/07/2011 19:04, Robin Wilton wrote:
Thanks David -

But I think that illustrates the potential for confusion... do you mean
a US LOA 1 or a UK LOA 1?

Ensuring mutual understanding of which scale is being used is crucial,
not just for the discussion at this stage, but also if you want to be
able to implement the first function you describe; it's comparatively
easy to specify a protocol for exchanging a 1-byte value within a
federation, but if the federation spans the US-UK border, you also have
to ensure semantic interoperability - the participants have to
understand whether a value of "1" in that field is a "1" on the NIST
scale or a "1" on the UK Cabinet Office/OGC ID Assurance scale....

R

On Mon, 04 Jul 2011 18:31 +0100, "David Chadwick"
<d.w.chadwick@xxxxxxxxxx>  wrote:
Hi Robin

I don't know if this is causing confusion or not, but a federation
without a trust infrastructure, i.e. running at LoA 1, is no different
to organisations simply connecting together over the normal Internet.
And you don't need a federation for this, just technical protocol
specifications.

What I think is needed are two things

i) implemented support for passing the LoA in protocol between the IdP
and SP (I mean that the LOA is actually being sent in practice, not just
support on paper for how it can be done, which is what we have today)

ii) an intermediate level of assurance between 1 and 2 which lowers the
threshold for joining the federation, and can therefore differentiate
between Facebook self-asserted attributes (at LoA 1) and University
asserted ones (at n, where 1 < n < 2)

regards

David


On 04/07/2011 17:56, Robin Wilton wrote:
Am I right in thinking that a possible source of LoA confusion may arise
out of the fact that, IIRC, the NIST specifications (as David says) go
from LOA 1 to LOA 4... but the UK Govt model runs from LOA 0 to LOA
3...?

Just wanted to check, as I know this tripped us up a couple of times in
the Kantara work groups.

Yrs.,
Robin




On Mon, 04 Jul 2011 17:19 +0100, "David Chadwick"
<d.w.chadwick@xxxxxxxxxx>   wrote:
Hi Nicole

from your previous email, you seem to think that there is a difference
between LoA 1 and LoA 0, but there isn't. Zero does not exist in the NIST
scheme and 1 is equivalent to zero. Therefore if a university only
offers LoA 1 it is at the same assurance level that Facebook, Google,
OpenID etc. offer (until finer granularity is added to the scheme, which
I have been arguing for for ages, but we are not there yet).

I am arguing that universities ought to be able to do better than zero
assurance, in order to add more value to their assertions, and I believe
that the majority of the UK IdPs already do. Therefore the bar ought to
be raised to this level for all IdPs. This level is level 2, and it is
not as onerous as I think you think it is.

regards

David


On 04/07/2011 17:05, Nicole Harris wrote:
Licia

I think that was exactly what I was arguing for.  David was arguing
in favour of raising the bar to ONLY allow institutions that can do
LOA2 and above in to federations.  I'm arguing that we have to
provide both low level and high level assurance to meet all the
requirements of our community.  Perhaps I'm coming out too strongly
in favour of the small organisations rather than e-science, but they
need someone to argue for them.

I also think you may have missed a strong dose of English sarcasm ;-)
I actually meant the exact opposite, it is highly unlikely that a
service with that many members is offering something that is so out
of tune with its users' needs as David suggests.  Sorry, I should know
the danger of being too colloquial on a multi-lingual list.

N


On 4 Jul 2011, at 16:23, Licia Florio wrote:

Hi Nicole,


However, if our 864 members want to go and procure services
elsewhere that is absolutely fine by us. It would free up service
money to be spent elsewhere.  The JISC Portfolio review process
is there to make sure we only offer people the services they
want. If there is service level demand for your service, I'm sure
it will be considered via the same channels.

Maybe this would be JISC's position (assuming you are now talking
for JISC), but I'm not sure all NRENs would have an equally casual
approach if all their members would start getting their services
elsewhere ;)

I agree that you want to start offering services that satisfy the
majority of the users, but I think NRENs should try and address
the requirements of all their user-groups. It may not be possible
to offer services to all user-groups (maybe it turns out that some
groups can be better served elsewhere), but I would rather see this
statement as a conclusion than as a starting point.

cheers, Licia



--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site:
http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

Robin Wilton

+44 (0)705 005 2931



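An added example, not from the thread or any federation software, of the point David and Robin make above: an SP can only compare assurance levels safely when the LoA arrives as a typed attribute (scheme plus value) rather than a bare number. The scheme identifiers, the wire format, and the offset used to line up the UK 0-3 scale against the NIST 1-4 scale are all assumptions made for illustration, as is the fractional level standing in for the intermediate "1 < n < 2" tier.

```python
from dataclasses import dataclass

# Hypothetical scheme identifiers (not real URNs); the thread only names the
# NIST scale (1-4) and the UK Cabinet Office/OGC scale (0-3).
NIST = "urn:example:loa:nist-800-63"
UK = "urn:example:loa:uk-cabinet-office"

SCHEME_RANGE = {NIST: (1.0, 4.0), UK: (0.0, 3.0)}

# Assumed offset onto a common ordinal rank: UK 0 is treated as the same
# "zero assurance" as NIST 1, per David's remark; this is an assumption.
SCHEME_OFFSET = {NIST: 0.0, UK: 1.0}


class AmbiguousAssurance(ValueError):
    """A bare LoA value with no scheme: is "1" NIST 1 or UK 1?"""


@dataclass(frozen=True)
class Assurance:
    scheme: str
    level: float  # float so an intermediate tier such as 1.5 can be expressed


def parse_assurance(attr: dict) -> Assurance:
    """Parse the carried attribute {"type": scheme, "value": level}.

    A value without a "type" is rejected outright rather than guessed,
    because the same digit means different things on different scales.
    """
    scheme = attr.get("type")
    if scheme is None:
        raise AmbiguousAssurance(f"untyped LoA value {attr.get('value')!r}")
    if scheme not in SCHEME_RANGE:
        raise ValueError(f"unknown LoA scheme {scheme}")
    level = float(attr["value"])
    lo, hi = SCHEME_RANGE[scheme]
    if not lo <= level <= hi:
        raise ValueError(f"level {level} outside {scheme} range {lo}-{hi}")
    return Assurance(scheme, level)


def rank(a: Assurance) -> float:
    """Map any scheme's level onto the common comparison rank."""
    return a.level + SCHEME_OFFSET[a.scheme]


def satisfies(asserted: Assurance, required: Assurance) -> bool:
    return rank(asserted) >= rank(required)


def sp_decision(attr: dict, required: Assurance) -> str:
    """Relying-party policy check on one incoming LoA attribute."""
    try:
        asserted = parse_assurance(attr)
    except AmbiguousAssurance:
        return "reject: untyped LoA"
    if satisfies(asserted, required):
        return "accept"
    return "reject: insufficient assurance"
```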