Subject Re: mari plan & next steps
From Jaime Pérez Crespo <jaime.perez@xxxxxxxxxx>
Date Wed, 29 Oct 2014 16:33:35 +0100


> On 29 Oct 2014, at 16:06 pm, Peter Schober <peter.schober@xxxxxxxxxxxx> wrote:
> * Leif Johansson <leifj@xxxxxxxx> [2014-10-29 15:48]:
>> Experience from SPs that have begun to suck at the fire hose of
>> interfederation seems to be that as the number of federations grow, the
>> list of RequestedAttribute elements grow to the union of what is needed
>> to fulfil the recommendations and practice of all federations.
>> At best this violates the minimality principle and at worst causes
>> breakage since the RequestedAttribute practice of one federation is
>> often incompatible with that of the next federation. Experience shows
>> that breakage occurs after only a small number of connected
>> federations (I have example breakage at <3 federations).
> I'd be interested in more (any, really) concrete examples of that kind
> of breakage, to substantiate the claim of the massive scope of that
> problem.  (I'm probably just lacking that experience, and imagination.)

I can only support Leif on this. This is a problem that has bitten us in Feide a couple of times already. Specific example: an SP connected through WAYF to Kalmar2 wants to connect to Feide, and they ask for some attribute we don’t provide (or is not really extended among our institutions). We offer them using eduPersonPrincipalName for that, as that’s mandatory in Feide and will provide equivalent semantics for them. Unfortunately, WAYF’s policy refuses to allow them to ask for that attribute because they consider it sensitive.

So we both use the same attribute with same semantics, but for them it is sensitive while we use it for everything. Probably their policy is right and ours is wrong, but it’s not going to change in the near future (and I doubt it will ever change, given the amount of work it will mean), so the result is that Norwegian users cannot use that service unless the service pays the fee to join Feide directly (and that leads to… well, you see where this is going).

>> The reason the problem occurs is that federations don't agree on the
>> semantic and use of attributes. Furthermore it seems unlikely that
>> we'll be able to align attribute semantics globally.
> Personally I'd very much prefer to tackle harmonization and alignment
> (possibly at the same time, given concrete problems to chew on) as
> doing that would also solve the problem for the SP, which in the
> proposal still is stuck having to deal with all the incompatible crap
> that seems to be floating around, as you acknowledge:

Unfortunately harmonization is not always feasible, I think. It’s not only about using different semantics for an attribute, but also about giving them different considerations and even security or privacy features. Not everybody is going to agree on the same things, and even if we do, local laws may forbid certain uses.

Jaime Pérez
mail: jaime.perez@xxxxxxxxxx
xmpp: jaime@xxxxxxxxxxxxxxxxx

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
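The breakage Leif and Jaime describe (an SP's RequestedAttribute list grows to the union of every federation's expectations, and one federation then refuses an attribute another federation made mandatory) can be checked mechanically against SP metadata. The following is an added example, not code from this thread or from any federation operator: it parses a constructed SAML SP metadata snippet, extracts the RequestedAttribute elements, and compares them with per-federation policies. The federation names "FedA" and "FedB" and their policy sets are constructed assumptions modelled on the eduPersonPrincipalName situation in the mail; the attribute OIDs are the standard ones.

```python
"""Added example: detect RequestedAttribute conflicts across federations.

Not code from the mail thread. The SP metadata snippet, the federation names
and their policies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: the union of what two federations expect the SP to request.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed policies (hypothetical federations): one makes eduPersonPrincipalName
# mandatory, the other treats it as sensitive and refuses to release it.
FEDERATION_POLICIES = {
    "FedA": {"mandatory": {"eduPersonPrincipalName"}, "refused": set()},
    "FedB": {"mandatory": set(), "refused": {"eduPersonPrincipalName"}},
}


def requested_attributes(metadata_xml):
    """Map each RequestedAttribute (by FriendlyName, else Name) to its isRequired flag."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ra in root.iterfind(".//md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        result[name] = ra.get("isRequired", "false").lower() == "true"
    return result


def find_conflicts(requested, policies):
    """(attribute, federation) pairs where the SP asks for something a federation refuses."""
    conflicts = []
    for attr in sorted(requested):
        for fed, policy in sorted(policies.items()):
            if attr in policy["refused"]:
                conflicts.append((attr, fed))
    return conflicts


def blocked_federations(requested, policies):
    """Federations whose users cannot use the SP at all: a refused attribute is isRequired."""
    return sorted(
        fed
        for fed, policy in policies.items()
        if any(requested.get(attr, False) for attr in policy["refused"])
    )


def minimal_per_federation(requested, policies):
    """What the SP could request per federation if it kept one list per federation
    instead of one union: its list minus what that federation refuses."""
    return {
        fed: sorted(a for a in requested if a not in policy["refused"])
        for fed, policy in policies.items()
    }


if __name__ == "__main__":
    req = requested_attributes(SP_METADATA)
    print("requested:", req)
    print("conflicts:", find_conflicts(req, FEDERATION_POLICIES))
    print("blocked  :", blocked_federations(req, FEDERATION_POLICIES))
    print("per-fed  :", minimal_per_federation(req, FEDERATION_POLICIES))
```

The point of `blocked_federations` is the failure mode in the mail: marking the attribute `isRequired="true"` to satisfy one federation turns a policy disagreement in another federation into a hard login failure for that federation's users, rather than a degraded session. Running such a check against a federation's aggregated metadata is a cheap way to surface these conflicts before an SP is published to additional federations.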