...
| Title | Storing History and Evolution of Metadata in a Distributed Ledger |
|---|---|
| Description | The aggregated metadata of eduGAIN is under constant change as entities get added, removed, or changed. While daily backups are made, there is no event-based changelog and no trace of which change was made when. When an entry of interest is examined, the search for the exact event timestamps of changes pertaining to that entry are tedious by searching old copies of the entity database manually. The proposed system stores any change to the metadata aggregate one-by-one in a ledger as soon as it happens. That way, even intra-day changes (between daily database backups) can be observed and a "rewind" of the entity list to specific point in time becomes simple. For improved traceability of any changes, the ledger can be made distributed and authenticated in the way that both the publishing eduGAIN participant (sending side) and the eduGAIN OT (receiving side) both sign the change in a distributed ledger. The ledger would be distributed so that each eduGAIN federation maintains a copy. With that, changes made automatically synchronise between federations and a manual polling of per-participant feeds (by eduGAIN OT) as well as a periodic download of the aggregate (by eduGAIN participants) becomes superfluous. eduGAIN OT still maintains its role as metadata policy verifier by signing only such changes in metadata which result in eduGAIN policy conformant metadata. As a positive side-effect, this changes the granularity of metadata rejection from a per-participant (country-wide) effect to a per-entity effect, reducing outages due to metadata of entire participant federations vanishing. The solution developed here is not limited to eduGAIN exclusively; it can also be used inside a federation to collect and sign individual pieces of metadata, thereby assembling its own metadata set in the same way. Where IdPs or SP choose to maintain a copy of the ledger, they can immediately and in real-time see any changes and implement them in their entity; resulting in an experience similar to the MDX proposal above. They can choose to incorporate only entries signed by their own federation, or a superset to their liking. |
| Proposer | Stefan Winter (RESTENA) |
| Resource Requirements | VMs, storage for the ledger, a blockchain implementation, someone to work on that so it fits our needs |
| +1's |
| Title | Scope verification based on DNS |
|---|---|
| Description | The scope part of attributes means critical security context for many applications. Currently the only way for an SP to check whether an IdP is allowed to use a scope is based on verification of shibmd:Scope metadata extension. As metadata might originate from a massive number of sources, an organization and/or an SP might want to provide additional means to verify scope usage. If the scope equals to a real domain name, it can be easily implemented by adding TXT records to the domain record that describe the allowed entityIDs which can assert the scope. (Similar to SPF - Sender Policy Framework.) This should be an optional measure in addition to existing metadata-based scope verification technique. |
| Proposer | Kristof Bajnok (eduID.hu) |
| Resource requirements | standardization - REFEDs? implementation for Shibboleth and SimpleSAMLphp |
| +1's | <for others to voice their support - add your name here> |
| Title | Adoption & Outreach Support for eduGAIN BCP |
|---|---|
| Description | BCP for eduGAIN will be launched in 2018. Federations should be supported to gain adoption by campuses |
| Proposer | Ann H on behalf of several |
| Resource requirements | Funding for outreach and adoption efforts at each GEANT partner, strategic/materials support for all. |
| +1's | <for others to voice their support - add your name here> |
You do not have to fill in every field, just give as much detail as you have right now if you know them.