...
| Questions | |
|---|---|
| 1 | There is a signed JWKS endpoint (signed_jwks_uri) we might want to require, rather than just TLS in the normal JWKS endpoint. Maybe we want to require that? |
| 2 | A policy operates by performing a check, a modification, or both on a given metadata parameter. We currently have limited abilities to perform some of the checks discussed. |
| 3 | Is the term member used consistently in the document? |
| 4 | NOTE: metadata_policy_crit OPTIONAL. Array of strings specifying critical metadata policy operators other than the standard ones defined in Section 6.1.3.1 that MUST be understood and processed. When included its value MUST NOT be the empty array []. If any of the listed policy operators are not understood and supported, then the Subordinate Statement and thus the Trust Chain that includes it MUST be considered invalid |
- Report on slack conversation regarding registration and scopes.
...
How do we know how to police this? We can say that .ac.uk goes should probably go to UK but .edu? Or a Norwegian school registered in Feide with a .acorg.uk domain. ?
Should eduGAIN maintain an ALLOW list like we do with eduroam? This is challenging. We trust federation operators to do this, but this then changes when we have different entities published. We are purely reactive on scpe scope checking.
How can we realistically change this and what checking can we request?
...