...

Recommendations (service model discussion)
Have a consistent approach to how federations are expected to publish metadata upstream and downstream
Improve positioning of Seamless Access in relation to eduGAIN
Review eduGAIN mission statement
Consider levels (max 3) that apply to all IdPs (Anon, Pseudon, Personalised) plus CoCo, Sirtfi, Assurance


Baseline Requirement | Potential eduGAIN Improvements
[FO1] You focus on trustworthiness of Federation as a primary objective and are transparent about such efforts
  • Inability to filter out an entity
  • Lack of updates regarding FO changes (solved by health check? / audit)
  • Inability to take action over CoCo, Sirtfi, R&S violations
  • Governance structure not fit for purpose
[FO2] You publish contact information and respond in a timely fashion to operational issues
  • Enforce FO security contact
  • Enforce use of non-personal address for "contact"
  • We don't have management contacts
  • Poor response / participation from federations?
  • Do we want to create aliases for each federation? e.g. caf@support.edugain.org?
  • Regular testing of technical contacts as well as security contacts

[FO3] You apply security practices to federation operations and ensure timely incident response

  • Inability to take actions centrally (In particular any complaint about a Member shall be made to the operator of its Participating Federation and dealt with between that Member and that operator according to the rules of that Participating Federation and subject only to that Participating Federation’s governing law and jurisdiction)
  • Lack of ability of eduGAIN to enact emergency changes and sanctions on entities
  • Suspension correlation to eduGAIN “rules”
  • Security of core eduGAIN infrastructure (MDS, websites etc).
  • Ensure that we define what "timely" means for eduGAIN
[FO4] You follow good practices to ensure authentic, accurate and interoperable metadata to enable secure and trustworthy federated transactions
  • Inability to offer SPs a guaranteed response from specific IdPs - experience of trying to connect is too varied.
  • Some technical checks are informal (e.g. checking the UK import issues list) and not formalised.
  • Too many different tools, lack of one process for checking metadata issues.
  • What is "accurate"? What is "interoperable"? Is "consistent" part of this?
  • Is it just about metadata? Or also about the protocol messages?
  • Overview of the tools and description of what each does (landing page). 
  • Metadata propagation and how we improve
[FO5] You implement and support frameworks that improve trustworthy and scalable use of Federation and promote their adoption by members and other participants
  • Governance structure not fit for purpose
  • Need to enforce standards like CoCo, R&S, Sirtfi, assurance, MFA and more
  • Assurance?
  • Adoption and promotion mandate
[FO6] You collaborate with other organisations to promote realization of baseline expectations nationally and internationally
  • Need to implement the baseline first.
  • Continuous work to ensure that compliance is met. 



Notes:

FO1: comments and additions
Davide: some of the potential improvements are linked. Violations & filtering and the decision making (governance structure).
Guy: +1. Not an agile governance model.
Meshna: Where lies the difficulty? Technical or policy?
Davide: The constitution doesn't allow us to filter entities on the eduGAIN level.
Nicole: The potential impact when taking an IdP down.
Alex: eduGAIN isn't required to publish everything from the upstream feeds.
Davide: Process driven.
Alan: Rules aren't clearly written. It is the FO's responsibility to provide clean MD. First step: agreement between FO and eduGAIN to allow filtering.
Guy: Wide range of technical and support abilities. We could do this differently for different federations.
Nicole: Different service models for different types of federations.
Pal: FOs still need to take/stay responsible for their MD. Be careful with wording.

Meshna: A need for an entity in Federation X to address changes with other federations?
Nicole: Testing security and technical

...