
Each item below gives: #, Name (Document, if any); Issue Description; Theme; Scope for this group?; Action Item.

1. Warren (no document)
Issue: Will publishing of InCommon IdPs and SPs into eduGAIN be opt-in or opt-out?
In particular, if we make publishing metadata into eduGAIN an opt-in activity, it seems to me we might be able to simply have separate agreements and operating procedures for those efforts. It also seems to me as though we can start asking those IdPs and SPs that choose to participate what added value might be of most benefit to them.
Theme: opt-in/opt-out
Scope for this group: In Scope for policy decision
Action Item: Key Issue.

2. Warren (no document)
Issue: Will eduGAIN metadata feeds be aggregated into the InCommon feed or pulled separately by InCommon IdPs and SPs?
Theme: Metadata practices
Scope for this group: Out of Scope; operational policy
Action Item: TAC

3. Warren (no document)
Issue: Will InCommon simply publish the metadata as it arrives from eduGAIN, or will it add value, by, for instance:
   a) filtering eduGAIN metadata (to remove malformed metadata or metadata that does not comply with InCommon standards/expectations, metadata from commercial enterprises entering through other federations, etc.)?
   b) negotiating attribute release policies, entity category tags, SAML versions, hash algorithms, etc. with other eduGAIN participating federations.
   c) interpreting legal obligations related to PII or other attribute release from other federations to make it easier for InCommon IdPs and SPs.
   d) other similar value-adding activities.
[John's response] Perhaps in an adjacent or linked document (TBD), InCommon Ops should publish our import filtering rules and export filtering rules in human-readable format. The import filter will remove any tags we are authoritative for (e.g., InCommon Bronze, Silver), all certs with <1024-bit key strength, duplicate md entries from eduGAIN sources, other filters...
Theme: Metadata practices
Scope for this group: Minimally In Scope, item c; operational policy
Action Item: TAC

4. Von (no document)
Issue: Research SPs and making sure that the ease of obtaining attribute release that the Research and Scholarship category has enabled within InCommon expands to the international arena.
Wants to ensure that InCommon IdPs and SPs can participate in the international R&S standard. If we do come across any wording that would prevent participation in this program, we would address it accordingly.
Theme: R&S
Scope for this group: Out of Scope but Nota Bene; a related but not primary focus
Action Item: InC Ops/TAC

5. Ann (FOPP)
Issue: Section 1. Add international context/role description.
Theme: Role Definition
Scope for this group: In Scope

6. Theresa (FOPP)
Issue: Section 2. Organizational Structure: do we need a basic flow chart?
[Tracy's response] Or a graphic?
Theme: Document Clarity
Scope for this group: Out of Scope
Action Item: Doc Editors

7. Bill (FOPP)
Issue: Section 7.2 Relationship of Systems to Participant: Are ownership structures different in eduGAIN? Does that matter? Are there significant commercial or government systems influencing federations?
[Warren's response] Ownership would be defined by each participating federation in eduGAIN. I've only got insight into a couple (UK, Canada) but they seem essentially the same.
[Susan's response] What about a federal inquiry? How do we handle those things that aren't an adjudicated order? Or sensitive research with an entity in a hostile nation that raises questions from the US Gov?
Theme: Legal/Process
Scope for this group: In Scope

8. Steven (FOPP)
Issue: Update the IdP and SP definitions to better reflect the complexities of the environment.
Need an explicit definition of IdP, SP and other entities. Add to PA too.
Theme: Participant System Definition
Scope for this group: In Scope with TAC support
Action Item: TAC

9. Bill (FOPP)
Issue: Are the types of Identity Providers and Service Providers in eduGAIN substantially different entities than what we see in our federation? Are there different trust marks or certification marks than what we tend to use? If substantially different, how will we inform our participants of what those entities are?
[Warren's response] For the most part, the IdPs and SPs are very analogous to what we have in InCommon. They are mostly university ID management systems and services. Individual federations in eduGAIN might have certifications or trust marks that they use internally; we are free to ignore them and should do so in general. eduGAIN itself does not add additional tags to metadata of this sort.
Theme: Participant System Definition
Scope for this group: In Scope with TAC support
Action Item: TAC

10. Ann (FOPP)
Issue: Section 7.3.2 Metadata description needs to reflect interfederation.
7.3.2.1 Certificate practices check.
Theme: InCommon Practices
Scope for this group: In Scope for draft; operational policy
Action Item: InC Ops/TAC

11. Bill (FOPP)
Issue: Do we need to include dispute resolution between federations?
[Tracy's response] Could we get guidance from the Global Network at Berkman for international governance models?
[John's response] This is dealt with in eduGAIN policy.
[group discussion] Is InCommon going to help manage or not? We are facilitators, not arbitrators, of interfederation. There are legal and non-legal ways of handling dispute resolution.
Theme: Dispute Resolution
Scope for this group: In Scope
Action Item: Key Issue

12. Steven (FOPP)
Issue: Section 9.2 InCommon must put in place processes to require the POP.
[Bill's comments] Section 9.2 talks about "communications" and "support" but seems to be mainly about support. It states documents and POPs are published on the InCommon website. Is that the only communication requirement? Where are POPs published? I am not really familiar with the Federation Manager; does it allow users to browse POPs?
[John's response] Do we need to educate participants regarding international entities and the lack of a POP? Do we need to require it of InCommon IdPs/SPs before we export them to eduGAIN?
Theme: Participant Practices; Nota Bene; AAC reviewing
Scope for this group: In Scope

13. Theresa (PA)
Issue: Disclaimer and Limitation: How will this be worded? Attorneys get really squeamish with these types of statements.
[Group discussion] International implications.
Theme: Legal/Process
Scope for this group: In Scope

14. Ann (FOPP)
Issue: Federation Technical Infrastructure will need mention of how eduGAIN is supported.
Theme: InCommon Practices
Scope for this group: In Scope for Drafting

15. Ann (PA)
Issue: Add description to section 1.
Theme: Role Definition
Scope for this group: In Scope

16. Ann (PA)
Issue: Update Section 6, Participant Requirements, regarding governing law, accurate metadata, and documenting practices as needed for a participant to support eduGAIN.
Theme: Participant Requirements/Practices
Scope for this group: In Scope

17. Ann (PA)
Issue: Section 7 InCommon Federation Services. Will be sharing metadata internationally as well. Upon request?
Theme: opt-in/opt-out
Scope for this group: In Scope

18. Bill (PA)
Issue: Section 9. I suspect "privacy" rules are the biggest impact from a regulation standpoint. What are eduGAIN's requirements from their participants in this area?
[Donald's response] Based on what is written in the "Discussion of the issues" document, it seems eduGAIN does not have strict standards for membership; however, the community members appear to self-govern (http://www.edugain.org/technical/status.php). I looked at a few of the member statements on privacy/security and they seem similarly worded to the InCommon requirements. I may look at this as any other agreement between providers, in that if I really want to federate with another organization I am going to research their policies and procedures even if they are a member. I think federation simply makes it easier to do so.
Theme: Privacy
Scope for this group: In Scope
Action Item: Key Issue

19. Ann (PA)
Issue: Section 7: Federation Rules. Do we need to allude to other federations here, or let the responsibility for applying those rules rest on InC to promulgate?
[Bill's response] I think this is a key issue. As an InCommon Participant I do want to understand "who" are registered and "where" they are registered, which could impact "what" I register. But I realize that comes with a price of additional administration because the "where" could be international. InC providing the brokering services would be valuable in my mind.
[Donald's response] I agree with Bill that InCommon could broker this, whether it be through an attribute that identifies the eduGAIN entities, and may also keep from having to maintain separate metadata for eduGAIN members. Could this also resolve the opt-in/opt-out question?
[John] Yes, the provenance of each entity (i.e., the Federation responsible for each published IdP and SP) will be a "tag" that is stamped in each entity's metadata and retained when InCommon republishes each. In this way, InCommon participants will know which entities are based in InCommon and which are based in some other Federation's trust framework.
[Group] What's the definition of HE? InCommon has eligibility requirements. What are other federations' eligibility requirements? If there was an institution we didn't like, could we ask InC to filter it out? Spawned dispute resolution #31.
Possibly say less here; if InC is publishing metadata from another federation, InCommon will identify who is and who isn't an InCommon member.
Theme: Definition of Participants. Transparent about including international entities and what expectation we have for them.
Scope for this group: In Scope

20. Bill (PA)
Issue: Section 12: Are eduGAIN insurance requirements similar, equitable? Does InCommon verify insurance contracts of participants?
[Group] eduGAIN has no insurance requirements. Ann to check about InCommon insurance requirements.
Theme: Insurance
Scope for this group: Pending

21. Theresa (PA)
Issue: Section 15. Many public institutions are not allowed to agree to governance that is not within their state. Can this be reworded?
[group] How do we determine the jurisdiction for the national agreement? We keep silent on this.
Theme: Legal/Process
Scope for this group: Out of Scope

22. Group (PA)
Issue: Participants have a choice and would sign a new agreement. Opt-out: we would send them the changes and propose a time when they would take effect. Either way, the changes to this Agreement would be publicly vetted and discussed.
Theme: opt-in/opt-out
Scope for this group: In Scope

23. Ann (PA)
Issue: Section 11: Is there an international impact on liability? Is there increased risk to the federation and participant? How should we proceed?
[John's comment] Liability:
   InCommon to Participant
   InCommon to International Federations
   Participant to Participant (external contract)
   Participant to Participant (no contract)
   Participant to International Federation Member (contract)
   Participant to International Federation Member (no contract)
[group] Section 11: we provide a service with no implied warranties. Indemnification is off the table. Should not change, but is part of the legal discussion. Dependent on how this comes out with the governance issue/dispute resolution.
Need to expand to all the entities.
Theme: Legal/Process
Scope for this group: In Scope

24. Bill (PA)
Issue: Section 10. Dispute Resolution: Should InCommon help with international disputes?
[Bill's response] Sounds like a slippery slope to suggest international dispute resolution. I will confer with Scott David for an opinion.
[group] It does provide a process for how to do dispute resolution between organizations. If you have a disagreement, it's between those federations. eduGAIN is not a part.
Theme: Dispute Resolution
Scope for this group: In Scope

25. Theresa (PA)
Issue: Section 9. This is pretty ambiguous; can "as required by federal and European law" be added to the statement?
[group] Need a broadly based statement that's based on the participant's privacy statute and not limit it to federal and European law. Does it require the participant to understand the impact of releasing PII to the SPs?
This will be the single biggest hurdle.
Theme: Privacy
Scope for this group: In Scope

26. All (FOPP)
Issue: Section 10. Termination or Suspension: what does this mean in the international context?
[John] Suspension of Publishing Metadata. A fundamental question of how much power InCommon Participants would like to bestow on the Federation. Should InCommon import filter rules be minimal and necessary only for technical security reasons, or should InCommon act as a more active broker, with the power to drop international IdPs and SPs for a defined set of other reasons? Current federation policy is lean, increasing scalability and interoperability rather than a heavyweight policy enforcement role based on other non-technical issues. Is it important to consider certain minimal use cases such as the international business treaties and hostile nation issues mentioned in #7?
[group] What mechanisms do we use to review the process for exclusion? Who decides? What can InCommon staff do on behalf of the community? What needs further review?
Include metadata tags in the "phone book," but bad actors will be removed by InCommon, which will notify other Participants; InC. will not set policy but will administer best practices.
Process for appeal and reinstatement, per approval of the Steering Committee, and dispute resolution, policy authority, included.
Scope for this group: In scope; further discussion anticipated

27. Steven (no document)
Issue: Recommended attributes for interoperability: includes SCHAC attributes. What does InCommon want to recommend to our members?
Scope for this group: Send to TAC; eduGAIN may want to review
Action Item: TAC

28. Steven (no document)
Issue: eduGAIN uses two metadata fields that are not required by us or differ from what we do (isRequired and MDUI). What does InCommon want to recommend to our members?
Scope for this group: Send to TAC; Code of Conduct (Phase 2)
Action Item: TAC

29. Bill (no document)
Issue: Why is there an additional risk statement on the FOPP page? https://incommon.org/docs/policies/risk_assessment.html Can this be eliminated or incorporated into the policies in some way?
Theme: From Participation Agreement to FOPP, relationship InC. to eduGAIN
Scope for this group: In scope
Action Item: Key

30. Steven (no document)
Issue: Should we be able to ask InCommon to filter out entities?
Theme: Dispute Resolution; bundle with #26, next steps of reinstatement.
Scope for this group: In Scope
Action Item: Key
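The following is an added worked example, written for this page and not code from InCommon Operations, eduGAIN, or any of the commenters above. It shows what the import filter sketched in item 3 and the provenance tag described in item 19 look like when applied to a SAML 2.0 metadata aggregate: entities are dropped when a signing certificate carries an RSA key under 1024 bits, when the entityID is a duplicate, when the entity is one InCommon itself registered (and therefore already sits in the InCommon feed), or, as an assumed rule, when it carries no mdrpi:RegistrationInfo; the assurance tags InCommon is authoritative for are stripped while foreign tags are left alone; and each surviving entity keeps its registrationAuthority so republished metadata still shows which federation stands behind it. Everything concrete here is an assumption or constructed for the example: the Bronze/Silver tag URIs, the sample entityIDs and registrar URLs, and the synthesised certificates (unsigned DER skeletons built only to carry a modulus of a chosen size). The key-size check walks the DER by position and handles RSA only; a production filter would use a real X.509 parser.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
MIN_KEY_BITS = 1024                      # item 3: drop certificates whose RSA key is under 1024 bits
OWN_REGISTRAR = "https://incommon.org"   # registrationAuthority InCommon stamps on its own entities
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
LOCAL_TAGS = {"http://id.incommon.org/assurance/bronze",    # assumed URIs for the Bronze/Silver
              "http://id.incommon.org/assurance/silver"}    # tags that only InCommon may assert

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):
    """Decode all TLVs packed inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in a DER X.509 certificate (positional ASN.1 walk, RSA only)."""
    fields = _children(_children(_tlv(cert_der, 0)[1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5][1]                                    # serial, sigAlg, issuer, validity, subject, SPKI
    rsa_key = _children(spki)[1][1][1:]                    # BIT STRING minus the unused-bits octet
    modulus = _children(_children(rsa_key)[0][1])[0][1]    # RSAPublicKey.modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length()
def _der(tag, value):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    lb = b"" if len(value) < 0x80 else len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(value)]) + lb + value
def fake_cert_der(modulus_bits):
    """Constructed sample: unsigned cert skeleton whose SPKI carries an RSA modulus of modulus_bits (multiple of 8)."""
    mod = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8 + 1, "big")  # leading 0x00 keeps INTEGER positive
    rsa_key = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + rsa_key))
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0x02, b"\x01") + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))

def filter_aggregate(xml_text):
    """Import filter for an eduGAIN-style aggregate -> (kept, dropped, root): kept maps entityID to its
    registrationAuthority, dropped lists (entityID, reason), root is the pruned tree with provenance intact."""
    root = ET.fromstring(xml_text)
    kept, dropped = {}, []
    for ed in list(root.findall("md:EntityDescriptor", NS)):
        eid = ed.get("entityID")
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else None
        reason = None
        if authority is None:                              # assumed rule: provenance must be declared
            reason = "no mdrpi:RegistrationInfo"
        elif authority == OWN_REGISTRAR:                   # our own entity coming back through eduGAIN
            reason = "already published in the InCommon feed"
        elif eid in kept:
            reason = "duplicate entityID"
        elif any(rsa_modulus_bits(base64.b64decode("".join(c.text.split()))) < MIN_KEY_BITS
                 for c in ed.iter("{%s}X509Certificate" % NS["ds"])):
            reason = "certificate key under %d bits" % MIN_KEY_BITS
        if reason:
            root.remove(ed)
            dropped.append((eid, reason))
            continue
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_ATTR:         # strip the tags we are authoritative for
                for v in [v for v in attr if (v.text or "").strip() in LOCAL_TAGS]:
                    attr.remove(v)
        kept[eid] = authority                              # provenance tag is left in the metadata
    return kept, dropped, root

def _entity(eid, authority, key_bits, tags=()):
    """One constructed EntityDescriptor for the sample aggregate."""
    cert = base64.b64encode(fake_cert_der(key_bits)).decode()
    reg = '<mdrpi:RegistrationInfo registrationAuthority="%s"/>' % authority if authority else ""
    vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % t for t in tags)
    return ('<md:EntityDescriptor entityID="%s"><md:Extensions>%s<mdattr:EntityAttributes>'
            '<saml:Attribute Name="%s">%s</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            '<md:IDPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>') % (eid, reg, ASSURANCE_ATTR, vals, cert)

# Constructed sample aggregate (not real eduGAIN data): clean, weak key, duplicate, own, no provenance.
SAMPLE_AGGREGATE = (
    "<md:EntitiesDescriptor %s>" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    + _entity("https://idp.example.ac.uk/idp", "http://ukfederation.org.uk", 2048,
              ("http://id.incommon.org/assurance/bronze", "https://example.org/assurance/local"))
    + _entity("https://sp.example.edu.au/sp", "https://aaf.edu.au", 512)
    + _entity("https://idp.example.ac.uk/idp", "http://ukfederation.org.uk", 2048)
    + _entity("https://idp.member.example.edu/idp", OWN_REGISTRAR, 2048)
    + _entity("https://sp.example.ca/sp", None, 2048)
    + "</md:EntitiesDescriptor>")
```

Calling filter_aggregate(SAMPLE_AGGREGATE) keeps only the UK entity (with its foreign assurance tag intact and the Bronze tag removed) and reports the other four with their reasons; the dropped list is the human-readable record John's comment asks for, and the kept map is what an InCommon participant would consult to see which federation registered an entity. Order matters in the check chain: provenance and duplicate checks run before the certificate walk so that malformed or foreign-registered entries never reach the ASN.1 parser.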
