Click on the title of any column to reorder the list.
# Name Document (if any) Issue Description Theme Scope for this group? Action Item 1 Warren Will publishing of InCommon IdPs and SPs into eduGAIN be opt-in or opt-out? opt-in/ In Scope for policy decision Key Issue. 2 Warren Will eduGAIN metadata feeds be aggregated into the InCommon feed or pulled separately by InCommon IdPs and SPs? Metadata practices Out of Scope; operational policy TAC 3 Warren Will InCommon simply publish the metadata as it arrives from eduGAIN, or will it add value, by, for instance: Metadata practices Minimally In scope TAC 4 Von Research SPs and making sure that the ease of obtaining attribute release that the Research and Scholarship category has enabled within InCommon expands to the international arena. R&S Out of Scope but Nota Bene; a related but not primary focus InC Ops/ 5 Ann FOPP Section 1. Add international context/role description Role Definition In Scope 6 Theresa FOPP Section 2. Organizational Structure: do we need a basic flow chart? Document Clarity Out of Scope Doc Editors 7 Bill FOPP Section 7.2 Relationship of Systems to Participant: Are ownership structures different in eduGain? Does that matter? Are their significant commercial or government systems influencing federations? Legal/ Process In Scope 8 Steven FOPP Update the IdP and SP definitions to better reflect the complexities of the environment. Participant System Definition In Scope with TAC support TAC 9 Bill FOPP Are the types of Identity Providers and Service Providers in eduGain substantially different entities than what we see in our federation? Are there different trust marks or certification marks than what we tend to use? If substantially different how will we inform our participants of what those entities are? Participant System Definition In Scope with TAC support TAC 10 Ann FOPP Section 7.3.2 Metadata description needs to reflect interfederation InCommon Practices In Scope for draft; operational policy InC OPs/ TAC 11 Bill FOPP Do we need to include dispute resolution between federations? Dispute Resolution In Scope Key Issue 12 Steven FOPP Section 9.2 InCommon must put in place processes to require the POP. Participant Practices; Nota Bene; AAC reviewing In Scope 13 Theresa PA Disclaimer and Limitation: How will this be worded? Attorney's get really squeamish with these types of statements. Legal/ Process In Scope 14 Ann FOPP Federation Technical Infrastructure will need mention of how eduGAIN is supported. InCommon Practices In Scope for Drafting 15 Ann PA Add description to section 1. Role Definition In Scope 16 Ann PA Update 6. Participant Requirements regarding governing law, accurate metadata, and documenting practices as needed for participant to support eduGAIN. Participant Requirements/ In Scope 17 Ann PA Section 7 InCommon Federation Services. Will be sharing metadata internationally as well. Upon request? opt-in/ In Scope 18 Bill PA Section 9. I suspect "privacy" rules are the biggest impact from a regulation standpoint. What are eduGains requirements from their participants in this area? Privacy In Scope Key Issue 19 Ann PA Section 7: Federation Rules - Do we need to allude to other federations here or let the responsibility for applying those rules rest on InC to promulgate? Definition of Participants - Transparent about including international entities and what expectation we have for them. In Scope 20 Bill PA Section 12: Are eduGAIN insurance requirements similar, equitable? Does InCommon verify insurance contracts of participants? Insurance Pending 21 Theresa PA Section 15. Many public institutions are not allowed to agree to governance that is not within their state. Can this be reworded? Legal/ Process Out scope 22 Group PA Participants have a choice and would sign a new agreement. Opt-out, we would send them the changes and propose a time when they would take effect. Either way, this the changes to this Agreement would be publicly vetted and discussed. opt-in/ In Scope 23 Ann PA Section 11: Is there an international impact on liability? Is there increased risk to the federation and participant? How should we proceed? Legal/ Process In Scope 24 Bill PA Section 10. Dispute Resolution: Should InCommon help with international disputes? Dispute Resolution In Scope 25 Theresa PA Section 9. This is pretty ambiguous, can "as be required by federal and European law be added to the statement? Privacy In Scope 26 All FOPP Section 10. Termination or Suspension: what does this mean in the international context? Include metadata tags included in the "phone book," but bad actors will be removed by InCommon and will notify other Participants; InC. will not policy but will administer best practices. In scope; further discussion anticipated 27 Steven Recommended attributes for interoperability: Includes SCHAC attributes. What does InCommon want to recommend to our members? Send to TAC; eduGAIN may want to review TAC 28 Steven eduGAIN uses two metadata fields that are not required or different from what we do. (isRequired and MDUI) What does InCommon want to recommend to our members? TAC 29 Bill Why is there an additional risk statement on the FOPP page? https://incommon.org/docs/policies/risk_assessment.html Can this be eliminated or incorporated into the policies in some way? From Participation agreement to FOPP, relationship InC. to eduGAIN In scope Key 30 Steven Should we be able to ask InCommon to filter out entities? Dispute Resolution, bundle with #26, In Scope Key
In particular, if we make publishing metadata into eduGAIN an opt-in activity, it seems to me we might be able to simply have separate agreements and operating procedures for those efforts. It also seems to me as though we can start asking those IdPs and SPs that choose to participate what added value might be of most benefit to them.
opt-out
a) filtering eduGAIN metadata (to remove malformed metadata or metadata that does not comply with InCommon standards/expectations, metadata from commercial enterprises entering through other federations, etc?)
b) negotiating attributes release policies, entity category tags, SAML versions, hash algorithms, etc with other eduGAIN participating federations.
c) interpreting legal obligations related to PII or other attribute release from other federations to make it easier for InCommon IdPs and SPs.
d) other similar value-adding activities.
[John's response] Perhaps in an adjacent or linked document (TBD), InCommon Ops should publish our import filtering rules and export filtering rules in human readable format. Import filter will remove any tags we are authoritative for (e.g., InCommon Bronze, Silver), all certs <1024 bit key strength, duplicate md entries from eduGAIN sources, other filters...
item C; operational policy
Wants to ensure that InCommon IdPs and SPs can participate in the international R&S standard. If we do come across any wording that would prevent participation in this program, we would address accordingly.
TAC
[Tracy's response] or a graphic?
[Warren's response] Ownership would be defined by each participating federation in eduGAIN. I've only got insight into a couple (UK, Canada) but they seem essentially the same.
[Susan response] What about a federal inquiry? How do we handle those things that aren’t an adjudicated order? Or sensitive research with an entity in a hostile nation that raises questions from the US Gov?
Need an explicit definition of IdP, SP and other entities. Add to PA too.
[Warren's response] For the most part, the IdPs and SPs are very analogous to what we have in InCommon. They are mostly university ID management systems and services. Individual federations in eduGAIN might have certifications or trust marks that they use internally - we are free to ignore them and should do so in general
. eduGAIN itself does not add additional tags to metadata of this sort.
7.3.2.1 Certificate practices check.
*[Tracy's response]* Could we get guidance from the Global Network at Berkman for international governance models?
[John's response] This is dealt with in eduGAIN policy.
*[group discussion] *Is InCommon going to help manage or not? We are facilitators not arbitrators of Interfederation. There are legal and non-legal ways of handling dispute resolution.
[Bill's Comments] Section 9.2 talks about "communications" and "support" but seems to be mainly about support. It states documents and POPs are published on InCommon Website. Is that the only communication requirement? Where are POPs published? I am not real familiar with the Federation Manager, does it allow users to browse POPs?
[Johns response] Do we need educate participants regarding international entities and lack of POP? Do we need require of InCommon IdPs/SPs before we export them to eduGAIN?
[Group discussion] International implications
Practices
opt-out
[Donald's response] Based on what is written in the "Discussion of the issues" document, it seems eduGAIN does not have strict standards for membership however the community members appear to self govern (http://www.edugain.org/technical/status.php). I looked at a few of the member statements on privacy/security and they seem similarly worded to the InCommon requirements. I may look at this as any other agreement between providers in that if I really want to federate with another organization I am going to research their policies and procedures even if they are a member. I think federation simply makes it easier to do so.
[Bill's response] I think this is a key issue. As an InCommon Participant I do want to understand "who" are registered and "where" they are registered, which could impact "what" I register. But I realize that comes with a price of additional administration because the "where" could be international. InC providing the brokering services would be valuable in my mind.
[Donald's response] I agree with Bill that InCommon could broker this whether it be through an attribute that identifies the eduGAIN entities, and may also keep from having to maintain separate metadata for eduGAIN members. Could this also resolve the opt in/opt out question?
[John] Yes, the provenance of each entity (i.e., the Federation responsible for each published IdP and SP) will be a "tag" that is stamped in each entity's metadata and retained when InCommon republishes each. In this way, InCommon participants will know which entities are based in InCommon and which are based in some other Federation's trust framework.
[Group] What's the definition of HE? InCommon has eligibility requirements. What are other federation eligibility requirements? If there was an institution we didn't like, could we ask InC to filter it out? Spawned dispute resolution # 31
Possibly say less here, if InC is publishing metadata from another federation, InCommon will identify who is and who isn't an InCommon member.
[Group] eduGAIN has no insurance requirements. Ann to check about InCommon insurance requirements
[group] How do we determine the jurisdiction for the national agreement? We keep silent on this.
opt-out
[John's comment] Liability:
InCommon to Participant
InCommon to International Federations
Participant to Participant (external contract)
Participant to Participant (no contract)
Participant to International Federation Member (contract)
Participant to International Federation Member (no contract)
[group] Section 11: we provide a service with no implied warranties. Indemnification is off the table. Should not change, but is part of legal discussion. Dependent on how this comes out with governance issue/dispute resolution.
Need to expand to all the entities.
[Bill response] Sounds like a slippery slop to suggest international dispute resolution. I will confer with Scott David for an opinion.
[group] Does provide a process for how to do dispute resolution between organizations. If you have a disagreement, it's between those federations. eduGAIN is not a part.
[group] Need a broadly based statement that's based on the participant privacy statute and not limit it to federal and european law. Does it require the participant to understand the impact of releasing PII to the SPs?
This will be the single biggest hurdle.
[John] Suspension of Publishing Metadata. A fundamental question of how much power InCommon Participants would like to bestow to the Federation. Should InCommon import filter rules be minimal and necessary only for technical security reasons, or should InCommon act as a more active broker, with the power to drop international IdPs and SPs for a defined set of other reasons? Current federation policy is lean, increasing scalability and interoperability rather than a heavyweight policy enforcement role based on other non-technical issues. Is it important to consider certain minimal use cases such as international business treaties and hostile nation issues mentioned in #7?
[group] What mechanisms do we use to review the process for exclusion? Who decides? What can InCommon staff do on behalf of the community? What needs further review?
Process for appeal and reinstatement per approval of Steering Committee and dispute resolution, policy authority, included.
Send to TAC; Code of Conduct (Phase 2)
next steps of reinstatement.