Risks

• Security
  • Disclosure of private key
  • Clients not checking signatures
  • Intrusion into signing infrastructure
  • DoS attacks on distribution
• Availability
  • The distribution service for entities
    • As discussed in Agenda and Notes - 2016-08-03, it seems feasible that a cost-effective infrastructure can be deployed that can provide at least four nines availability and sufficient capacity for InCommon.
  • The aggregation/signing service
    • This is not a major concern, assuming a separate distribution layer in the architecture.
• Responsiveness / Capacity
  • Capacity is not sufficiently elastic
    • As discussed in Agenda and Notes - 2016-08-03, it seems feasible that a cost-effective infrastructure can be deployed that can provide at least four nines availability and sufficient capacity for InCommon.
    • (We should decide on acceptable response from the distribution service.)
• Cost
  • Cost of elastic capacity not budgeted
    • UK experience indicates that this should be low, a few hundred dollars per month.
  • Staff time and attention

Opportunities

• Window of opportunity to engage SAML infrastructure components/tools/libraries outside of the usual suspects (Shibboleth, SimpleSAMLphp) to support Federation (large 'F') using MDQ. See this email from Michael Domingues (Iowa) with a fuller explanation.