[eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)


  • From: Brook Schofield <schofield AT terena.org>
  • To: edugain-discuss AT geant.net
  • Cc: edugain-tsg AT geant.net
  • Subject: [eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)
  • Date: Tue, 3 Dec 2013 14:34:45 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

All,

the TL;DR is:

1. visit http://goo.gl/6LUNDl
2. comment on your federation entry:
 * which metadata signing, metadata software is used
 * whether you can consume http://mds.edugain.org/feed-sha256.xml into your tools
 * your plans or a URL for a SHA-256 feed into eduGAIN
 * flag if you believe that the list 3 columns are inaccurate (results taken from eduGAIN.org/Metadata/ validator)
3. look at the "Software" tab if you have any information on SHA-256 support for metadata/messages of these tools
4. a revision of the Metadata Profile http://edugain.org/policy will reflect these "improvements"
5. the eduGAIN Steering Group will decide on the above profile and the timeframe to enforce it.

Thanks,

-Brook

Since you've scrolled down further I'll explain more fully.

I'd take further discussion to the eduGAIN-discuss AT geant.net list until such time as we have something to "vote" on or decide within the Steering Group.

Clearly this is of interest to the wider community - even beyond eduGAIN - but with 23 federations providing metadata to eduGAIN it is such a sizeable group that solving the problem will allow eduGAIN to require future federations' metadata feeds to comply with this requirement, continually lifting the bar.

In light of Chris' initial questions and the discussions on many other mailing lists there are two implications from the NIST recommendation on "disallowing" SHA-1 and Keys <2K in size.

1. The trust between federations (brokered by eduGAIN) and
2. The trust between entities within + beyond their federations.

These have been better articulated by Ian. I'm only focusing on the trust between federations as this is clearly in the remit of eduGAIN - and #2 will follow as a result (I hope). Equally some federations are focusing on #2 which will necessitate the same improvement in trust when those federations become part of an interfederation service. If you think this is the wrong direction please say so.

I've started to annotate http://goo.gl/6LUNDl and would appreciate completing the sections.

Please note that this is specific to those federations that provide a feed into eduGAIN and the assessment is based on that feed. There might be different practices within a federation and for other bilateral agreements.

eduGAIN has two paths forward:

1. update the Metadata Profile and kick out federations that don't comply.
2. work with federations to "improve" their metadata feed - and then adjust the Metadata Profile.

I think that the second path is better - because the eduGAIN SG can make this decision and doesn't need to defer to the eduGAIN Exec - since we won't be excluding federations from eduGAIN. We can always revisit this depending on how long it takes for federations to move on this. It is within the power of eduGAIN participants to move faster if you want. Whether the January 1st 2014 deadline can be reached is known. I'd say that is too aggressive to achieve - but we'll see how the coming weeks unfold ;-)

Currently we have a SHA-256 feed for you to consume: http://mds.edugain.org/feed-sha256.xml . Once everyone confirms that they can use this feed, it could be switched to being the default feed.

The current Metadata Profile http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc only details the 2k key requirement and doesn't make any signing requirement nor any requirement on keys within that feed. So an update on a range of topics is needed.

I'd appreciate your thoughts and commentary.

-Brook
--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org
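The two properties the message asks federations to report on their feed (SHA-1 versus SHA-256 signing, and signing keys shorter than 2048 bits) can be checked mechanically. The following is an added example, not code from the thread, eduGAIN or the eduGAIN.org validator: it reads a SAML metadata document, reports the XML Signature algorithms and the RSA modulus size, and flags the SHA-1 and sub-2K cases. It assumes the key is carried as ds:RSAKeyValue; feeds that embed only a ds:X509Certificate would need an X.509 parser for the key-size step. The sample feed is constructed for illustration and is not verified cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# The SHA-1 based XML Signature algorithms the thread wants retired.
SHA1_SIGNATURE = DS + "rsa-sha1"
SHA1_DIGEST = DS + "sha1"
MIN_RSA_BITS = 2048


def inspect_metadata_signature(xml_text):
    """Report algorithms and key size of the first ds:Signature in a feed.
    Only identifiers are inspected; the signature is NOT verified."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return {"signed": False, "signature_method": None, "key_bits": None,
                "issues": ["no ds:Signature element found"]}
    issues = []
    sm = sig.find(f".//{{{DS}}}SignatureMethod")
    sig_method = sm.get("Algorithm") if sm is not None else None
    if sig_method == SHA1_SIGNATURE:
        issues.append("SignatureMethod is rsa-sha1")
    if any(dm.get("Algorithm") == SHA1_DIGEST
           for dm in sig.findall(f".//{{{DS}}}DigestMethod")):
        issues.append("a Reference DigestMethod is sha1")
    # Key size: only ds:RSAKeyValue/ds:Modulus is handled here (assumption);
    # feeds that embed ds:X509Certificate need an X.509 parser for this step.
    key_bits = None
    mod = sig.find(f".//{{{DS}}}RSAKeyValue/{{{DS}}}Modulus")
    if mod is not None and mod.text:
        raw = base64.b64decode("".join(mod.text.split()))
        key_bits = int.from_bytes(raw, "big").bit_length()
        if key_bits < MIN_RSA_BITS:
            issues.append(f"RSA modulus is {key_bits} bits (< {MIN_RSA_BITS})")
    return {"signed": True, "signature_method": sig_method,
            "key_bits": key_bits, "issues": issues}


# Constructed sample feed: SHA-1 signature and digest, 1024-bit modulus.
_WEAK_MODULUS = base64.b64encode(b"\xc3" + b"\x5a" * 127).decode()
SAMPLE_FEED = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="{DS}" Name="example-feed">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <ds:Reference URI=""><ds:DigestMethod Algorithm="{DS}sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
    <ds:Modulus>{_WEAK_MODULUS}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>
</md:EntitiesDescriptor>"""
```

Running `inspect_metadata_signature(SAMPLE_FEED)` yields three findings for the constructed feed; a feed signed with rsa-sha256, a sha256 digest and a 2048-bit key yields none.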
