
edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Tool to monitor which IdP consumes your SP's metadata


Chronological Thread 
  • From: Nicole Harris <harris AT terena.org>
  • To: Leif Johansson <leifj AT sunet.se>
  • Cc: "edugain-discuss AT geant.net" <edugain-discuss AT geant.net>
  • Subject: Re: [eduGAIN-discuss] Tool to monitor which IdP consumes your SP's metadata
  • Date: Sun, 29 Jun 2014 12:02:55 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

OK then so why do we bother with all this opt-in, opt-out, policies,
processes, metadata for edugain then? If it doesn't matter who is
taking metadata and what they are using it for then why don't we just
have edugain consume all the federation metadata it can get its hands
on from anywhere and leave it at that?

We seem to be putting a hell of a lot of effort into creating rules
which basically say how metadata can be used on one hand, and then
saying it doesn't matter on another. This makes no sense to me.

I appreciate the metadata feeds are public and I think this is
entirely correct. I still think it is appropriate to point out when
feeds are being used outside agreements and make sure people are
comfortable with that.

Sent from my iPhone

> On 29 jun. 2014, at 11:41, Leif Johansson <leifj AT sunet.se> wrote:
>
>> On 2014-06-29 11:45, Nicole Harris wrote:
>> Sent from my iPhone
>>
>>>> On 29 jun. 2014, at 10:04, Leif Johansson <leifj AT sunet.se> wrote:
>>>>
>>>>> On 2014-06-28 19:40, Nicole Harris wrote:
>>>>>> On 28/06/2014 17:09, Peter Schober wrote:
>>>>>> * Nicole Harris <harris AT terena.org> [2014-06-28 16:13]:
>>>>>> Well my first and primary question would be under what terms Jozef is
>>>>>> using the metadata? I cannot find his service URL registered with any
>>>>>> federation or with eduGAIN.
>>>>> From the RequestInitiator used
>>>>> ("https://lindat.mff.cuni.cz/Shibboleth.sso/Login")
>>>>> I think it is this entityID:
>>>>> https://ufal-point.mff.cuni.cz/shibboleth/eduid/sp
>>>>> registered (and exported to eduGAIN) by http://www.eduid.cz/
>>>> Yeah, sorry - thought I had deleted that paragraph before I sent as I
>>>> found it eventually. Trouble with looking at work emails whilst taking
>>>> the child to the cinema. Although to be fair it is practically the only
>>>> thing you can do during the children's films at the cinema.
>>>>
>>>> Still think it is taking liberties with some of the metadata though.
>>>
>>>
>>> The SWAMID terms of use are pretty clear:
>>>
>>> You may only use the Metadata as follows:
>>> - Installation onto your own IT systems for the purpose of establishing
>>> trusted communications between your systems and those of the Registrant
>>> by means of standard middleware protocols.
>>>
>>> - Any and all rights including intellectual property rights to the
>>> Metadata shall remain owned by the Registrar, the Registrants or the
>>> Signer.
>>>
>>> I don't see Jozef violating any of this however clueless his tests may
>>> otherwise be.
>>
>> I do.
>>
>> He is using metadata that is not being provided via edugain as part of
>> the tool. It is also not being used to "establish trusted
>
> So what?
>
>> communications", i.e. as part of the login process but is being made
>> part of the service. So for example metadata from UK colleges is
>> included, not in the login, but being tested. None of these are in
>> edugain metadata.
>
> If we (as in SWAMID) wanted that narrow interpretation we'd have written
> "exclusively" or "directly establish" or something like that.
>
> His intent is to discover "gaps in the routing table". As long as he
> isn't trying to datamine PII, arguably that is supporting authentication.
>
>>
>> We have the same problem with MET which is why I was careful to ask
>> all federations to send me their feed data and when it moves to full
>> service I will ask federations to register their data themselves.
>
> OK fair enough but you're also playing into a failed notion that public
> keys are not public.
>