edugain-discuss - [eduGAIN-discuss] edugain wiki federation checks

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT geant.net
  • Subject: [eduGAIN-discuss] edugain wiki federation checks
  • Date: Wed, 2 Jul 2014 11:23:50 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT univie.ac.at
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Organization: ACOnet

I'm a bit unhappy with some of the (obviously well-intended) things
happening in the eduGAIN wiki, at
https://wiki.edugain.org/isFederatedCheck/
which I discovered just now.

For one the code seems to be using Organization(DisplayName) even for
entities having mdui:DisplayName populated (I know because /all/
eduID.at entities have mdui:DisplayName populated), which causes
confusion between different entities (serving different purposes)
run/owned by the same organization. (E.g. search for "@aco.net" and
you will get the "OpenIDP (guests)" run by ACOnet as well as the
"ACOnet staff" IDPs, both being called "ACOnet").

I also don't know why the eduGAIN wiki consumes non-eduGAIN metadata
from individual federations /at all/ and why Yet Another MET-style
tool really was necessary, compared to improving one of the existing
ones, if necessary. As an aside, the non-eduGAIN metadata URLs used
(at least in our case) are not up to date, not even matching what we
documented in the Federation Survey (REFEDS wiki).

Finally and most importantly I do NOT want the tool to provide
individual *unsigned* entity descriptors from the eduID.at
metadata. Example:
https://wiki.edugain.org/isFederatedCheck/?path=/aconet/entities/https%3A%2F%2Fopenidp.aco.net%2Fsaml

There is no reason to encourage fully insecure and untrusted
static/one-time copy&paste attempts at "federating" entities by giving
easy access to single unsigned entity descriptors. That undermines any
attempts to explain and maintain the security model of our current
federations. Unsigned plain text files should NOT be used (or provided,
thereby encouraging such use) to bootstrap technical trust into
cryptographic keys and protocol endpoints.

I would strongly suggest dropping that feature.

Along those same lines I would also prefer for the tool to NOT offer
URLs to individual federations' metadata, without any mention or
reference to a signing key, esp. with the link named "Download".
No one should download eduID.at (or any other, for that matter) based
on a URL from the eduGAIN wiki, for whatever reason.

Entities who need to use our aggregate will find all that (and much
more) in our documentation.
Other fedops wanting to look at our aggregate can find and use the
information provided by us to the REFEDS Federation Survey.

Otherwise please remove all ACOnet/eduID.at entities from that
service.
-peter

Attachment: signature.asc
Description: Digital signature
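The two technical points in the message above (name entities by mdui:DisplayName before falling back to OrganizationDisplayName, and never bootstrap trust from an entity descriptor that carries no signature) as a small working check. This is an added example written for this archive page; it is not code from the eduGAIN wiki tool, from ACOnet, or from the poster. The metadata aggregate is constructed for the example (fictional entityIDs under example.org) and its ds:Signature element is a structural placeholder only: the code checks that the document root is signed, and a real consumer must additionally verify that signature against the federation's pinned key with an XML-DSig library such as xmlsec, which the standard library cannot do.

```python
# Added example, not part of the eduGAIN wiki tool or any federation's code.
# Stdlib only; sample metadata and signature are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: two IdPs run by the same organisation. The guest IdP
# has mdui:DisplayName, the staff IdP does not; both share one Organization.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://guests.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example Org guest IdP</mdui:DisplayName>
          <mdui:DisplayName xml:lang="de">Beispiel-Org Gaeste-IdP</mdui:DisplayName>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://staff.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def display_name(entity, lang="en"):
    """Name an entity: mdui:DisplayName first (requested language, else any),
    OrganizationDisplayName only as a fallback, entityID as a last resort.
    Returns (name, source) so a caller can see which element was used."""
    names = entity.findall(".//mdui:UIInfo/mdui:DisplayName", NS)
    if names:
        by_lang = {n.get(XML_LANG): (n.text or "").strip() for n in names}
        return by_lang.get(lang, next(iter(by_lang.values()))), "mdui"
    org = entity.find("md:Organization/md:OrganizationDisplayName", NS)
    if org is not None and org.text:
        return org.text.strip(), "organization"
    return entity.get("entityID"), "entityID"


def has_enveloped_signature(xml_text):
    """True if the document root carries its own ds:Signature child. A federation
    aggregate's root EntitiesDescriptor does; an EntityDescriptor copied out of
    it does not, because the enveloped signature covers the aggregate as a whole."""
    return ET.fromstring(xml_text).find("ds:Signature", NS) is not None


def extract_entity(aggregate_xml, entity_id):
    """Serialise one EntityDescriptor on its own, as a per-entity download would.
    The result is unsigned plain text, whatever the aggregate it came from."""
    root = ET.fromstring(aggregate_xml)
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.get("entityID") == entity_id:
            return ET.tostring(ent, encoding="unicode")
    raise KeyError(entity_id)


def trusted_entities(aggregate_xml, lang="en"):
    """Trust gate: refuse any metadata document whose root is not signed, then
    name the entities it contains. Structural check only: verifying the
    signature value against a pinned key needs an XML-DSig library (xmlsec)."""
    if not has_enveloped_signature(aggregate_xml):
        raise ValueError("metadata root is unsigned: refusing to bootstrap trust from it")
    root = ET.fromstring(aggregate_xml)
    return {e.get("entityID"): display_name(e, lang)
            for e in root.findall("md:EntityDescriptor", NS)}


if __name__ == "__main__":
    for eid, (name, src) in trusted_entities(SAMPLE_AGGREGATE).items():
        print(f"{eid}: {name!r} (from {src})")
    single = extract_entity(SAMPLE_AGGREGATE, "https://guests.example.org/idp")
    try:
        trusted_entities(single)
    except ValueError as err:
        print("single descriptor:", err)
```

Run as a script it names the guest IdP from mdui and the staff IdP from the Organization element, so the two are no longer both "Example Org"; the extracted single descriptor is then rejected because nothing signs it. In a real consumer the `has_enveloped_signature` step is replaced by full signature verification against the federation's published key, and the entity descriptors are only ever taken from that verified aggregate.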
