
edugain-discuss - Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Ian Young <ian AT iay.org.uk>
  • To: Niels van Dijk <niels.vandijk AT surfnet.nl>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] eduGAIN and non "academic" IdPs
  • Date: Fri, 28 Nov 2014 12:49:18 +0000
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


> On 28 Nov 2014, at 12:04, Niels van Dijk <niels.vandijk AT surfnet.nl> wrote:
>
> I suspect(/hope) the UK federation that publishes protectnetwork has
> some reasoning for allowing them in (I must say I was surprised as
> well)

I'm not sure why it is so surprising, as I know that this IdP is also part of
some other federations (e.g., InCommon).

Although most UKf-registered IdPs are associated with academic institutions,
there are exceptions. The UKf has a mandate to support our schools sector as
well as higher and further education, for example, and I know some people
would exclude those IdPs from their definition of "academia".

Our federation operator also has discretion to allow other members as long as
they are judged to contribute value to our primary constituency.
ProtectNetwork fell into that category at a time when we didn't have the
broad support for SAML IdPs in the UK that we do now, for access to resources
like shared wikis.

> and this does make me wonder what policy the UK federation in
> general has in regard to validating that a person in an IdP is really
> who he claims he is,

That's not something we have standards for at the federation level. We have a
notion of user accountability which is obviously somewhat related, and IdPs
can sign up to that, but we don't have a federation-wide assurance
requirement.

> but that is out of scope for why protectnetwork
> is in edugain at all..

Indeed; we export the ProtectNetwork entity because they are UK federation
members and haven't opted out; it's quite mechanical.

If that's a shocking and unacceptable consequence to some, we either need to
come up with precise rules we can all agree to apply[1], or participating
federations for which it's a problem will have to take local ownership of the
problem by filtering things they dislike.

-- Ian

[1] I am not going to hold my breath for this; it's a very hard problem.
