An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* yamaji AT nii.ac.jp <yamaji AT nii.ac.jp> [2015-01-14 12:01]:
> > That may mean very little, though, as their discovery interfaces may
> > not be equipped to decouple location/country from federation feed or
> > provide for working discovery sidestepping the category.
> 
> This discussion is a little bit difficult for me, therefore, I would
> like to focus on to the efficient keyrollover story.

Difficult why?

> > Does anyone else see the need/opportunity to educate those publishers
> > (or platform providers) on the merits of eduGAIN -- "One federation to
> > keyrollover them all"?
> 
> I need this but has no idea which is better eduGAIN or RE:EP.
> 
> In our case both may work if the publisher regists the metadata fetching 
> endpoint in our federation registration system. In case of eduGAIN, the 
> publisher have to work with at least one federation. However if the 
> publisher choose RE:EP they can do it by themself. Although in both 
> case we have to be careful how long they can insert multiple 
> certificates while keyrollover.

Well, I did not consider REEP for a couple of reasons:

1. Those SPs /are/ already registered with at least one (several, more
   likely) federation, and they /are/ already available in eduGAIN.
   So registration and metadata distribution is a solved problem.
   REEP does not add anything here.
2. Not a topic for the eduGAIN list but REEP isn't a production
   service yet, AFAIK. The metadata signing key from REEP will change
   and for a production service that we feel is suitable to be
   recommended to (or even demanded from) publishers it would need
   quite a bit of documentation and possibly other polishing.
3. I don't think REEP was designed/intended to replace registering and
   re-distributing metadata via eduGAIN, but more for /other/ cases.
   Either way, we as a community should agree on an approach when
   talking to publishers (I'm using "publishers" as 'pars pro toto'
   for "globally widely federated entities"). I wouldn't want to
   educate them about eduGAIN and the next one tries to move them to
   REEP.
4. REEP doesn't solve the problem of the publisher needing SAML
   metadata for all its customers (feed reciprocity). I.e., the SP
   would likely still need to pull metadata from all federations
   individually.

But other than that I completely agree: REEP would solve my problem of
reduntant (and useless) re-registration of entities, at least when
someone republishes that metadata from REEP into eduGAIN (a case we
still haven't discussed in detail, IIRC).
Otherwise I /and everyone else/ would have to pull metadata from REEP,
when we already /have/ a shared pool to pull from -- the MDS.
-peter