
edugain-discuss - Re: [eduGAIN-discuss] Locations for 'local' eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] Locations for 'local' eduGAIN metadata


  • From: Niels van Dijk <niels.vandijk AT surfnet.nl>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] Locations for 'local' eduGAIN metadata
  • Date: Thu, 15 Jan 2015 13:53:21 +0100
  • List-archive: <http://mail.geant.net/pipermail/edugain-discuss/>
  • List-id: "An open discussion list for topics related to the eduGAIN interfederation service." <edugain-discuss.geant.net>

Hi Peter,

On 01/13/2015 05:51 PM, Peter Schober wrote:
> * Niels van Dijk <niels.vandijk AT surfnet.nl> [2015-01-13 16:31]:
>> Oh, and does "(don't use without verification!)" require any
>> explanation of what is expected of potential user?
>
> Lukas added that in response to my reservations finding one of our
> metadata URLs published there with no further info on (secure) use.
>
> I know from long discussions with e.g. CLARIN that some people think
> automatically and regularly pulling plain text files over the internet
> is a sane (safe, secure, proper, etc.) way to bootstrap a PKI.
>
> While I can acknowledge that SPs may want to try to help their
> potential customers getting access to their services, I do think that
> none of our other metadata and security specifics are any of eduGAIN's
> business (not to document and not to re-publish), esp if that leads to
> unsuspecting but clueless people copying metadata URLs from such lists
> and provisioning those into their software, thinking they are using (secure)
> federation technology (as intended), when all they have is a 1st row
> seat in security theater.
> -peter
>

I agree: I think there is a good case for pointing to pages that explain
the member federation and its technical and organisational practices. But
not for pointing directly towards their 'local' metadata. That is a
national thing where eduGAIN has no role.

That said, having a central pointer to all federations' metadata is very
helpful, though I am not sure it should be eduGAIN's to maintain.

In defence of Lucas however I do note a bit of scope creep here:
IsFederated was never intended to do what I asked in the beginning of
this thread.

But it may be that my angle is actually more logical from the eduGAIN
perspective. I assume the whole intent of IsFederated, being an eduGAIN
service, is to let a foreign (SAML) entity check if an SP or IdP is
federated so it can be connected to *via eduGAIN* at all. If so,
presenting the national metadata of the 'other' federation does not add
a lot of value I think (as that is never going to be used by the foreign
entity. It will use its own local metadata, which it already does, or it
would not be a member of the local federation anyhow).

Cheers,
Niels
