edugain-discuss - Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Nosiku Sikanyika <nosiku.sikanyika AT zamren.zm>
  • Cc: Brook Schofield <brook.schofield AT geant.org>, info <info AT fidern.ac.zm>, Stein Mkandawire <mkandaws AT zamren.zm>, edugain-discuss <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership
  • Date: Fri, 14 Sep 2018 19:48:37 +0000
  • Accept-language: en-US

One other item I forgot, below:

On 9/14/18 1:44 PM, Nick Roy wrote:
> Hi Nosiku,
>
> For the first item, I would expect to see documentation about use of
> signing and encryption certificates in IdP and SP metadata, for example
> recommendation of publication of IdP public keys with use="signing", or
> no use= attribute, in the IdPSSO KeyDescriptor. For SPs, I'd make a
> recommendation to publish a KeyDescriptor with no use= (so, both signing
> and encryption) or two separate KeyDescriptors, if you want people to
> use separate signing and encryption keys. Those would have use="signing"
> and use="encryption" in the KeyDescriptors.

Also you should probably require your participants to use certificates
of at least 2048 bits.

Nick

>
> InCommon's documentation on this is at:
> https://spaces.at.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata
>
> You should sign your metadata with a highly protected private key, and
> publish the metadata signing key somewhere where your users can download
> it, with instructions on how to configure their deployments to verify
> the signature on your metadata. InCommon's documentation on metadata
> refresh and signature verification is at:
> https://spaces.at.internet2.edu/display/InCFederation/Metadata+Consumption
>
> For the second item, you should have some way of vetting the domains
> used in entityIDs and shibmd:Scope (the latter applies only to
> IDPSSODescriptors and AttributeAuthorityDescriptors), to ensure that
> they are not misused by an unauthorized party. In the case of entityIDs,
> this could cause collisions in metadata. In the case of shibmd:Scope, it
> could result in an IdP asserting identities that do not belong to it.
>
> InCommon's documentation on domains in metadata is available at:
> https://spaces.at.internet2.edu/display/inctac/Domains+in+IdP+Metadata
>
> Please let me know if you have other questions or would like to discuss
> any of these items (or anything else about federation policy, metadata,
> etc) further.
>
> Best,
>
> Nick
>
> On 9/14/18 3:54 AM, Nosiku Sikanyika wrote:
>> Good morning Nick,
>>
>> Unfortunately I am unclear regarding the two points
>>
>> 1) Mention of SAML certificates
>> 2) Mention of shibmd:Scope and its management/subject to DNS policy
>> alongside other domains in metadata.
>>
>> What is supposed to be mentioned under SAML certificates and where?
>> I am also unclear on the second point as well.
>> Could you provide examples or sample documents I can look at?
>>
>> Kind regards,
>>
>> Nosiku
>>
>> ----- Original Message -----
>> From: "nroy" <nroy AT internet2.edu>
>> To: "Brook Schofield" <brook.schofield AT geant.org>, "edugain-discuss"
>> <edugain-discuss AT lists.geant.org>
>> Cc: "info" <info AT fidern.ac.zm>, "Stein Mkandawire" <mkandaws AT zamren.zm>,
>> "Nosiku Sikanyika" <nosiku.sikanyika AT zamren.zm>
>> Sent: Thursday, July 26, 2018 5:14:51 PM
>> Subject: Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN
>> membership
>>
>> Hi all,
>>
>> A couple quick things I see that are not in the FIDERN policy:
>>
>> 1) Mention of SAML certificates
>> 2) Mention of shibmd:Scope and its management/subject to DNS policy
>> alongside other domains in metadata.
>>
>> Best,
>>
>> Nick
>>
>> On 7/26/18 1:11 AM, Brook Schofield wrote:
>>> All,
>>>
>>> I present to you the application of Zambia / FIDERN who has Signed the
>>> eduGAIN Declaration, has a policy based on the policy template, is
>>> self declaring their federation as a production service and is wanting
>>> to join the global R&E federated environment.
>>>
>>> You can find more detailed information about the federation under
>>> "eduGAIN Candidates" at
>>>     https://technical.edugain.org/status.php
>>> which contains links to their policy and MRPS.
>>>
>>> This application is from an organisation that is closely aligned with
>>> the GÉANT community via their participation in the AfricaConnect
>>> and UbuntuNet projects and communities. They are also the eduroam .zm
>>> roaming operator.
>>>
>>> So I ask the following federations to specifically review the submission
>>> by FIDERN:
>>>  * Estonia/TAAT
>>>  * Finland/Haka
>>>  * France/FÉR
>>>  * Georgia/GIF
>>>  * Germany/DFN-AA
>>>
>>> All eduGAIN members can (and should) provide feedback on this but to
>>> share the burden of review around, these five (5) federations have
>>> a specific responsibility.
>>>
>>> If you have any questions please contact the FIDERN team (Stein +
>>> Nosiku) that are subscribed to this mailing list as well as CC’d to
>>> this message.
>>>
>>> Formal components of the membership process will be via the eduGAIN
>>> Steering Group mailing list.
>>>
>>> Thanks,
>>>
>>> -Brook
>>>
>>> Brook Schofield
>>> eduGAIN Steering Group Chair
>>> GÉANT
>>> M: +31651553991
>>> Skype: brookschofield
>>>
>>
>
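The checks Nick lays out in this thread (IdP KeyDescriptors carrying use="signing" or no use= at all, SPs publishing a KeyDescriptor usable for both signing and encryption, a 2048-bit minimum key size, and vetting the domains that appear in entityIDs and shibmd:Scope so one participant cannot claim another's namespace) can be turned into a metadata lint that a federation operator runs before signing an aggregate. The script below is an added example written for this page; it is not code from InCommon, eduGAIN or FIDERN. It uses only the Python standard library and assumes keys are published as ds:RSAKeyValue (real federation metadata usually carries ds:X509Certificate instead, which would need a certificate parser such as the third-party cryptography package to read the modulus). The metadata, the vetted-domain list and the RSA moduli are constructed for the example and are not real keys or real entities.

```python
"""Lint a SAML 2.0 metadata aggregate against the operator checks discussed above."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
MIN_RSA_BITS = 2048

# Which use= values each role must cover; a KeyDescriptor with no use=
# attribute counts as both signing and encryption (assumed policy, per the thread).
REQUIRED_USES = {
    "md:IDPSSODescriptor": {"signing"},
    "md:AttributeAuthorityDescriptor": {"signing"},
    "md:SPSSODescriptor": {"signing", "encryption"},
}
# Only IdP-side roles carry shibmd:Scope.
SCOPED_ROLES = ("md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor")


def rsa_bits(modulus_b64: str) -> int:
    """Bit length of an RSA modulus taken from ds:RSAKeyValue/ds:Modulus."""
    raw = base64.b64decode("".join(modulus_b64.split()))
    return int.from_bytes(raw, "big").bit_length()


def domain_is_vetted(name: str, vetted: set) -> bool:
    """True if name equals, or is a subdomain of, a domain the federation has vetted."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in vetted)


def lint_metadata(xml_text: str, vetted: set) -> list:
    """Return a list of human-readable findings; an empty list means the aggregate passes."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also yields root itself when the document is a single EntityDescriptor.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ed.get("entityID", "")
        host = urlparse(eid).hostname or ""
        if not host or not domain_is_vetted(host, vetted):
            findings.append(f"{eid}: entityID host not under a vetted domain")
        for tag, required in REQUIRED_USES.items():
            for role in ed.findall(tag, NS):
                uses = set()
                for kd in role.findall("md:KeyDescriptor", NS):
                    use = kd.get("use")
                    uses.update({"signing", "encryption"} if use is None else {use})
                    for mod in kd.findall(".//ds:Modulus", NS):
                        bits = rsa_bits(mod.text or "")
                        if bits < MIN_RSA_BITS:
                            findings.append(f"{eid}: {tag} RSA key is {bits} bits (< {MIN_RSA_BITS})")
                for missing in sorted(required - uses):
                    findings.append(f"{eid}: {tag} has no {missing}-capable KeyDescriptor")
                if tag in SCOPED_ROLES:
                    for scope in role.findall("md:Extensions/shibmd:Scope", NS):
                        value = (scope.text or "").strip()
                        if scope.get("regexp", "false").lower() == "true":
                            findings.append(f"{eid}: regexp shibmd:Scope {value!r} needs manual review")
                        elif not domain_is_vetted(value, vetted):
                            findings.append(f"{eid}: shibmd:Scope {value!r} is not vetted for this IdP")
    return findings


def _modulus(n_bytes: int) -> str:
    """Constructed modulus whose top bit is set, so its length is exactly n_bytes*8 bits (not a real key)."""
    return base64.b64encode(bytes([0xC3]) + bytes(n_bytes - 1)).decode()


# Constructed sample aggregate: one IdP with one vetted and one unvetted scope,
# one SP outside the vetted namespace with a 1024-bit encryption-only key.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" xmlns:shibmd="{NS['shibmd']}">
  <md:EntityDescriptor entityID="https://idp.example.ac.zm/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.zm</shibmd:Scope>
        <shibmd:Scope regexp="false">other-university.example</shibmd:Scope>
      </md:Extensions>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>{_modulus(256)}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.unvetted.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>{_modulus(128)}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

VETTED_DOMAINS = {"example.ac.zm"}  # constructed: the domains this registrar has verified

if __name__ == "__main__":
    for line in lint_metadata(SAMPLE_METADATA, VETTED_DOMAINS):
        print(line)
```

Run as-is it reports four findings: the IdP's second scope is not vetted, and the SP's entityID host lies outside the vetted namespace, its key is 1024 bits, and it lacks a signing-capable KeyDescriptor. The scope and entityID checks are the piece that prevents the collision and identity-assertion problems described in the thread, which is why they are tied to a registrar-maintained vetted list rather than to anything the entity itself declares.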
