An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* Vladimir Mencl <vladimir.mencl AT reannz.co.nz> [2019-03-15 00:21]:
>   * Joining is for NREN ("LEARN") members only

Yeah, that doesn't work for Service Providers.

It also may be a meaningless policy these days when interfederation
via eduGAIN is the norm/default esp. for new federations: ALL of the
entities you get via eduGAIN will NOT be members of our NREN, yet they
are in the same "trust fabric". So what does this reall buy you?
Strong local trust relations with (comparatively) few local IDPs mixed
in with widely-varying-to-low/no trust relationships with thousands of
entities (IDPs and SPs) coming in via eduGAIN?

E.g. the UKfederation has no such restriction. Of course of you remove
that requirement you need some other criterion on who you want in your
federation. But why not simply state that the steering group (whatever
that's called and whoever that is in your case) decides on
eligibility? That keeps the path open to possibly add desirable IDPs
that for some (e.g. political) reason cannot join the NREN. (Unless
you're certain you want and will be able to force those to join the
NREN, too. Otherwise they can just join /your/ federation by going to
the UKfederation, I guess ;) in which case you haven't achieved
anything with that requirement.)

> Technical:
>   * metadata signing certificate is self-signed valid for 10 years - that
> looks good.

You can always rewrap the signing key, but when I last did this I used
all the remaining time in the 32-bit signed UNIX epoch (2038):
Either period is too long for a short-lived credential (which would
shorten the window where something bad could happen) and so will need
to be pulled hard in case anything bad actually happens. 10 or 20
years doesn't really make any difference here, so I used 20.

(Ironic that we started out with 10 years too, assuming we'll *long*
have moved on to other technologies by then, which was not the case
for us.)

>     * there is however a personal email address in the Subject+Issuer DN of
> the certificate (thilina AT learn.ac.lk) - should have been an alias.  But
> that's too late to change now.

Not too late. Just rewrap the same key in a new cert with different
data. The identity data of the cert doesn't affect signatures made
from the key so neither signing nor signature validation should be
affected by a rewrapped key in a different cert.

-peter