
edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Wed, 20 Nov 2019 20:49:43 +0100

Hi,

I was off-line for a moment. In my previous post I got fooled the same
way as Peter into thinking that this was about the federation signing.

I was also in a bit of a hurry and probably should not have spoken at
all. Anyway, I think that there are a few clarifications required about
the formal position on all of this, so let me address them now.

First of all, Peter's remark:

> Since we didn't vote to having that rule there (AFAIR -- that Best
> Practices document is not part of any formal eduGAIN docs?) I don't
> think a vote to get rid of it (if we wanted that) is warranted.

eduGAIN profile states:

"For entities within Federations, eduGAIN supports a series of Best
Current Practice documents that are supported by the eduGAIN Steering
Committee and published on the eduGAIN website [eduGAIN-BCP]. SAML
Metadata Producers SHOULD support all the Best Current Practice
published by eduGAIN within their Federations."

and

"eduGAIN supports a series of Best Current Practice (BCP) documents. All
such documents are approved by the eduGAIN Steering Group before being
published on the eduGAIN website. SAML Metadata Producers SHOULD support
eduGAIN BCP. Entity adherence to best current practice is monitored by
the eduGAIN Operational Team via the eduGAIN Entities Database
[eduGAIN-ED]. Federation Operators SHOULD monitor the eduGAIN Entities
Database on a regular basis."

Therefore the BCP document is supposed to exist and is supposed to be
approved by the SG. The document we point to is something that we want
to start with and it is just a list of the validator warnings.

Secondly, the expired certificate warning in BCP is indeed about the
aggregator signature. We had a discussion about that on the SG list some
time ago and it was agreed that there are no formal grounds for
demanding non-expired certs while there may be common-sense arguments to
the contrary, therefore this point is clearly marked as to be confirmed
by the SG (along with the whole BCP).

Thirdly, where it comes to validator warnings on expired per-entity
certs, it is an oversight on our side that this warning is not listed in
BCP. The justification for this warning is the recommendation in the
InterOp profile as pointed out by Zenon. I believe that the following
discussion on the list is a perfect justification for us giving an
explicit warning on this as well.

Cheers

Tomasz




On 20.11.2019 at 17:02, Peter Schober wrote:
> * Thijs Kinkhorst <thijs.kinkhorst AT surfnet.nl> [2019-11-20 13:33]:
>> Just to provide some counter viewpoint. In our federation 66% of IdPs use
>> ADFS and this hardly gives rise to problems.
> That's why I wrote "A disclaimer message to be relayed by (Full Mesh)
> federations?", fully aware that Hub&Scope federations are in a
> different position here that allows them to compensate for products
> that do not support multi-lateral federations nor everything we've
> built on top.
> -peter

--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uniwersyteckie Centrum Informatyczne (Information & Communication Technology Centre)
Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University)
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750, mobile: +48-693-032-576


Attachment: smime.p7s
Description: S/MIME cryptographic signature
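The per-entity check the thread discusses (a validator warning for an expired certificate inside a KeyDescriptor), as an added example that is not eduGAIN's validator code. The entity IDs and the DER certificate skeleton are constructed so the example runs offline, and the minimal DER walk assumes a well-formed certificate; a production check would hand the decoded bytes to a real X.509 library instead.

```python
import base64, xml.etree.ElementTree as ET
from datetime import datetime, timezone
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
THREAD_DATE = datetime(2019, 11, 20, tzinfo=timezone.utc)   # "now" fixed to the thread's date

def _tlv(buf, pos):  # one DER tag + length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk a DER X.509 certificate to Validity.notAfter (aware UTC datetime)."""
    _, p, _ = _tlv(der, 0)                             # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                             # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p                      # optional [0] EXPLICIT version
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                             # Validity SEQUENCE
    _, _, p = _tlv(der, p)                             # skip notBefore
    tag, s, e = _tlv(der, p)                           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expired_cert_warnings(metadata_xml, now):  # -> [(entityID, use, notAfter)] for certs past notAfter
    found = []
    for ed in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        for kd in ed.iter(MD + "KeyDescriptor"):
            for cert in kd.iter(DS + "X509Certificate"):
                not_after = cert_not_after(base64.b64decode("".join(cert.text.split())))
                if not_after < now:
                    found.append((ed.get("entityID"), kd.get("use", "any"), not_after))
    return found

# Constructed sample input (not a real certificate or real metadata): a DER skeleton with only the fields the walker visits.
def _der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form length is enough for the skeleton
def skeleton_cert_b64(not_before, not_after):
    utc = lambda s: _der(0x17, s.encode())             # UTCTime YYMMDDhhmmssZ
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, utc(not_before) + utc(not_after)))  # version, serial, sigAlg, issuer, validity
    return base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
IDP = ('<md:EntityDescriptor entityID="%s"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
       '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
       '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
          + IDP % ("https://idp-a.example.org/idp", skeleton_cert_b64("180101000000Z", "190101000000Z"))
          + IDP % ("https://idp-b.example.org/idp", skeleton_cert_b64("190101000000Z", "290101000000Z"))
          + '</md:EntitiesDescriptor>')
```

Running `expired_cert_warnings(SAMPLE, THREAD_DATE)` flags only idp-a, whose signing certificate expired on 2019-01-01, while idp-b's certificate is still valid on the thread's date.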



