An open discussion list for topics related to the eduGAIN interfederation service.

[Nick Roy <nroy AT internet2.edu>]

Peter has said this more eloquently and precisely than I ever could. I agree 
fully with what he’s said.

Nick

On 21 Nov 2019, at 5:21, Peter Schober wrote:

> * Guy Halse <guy AT tenet.ac.za> [2019-11-21 09:26]:
>> Thus from my perspective, ADFS is something I have to learn to live
>> with if I want R&E federation to succeed here. Given the choice
>> between living with ADFS's quirks and abandoning the idea of getting
>> R&E federation working, I'll choose the former.
>
> At least in our community they'd rather follow our documentation to
> get a system integrating with the global community, that's
> significantly more powerful while also being lower in maintenance
> (because it's maintenance of the software/system only, not of each and
> every trust relationship), even if that means having to deal with
> software they haven't used before. YMMV.
>
>> What that probably boils down to is that Microsoft are good at
>> marketing; we are not.
>
> Make that "vendor lock-in", not (merely) marketing: From the PC OS
> (which they still own[1]) with its broken clients ever expanding to
> your data center to hosted servers and services.
>
> But that's not even the point. This is: If our offerings
> (multi-lateral federation) are not simpler and more secure and better
> scaling than the alternatives (manual, bilateral trust relationships)
> we have nothing to offer, really.
>
> (Not that I've personally ever met anyone who preferred establishing
> and managing trust relationships manually even if that meant keeping
> their pseudo-familar GUI software, but again YMMV.)
>
> As is the case so often the problem is that there's no rationality
> within large organisations -- ultimately down to the establishment of
> trust via mutual automatic importing plain text files ("metadata")
> over the Internet and blindly trusting the content (endpoints,
> cryptographic keys) the same way as you'd be trusting your OS
> vendor-supplied CA trust store. And the admins doing those
> integrations usually have no idea what makes one integration secure
> and another insecure. Broken and/or misleading vendor documentation
> doesn't make this better either.
> I.e., in a general state of confusion, security theatre and bad
> implementations having actually secure infrastructures with non-broken
> software is outside the norm. And "No one ever got fired for buying
> from [big vendor]." aka doing what the rest is doing.
>
> -peter
>
> [1] https://en.wikipedia.org/wiki/Usage_share_of_operating_systems

Attachment: signature.asc
Description: OpenPGP digital signature