edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Nick Roy <nroy AT internet2.edu>
- To: Peter Schober <peter.schober AT univie.ac.at>
- Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
- Date: Thu, 21 Nov 2019 16:26:07 +0000
Peter has said this more eloquently and precisely than I ever could. I agree
fully with what he’s said.
Nick
On 21 Nov 2019, at 5:21, Peter Schober wrote:
> * Guy Halse <guy AT tenet.ac.za> [2019-11-21 09:26]:
>> Thus from my perspective, ADFS is something I have to learn to live
>> with if I want R&E federation to succeed here. Given the choice
>> between living with ADFS's quirks and abandoning the idea of getting
>> R&E federation working, I'll choose the former.
>
> At least in our community they'd rather follow our documentation to
> get a system integrating with the global community, that's
> significantly more powerful while also being lower in maintenance
> (because it's maintenance of the software/system only, not of each and
> every trust relationship), even if that means having to deal with
> software they haven't used before. YMMV.
>
>> What that probably boils down to is that Microsoft are good at
>> marketing; we are not.
>
> Make that "vendor lock-in", not (merely) marketing: From the PC OS
> (which they still own[1]) with its broken clients ever expanding to
> your data center to hosted servers and services.
>
> But that's not even the point. This is: If our offerings
> (multi-lateral federation) are not simpler and more secure and better
> scaling than the alternatives (manual, bilateral trust relationships)
> we have nothing to offer, really.
>
> (Not that I've personally ever met anyone who preferred establishing
> and managing trust relationships manually even if that meant keeping
> their pseudo-familiar GUI software, but again YMMV.)
>
> As is the case so often the problem is that there's no rationality
> within large organisations -- ultimately down to the establishment of
> trust via mutual automatic importing of plain text files ("metadata")
> over the Internet and blindly trusting the content (endpoints,
> cryptographic keys) the same way as you'd be trusting your OS
> vendor-supplied CA trust store. And the admins doing those
> integrations usually have no idea what makes one integration secure
> and another insecure. Broken and/or misleading vendor documentation
> doesn't make this better either.
> I.e., in a general state of confusion, security theatre and bad
> implementations, having actually secure infrastructures with non-broken
> software is outside the norm. And "No one ever got fired for buying
> from [big vendor]." aka doing what the rest is doing.
>
> -peter
>
> [1] https://en.wikipedia.org/wiki/Usage_share_of_operating_systems