An open discussion list for topics related to the eduGAIN interfederation service.

[Guy Halse <guy AT tenet.ac.za>]

    Hi

On 2020/03/10 19:29, Alex Stuart wrote:

# Number of inline logos, registrationAuthority
 241 https://federation.renater.fr/
 153 http://rr.aai.switch.ch/
  94 https://www.wayf.dk
  88 http://aai.grnet.gr/
  20 https://safire.ac.za
    
    
    We're relatively high in that list, so I thought it worth sharing
    the bit from our aggregation practice statement that
      explains what we're doing:
>       To ensure the availability of
>         logos within the Federation hub’s user interface (and in
>         particular, on the user consent page) and on discovery pages,
>         the aggregator caches logos specified by SAML-Metadata-MDUI-V1.0
>         metadata extensions. The local logo cache is used to replace
>         logo URLs in metadata with their equivalent using the RFC 2397
>         data: URI scheme.
>       Only logos whose file size is
>         smaller than 50KiB and whose dimensions are declared as being
>         larger than 48 and smaller than 305 pixels are cached.
>     
    In practice we now also verify the dimensions explicitly and fix up
    the height and width on the mdui:Logo elements where they disagree.
    
    The original reason for this is really what Nick Roy said here:

On 2020/03/10 19:50, Nicholas Roy wrote:

      +1 - the only reason to allow them IMO is for discovery services
      that are incapable of prefetching them. 
    
    but also because things don't degrade gracefully when the original
    entities' hosted logo is unavailable. This is a bigger problem in
    developing countries where connectivity can be more unreliable, and
    where change control procedures are more lax.
    
    Nevertheless, we primarily do this for our own internal operations.
    If consensus is we should not publish them into eduGAIN, we can
    readily consider removing the caching from the eduGAIN feed.
    
    I have considered an alternative, which I may implement in future --
    rather than converting them to data: URLS, we could cache them and
    make them available via https:// from our own CDN (thus replacing
    the original URL with a new https:// one).
    
    - Guy

--
Guy Halse
Executive Officer: Trust & Identity Tertiary Education & Research Network of South Africa NPC Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature