
Re: [edugain-policy-comments] [edugain] eduGAIN policy available for commenting


  • From: Andreas Åkre Solberg <andreas.solberg AT uninett.no>
  • To: edugain-policy-comments AT geant.net
  • Cc: edugain-policy AT geant.net, Anders Lund <anders.lund AT uninett.no>, edugain AT geant.net, Lars Kviteng <lars.kviteng AT uninett.no>
  • Subject: Re: [edugain-policy-comments] [edugain] eduGAIN policy available for commenting
  • Date: Thu, 8 Jul 2010 16:11:52 +0200
  • List-archive: <http://mail.geant.net/edugain-policy-comments>
  • List-id: edugain policy comments <edugain-policy-comments.geant.net>

Comments from me personally. Not necessarily representing UNINETT as an eduGAIN member.


In general

No references to saml2int, or any other saml profile.

Nothing that says that eduGAIN has to do with WebSSO. Nothing that says that providers should use SAML 2.0 over ID-FF 1.2, is it?

Who is responsible for the content of an Entity Descriptor in the metadata: the provider or the federation? For example, if required contact persons are lacking, who is to blame?

- eduGAIN declaration (joining federations sign)

It will provide such documentation and agreements as may be necessary to demonstrate compliance with eduGAIN's basic level of trust and, where appropriate, such documentation and agreements as may be required to support enhanced levels of trust.

What is basic level of trust?

- eduGAIN constitution

Does "daily technical issues in eduGAIN," involve running, developing, and fixing bugs in the MDS service?

From what I can tell, eduGAIN is open for both lower education and e-gov and commercial providers both in and outside Europe? Is that correct?

Metadata profile

Includes MUST-include new stuff that AFAIK no one is yet using, such as MDattribs. Will that delay federations joining eduGAIN?

cacheDuration of minimum 1 hour is way too short. If it is common to pull metadata once an hour, I would say a 4-hour validity is the minimum, to allow a 4-hop metadata relay without expiration.

'DisplayName' element is mentioned. That is not part of SAML2Meta, where is this defined?

Profile allows the use of non-oid attribute names 'otherwise other URN formats may be used.'  Why not require oid only?

Profile says MAY use RequestedAttribute. I would say MUST or SHOULD. There are no alternative ways of handling ARP, or are there?


Metadata terms of use

“Identification Tag” means an XML tag in the metadata that identifies the Registration Practice Statement under which the Metadata is published;

Which tag?

Your use of the Metadata is entirely at your own risk. Nothing in these Terms creates any liability on the part of the Registrants, the Registrars, and the Signer. Without limitation, neither the Registrar nor the Signer is under any obligation to inform you in the event of any changes to the Metadata or, in particular, if a Registrant ceases to be subject to the Registration Practice Statement.

This is basically stating that we (eduGAIN) will not guarantee anything? Use at your own risk.

in accordance with the laws of England and Wales.

The courts of England and Wales will have exclusive jurisdiction over any such dispute or claim although we retain the right to bring proceedings against you for breach of these conditions in your country of residence or any other relevant country.

Would it be reasonable that the courts of England and Wales have exclusive jurisdiction over any dispute between, for example, Spain and the Netherlands?

eduGAIN attribute profile

Should be specified how an SP signals in metadata that it needs a persistent identifier.

No reference to MACE-dir profiles.

data protection profile

Before releasing the end user's Attributes to the Service Provider for the first time, the Identity Provider must provide the Service Provider's clickable privacy policy URL to the end user.

Who is responsible for making sure that the identity provider does this right? The federation or the IdP themselves?

How many federations do we think will support the data protection profile?

Andreas
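A metadata checker implementing the stricter rules suggested in the Metadata profile comments above (4-hour cacheDuration minimum, OID-only attribute names, contact persons present, SP declares RequestedAttribute). This is an added example, not code from the original message or from eduGAIN; the sample EntityDescriptor, its entityID and the 4-hour threshold are constructed assumptions.

```python
# Validator for a SAML 2.0 EntityDescriptor implementing the stricter checks
# argued for above. Example code, not part of the original message.
import re
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
MIN_CACHE_SECONDS = 4 * 3600  # the 4-hour minimum proposed above (assumption)
# Constructed sample SP metadata; entityID and attribute names are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s"
    entityID="https://sp.example.org/saml" cacheDuration="PT1H">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % MD
# xs:duration without year/month parts (those have no fixed length in seconds).
DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def duration_seconds(value):
    """Convert a cacheDuration value such as 'PT1H' or 'P1D' into seconds."""
    m = DURATION_RE.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError("unsupported xs:duration: %r" % value)
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s

def check_entity(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    cache = root.get("cacheDuration")
    if cache is None:
        findings.append("no cacheDuration")
    elif duration_seconds(cache) < MIN_CACHE_SECONDS:
        findings.append("cacheDuration %s below 4h minimum" % cache)
    if root.find("md:ContactPerson", NS) is None:
        findings.append("no ContactPerson")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        reqs = sp.findall(".//md:RequestedAttribute", NS)
        if not reqs:
            findings.append("SP declares no RequestedAttribute")
        for ra in reqs:
            if not ra.get("Name", "").startswith("urn:oid:"):
                findings.append("non-OID attribute name %s" % ra.get("Name"))
    return findings
```

Running `check_entity(SAMPLE_METADATA)` on the constructed sample reports the short cacheDuration, the missing ContactPerson and the non-OID attribute name.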


