Trust and Internet Identity Meeting Europe
Feb 2020: Workshops and Unconference

Policies for BPA-based proxies

(Raoul Teeuwen)

(BPA: AARC Blueprint Architecture)

Graph of the AARC BPA based proxy structure

Raoul: In the Netherlands we pilot an AARC BPA based proxy, trying to get experiences from users. Getting the policies in place. We are looking into it right now and we started drawing a picture of all the parties. The federation operator running a proxy and we are offering that to research collaboration that are Dutch or Dutch lead. We are trying to find out what kind of parties we have connected, we have the national EU IDPs, but also, we might have to connect non-EU IDPs from the Netherlands, maybe they need different policy set. Apart from the Netherlands of course we need the EU IDPs and within the EU we have the non-EU as well as well as US and China, and non-Edu and non-EU ones. For LDAP connected SPs you can’t do that. On the tech part you have a diff there and maybe have to cover that in the policy, openID connect, and what kind of non-Dutch SPs can we connect, and we have to have eduGain and saml eduGain SPs for now. We are trying to leverage existing stuff, geont code of conduct, SIRTFI SNCTFI. Who is the controller in this process? COO?

Raoul: I think it was released a couple of years ago.

Uros: As a training it was released a month ago, the kit is half a year old.

Raoul: What I need is any experience in the matter to not reinvent the wheel.

U: It’s exactly for that. From AARC was to create a policy kit that people could use them to connect, for the purpose of providing access to people. If you are trying to provide access to people, started from SNCTFI, addressing the main areas, data protection and users. The kit is SIRTFI, CoCo. From GDPR you need to have a privacy policy and explain to people what you are doing. Do all SIRTFI points, RNS is there is because of SIRTFI, for traceability. The problem is that you shouldn’t do what it says.

David: The dev kit provides templates to fill in the blanks, enter params. The policies themselves are BlueSky resources. A couple of clear realizations behind it. Data protection of data that resolves from your use of infrastructure, not what is inside of it. The other thing, basis for the EUP that whatever is done here is for identifiable purpose. That saved you a lot of work. Typically, there are terms and conditions, 8 or 9 pages, but the thing that you want is to only use it for this purpose. Instead of trying to describe the unacceptable uses.

Uros: A lot of policies, what is acceptable login, incident response, ship management stuff, registration processes, how the research community manages these processes.

Raoul: Would you say that the org is working to this policy?

Dave: we use it for the EOSThub. If we use the old EGI policies. Because we do it according to these standards, people are happy.

Uros: It’s not branded by anyone. Unbiased community where everybody has a representation. Everybody has a saying, and everyone can see it. He tries to provide as much as data policy that is provided. Consider this standard at least. At least use rough framework. EDU team also uses the same thing. We also did the work for the EUP to have a coordinated approach from infrastructures so that when we have this multiproxy scenario where users don’t need to accept from every proxy. Community needs to add only the additional points. AUP has 10 commandments, how do you apply it to a community-first scenario. Which bits are off-limits?

Dave: We believe we are in the multi-controller situation, the community manager is a controller, each service also owns the data. Recently that the code of conduct would be quickly agreed and submitted. Now that it’s taking too long, we will see what we will do.

We could do it by contracts where the contract is between the individual and their IDP. It doesn’t have to involve the service. The n of user’s contracts. Contracts are already in place. The IDP is showering data with service providers. The same way that university will share the details with a hotel in the US to get your room booked.

David: You must be able to do your work.

Dave: I don’t think it’s in the contract.

The personal data is a necessity to perform the contract for you doing resource work for your employer.

Uros: That’s why you want the RNS. There is a UP that is covering that scenario. If you do something wrong, you are reliable. It’s not us it’s how we convince them. Dave; Researchers like to publish their names published, they don’t want it secret.

The French data protection released a table, what is the effect if someone has your email. The risk is for them as well. The Dutch institutions are not worried about the attributes released to authentication. Maybe I will get a bill and I don’t know where to send it.

Jim: What is the relationship between SNTCFI and the policy dev kit? Uros: The kit is the solution to the requirements of SNTCFI

The intention is to make it as SCI compliant. It’s not done. The sustainability model will be handed to WiSa. Most of the infrastructures are in WiSa.