Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2018: Facilitating Non-Legal Entity VO Access to Federations

(Benn Oshrin)

Ben: Are there any other approaches to facilitate the process except for the one being currently used, going directly to the university? An umbrella company, for example, that the viewers could join and that would be the legal body that would then sign the agreement.

Peter S: Why do federations ask for these kinds of liability contracts - the need for a VO to be a legal entity - in the first place? Sometimes you need that to push this liability to another entity, like some sort of insurance. Have you looked at all federations and made sure they all require this? Can you not join one?

Matthew: How does making a new legal entity fix anything? There still has to be some legal relationship.

PeterS: It does, because the newly created one holds all the liability in this case.

PeterS: Now the association owns the LSE.

Ben: If we assume there is a legal entity that works for the joining process and it doesn’t disrupt any processes.

Peter S: The adding and the joining model, though, requires more positive than negative voices, and there is yet to be an example where that has happened.

Ben: If all the IdPs and the SPs are in different federations, is that going to be a problem?

Scott: I don’t think that is important really. We still have attribute release problems either way.

Barton: We could also look at the option of an existing federation taking in non VOs. There are places such as the University of Chicago that take risks of such kind. It absolutely needs inside connections to reach that though.

Scott: What I worry about is the amount of effort for that option compared to the effort of making an entity itself VO FED. The other thing to keep in mind is the amount of money needed for the liability insurance. It is usually a very high amount.

Peter S: How many are currently suffering from this issue? Federating identity?

Scott: As soon as you get into the scale of a LIVO??? You will face the problem. So many of them

Peter S: It is, however, a good thing that you cannot make the liability not be there at all.

Burton: Yes, and my point is the costs of the process, how to minimize them.

Ben: Caltech, for example, signed the LIGO agreement for employees who are not even part of Caltech, and it was a mistake for them for sure. They regretted it being able for these people.

Heather: It is also important to note that this varies on the administration of the place at this moment in time.

PeterS: You are exposing only one SP for the federation process, but actually you are interacting with many legal entities behind it?

Ben: If we consider LIGO, let’s say it only has one proxy, one SP. Caltech is the entity that should be responsible for it as a legal entity, so shouldn’t it be enough for the federation that Caltech is in the federation?

Peter: Your liability for any attribute should be strictly limited within your purpose of use for this attribute, the way I see it.

Burton: I would just buy the insurance in this case and not worry too much about it, because the risk of being attacked is smaller than in other ways. It is, however, a trust infrastructure and you would not allow the wrong person to mess with metadata.

Ben: So when LIGO buys something, who funds it?

Scott: Caltech

Ben: Then how is federation any different?

Scott: Caltech doesn’t object to publishing an SP on LIGO’s behalf (it will take a while time-wise), but there are real benefits to being a direct participant federation-wise.

Ben: But you are then asking any library to join the federation on their own. For me that is a workaround to a failed central IT then, without fixing the real problem.

Scott: If we are getting back to LIGO, after deploying the proxy there is the step of accessing the federation, which goes through the university and AAF, which did not allow it then. It might also be a problem of inter-institutional communication. The fundamental problem is that universities in federations of the kind should live to support research, but they in reality don’t.

Burton: Does the university provide all the networking right now?

Scott: Yes, there is a fee also for it, but the issue was the required release of attributes outside of Australia, and I was paused for months for that reason.

Peter S: The problem should be scaled down to one SP, sitting inside each federation.

Burton: Sometimes the reason for this whole process not going smoothly is not bad intentions but lack of knowledge.

Scott: I think the VO federation is a workable model. I used to think it could be a volunteering process, but I don’t anymore.

Burton: After all the math is done in costs, I think it should be multiplied by 2 or 3 just to take into account all unexpected events.

Ben: Effectively one person in the VO has to sign still.

Peter S: You just make one legal entity that signs for one SP. Shouldn’t be more complicated than that.

Scott: There is the SATOSA example close to it. The product is ready, but now a legal entity is needed to cover the legal issues and contracts.

Summary of options proposed:

  1. “VO LLC”, a company set up to join a federation on behalf of non-legal entity VOs
  2. “VO FED”, a federation of VOs that joins eduGAIN
  3. “Benevolent Patron”: Find an existing member that is willing to play the role of the aggregator
    • Could this be an entity like InCommon/Internet2 or GÉANT?

  1. But there are real legal entities involved in all of the VOs (e.g.: LIGO people sit at, say, Caltech), can’t the real entity do stuff on behalf of the VO? e.g.: Have Caltech publish SPs on behalf of the VO
    • But then subject to Caltech (potentially lengthy) processes, and the VO can’t participate directly in federation stuff