Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

Future of Federation

(Thomas Barton)

Convener notes: https://imgur.com/0LwXEES https://imgur.com/n8Xaia8

Convener suggested three categories to get people started: L: lessons learned; H: things that should happen; F: future scenarios.

Assessment and peer review, which all communities are used to.

Thomas: Against using audit? With peer review, the research community has what is absent in commerce: the academy, thousands of organizations that help support, an asset that can be leveraged to build trust and infrastructure. In that environment, is external audit appropriate?

D: A combination of all is the alternative to audit; when you add audit for common trust, we know the outcome of that exercise.

Przemek: This trust isn’t going to be somehow interoperable with the real world, is it? Living in the silo of your profile, can I transfer my trust to you, to the platform, and back? Because it affects privacy.

Raoul: It’s definitely open, a two-word society.

What peer review is suffering from is independence: how do you get ground funding? This is why you have to add independent review. Peer review gets you trust inside the bubble; independent review gets you trust outside the bubble. If you work on this, using the word audit carries other problems: it implies liability. What you have in audit, and what you don’t have in peer review, is the independence between the auditor and the auditee.

The bubble is where you have an existing relationship, in the R&D community, in the European space community. What needs to exist for it to work? That adds to trust, but it makes it harder for somebody outside of the context.

T: I started in the bubble, and I refer to that in terms of the academy; that asset only extends within that bubble. Do you think it’s going to be important in the future for these federation systems to cross bubbles and hence require more independent review?

We do that sometimes; we do it in the EU for citizen-interfacing things, for IDASS.

L: There are going to be certain bubbles that expand to a certain point where they interact. The eduGAIN bubble is something that means something now; there is a founder demand: why aren’t you talking to that, why are there two of these things?

My question is: it goes into greater complexity, and as the evolution of the systems goes, what else do we need to have to address that well over time as we encounter bubbles?

We need to go to David’s session of mapping.

Raoul: Federation is about bubbles. What we have is friction between bubbles, what it needs to be for authentication, and the fact that some people aren’t in a bubble, so they can’t work out how to authenticate in a certain federation, or they are in multiple bubbles, and that is confusing the hell out of everybody.

Albert: InCommon or federation, my question is: this may be more a US thing than an EU one. In my perspective the federation has largely focused on establishing a footprint on the IDP side, more effort towards establishing IDPs; how do you feel about the bubble of the SPs that fend for themselves?

Laura: my university trusts your university, and it confuses me; I don’t know what that trust is, that the technical infrastructure is worthy of accessing my infrastructure. When we have more last-resort IDPs, it can make other established trusts irrelevant.

Raoul: they said, we have all of our identities on the Microsoft platform, we are working just fine, why do you even need…?

L: Internally, they don’t, but that’s the right question to ask: what unique property? The answer is bad news for IDPs of last resort; they are about authentication, and as a value that’s gone in the next couple of years because of …. There is still value to be provided by an IDP: you provide some trust in the identifiers that you bring to an SP, an SSO, but that is no longer going to be a selling point in the not too distant future because of WebWolf.

Laura: from an SP perspective, the sign-in works and there are no attributes, tons of loops, and if the answer is attribute exchange, we need to start talking about that.

L: I think the only thing that current federations are mostly made up of, that’s the only value; the emails and identifiers are uninteresting, the only thing you have is what you have and not. The future of federation is more about identity linking than about anything else.

Scott: What federations also bring is the scalability across many IDPs; we need to scale efficiently across many IDPs. The problem is that even though, at the federation operator level, attribute release is a good idea, it doesn’t make it down into practice.

Albert: The way I look at this is, I have a hard time being convinced that I should focus on that when there are student services; and we are talking about bubbles, that’s this weird intersecting bubble, what we are not getting as an IDP operator.

Leif: We wanted to try to create an incentive for universities to participate in order to get access. The only way you can solve this problem is to create the right political incentive. In the US the pressure or the resistance is not on the IT side; the resistance is on the data storage, the employee HR, who have to deal with data management issues; that’s when you run into blocks.

Scott: The scalability is huge, though; I don’t know any projects that don’t have IDPs in more than one country.

D: Frankly, that’s not a mission of the organization, to enable resources; why is the university on this planet? It’s the same problem that the Dutch have.

L: I don’t think the argument has been tried, university, your DPSs, if you can make the research relying parties sound like one thing.

R: we tried quite hard to get IDPs to; the only ones who said yes are the research institutes and NGR, and that’s it.

D: That’s also because, as a federation operator, you take your guidance from the IDP: if you join the federation, you shall release these attributes.

R: but we are owned by them.

Thomas: They are saying that there is an increasing with from their CIOs, so that was just really surprising and encouraging.

David K.: we can lobby them: if you want the grant money, you have to do this.

Pieter: Lessons learned: what doesn’t work is to tell IDPs that they should release their attributes; there are roadblocks and they just won’t do it. But we can build tools that make it easy for them; the problem lies elsewhere, it’s not a technical problem.

Albert: why wouldn’t we tackle that? By that I mean, why wouldn’t we work on creating guidance for universities?

P: It’s part of telling them what they should do.

L: The problem is that there is no feedback loop from the researchers to get the access. If we could create a loop from Scott’s experience, that’s how you do it. Right now, Scott does this with me: he has a researcher in Sweden and we loop them back. You want to redirect that energy at the moment.

Thomas: it seems like we can move the need to change the IDP practice to the federation telling them what to do, but with the members holding themselves accountable. We will see how far they want to take it.

Albert: to circle back to Laura’s point: RNS is confusing as heck unless you’re a part of this room; that means nothing. It doesn’t resonate; if you have to spend 20 minutes explaining what RNS is, you’ve lost them.

Laura: we spoke about attributes that resonate, but there are research communities that are in the process of creating their own set of attributes. Extensible attribute framework…

Pieter: authentication from each other; that would mean that the institution is out of the loop, they can’t block authentication, and if you reduce their role by giving the attribute to that person, so that the user can prove she is a part of a university, that would put the user in control.

A: That’s interesting. From an IDP operator’s side, what we look for is information which belongs to the person, and the university is the steward of that information. The individual cannot self-assert.

P: The university can give the assertion to the user. I got the paper slip that says I am a student of the university. It’s exactly the same thing; you only make it digital.

L: You don’t just simply make stuff digital.

Laura: what is missing is the identity: if a person has a degree, they may no longer have that identity.

A: I am hearing three parallel threads: there are varying attributes, RA21 keeps coming into my head, information that closely emulates RNS. In my head, they care about certain things that the RNS may not care about. The common thread is about the attributes.

L: We were never able to make it so. Regarding WebWolf, it doesn’t matter what we do, and that timer is expiring in two years, and at that point you can do what you want with those attributes; if they are not getting to you by that time, there is no reason for anybody to link.

Thomas: There is something that has to happen.

P: You’re talking about authentication for researchers; related to education and the business processes of education, we see no problem there. There is a clear feedback loop in the organization: in the financial department, if the authentication doesn’t work, that is fired immediately. It’s a driving force to enable outsourcing of lots of these applications. It continues to work.

Chris: I want to come back to the idea that we have talked about, the research aspect: the librarian doesn’t want to release the attributes to the publishers. They don’t want the publishers to know who is doing the research. I know that there is a lot of stigma associated with it.