Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Baseline Expectations & How to measure baseline for federations

(Tom Barton, Niels van Dijk)

InCommon’s program is effective at increasing the value of federation. What’s next in the US and internationally?

INCUBATOR PROJECT

There is an incubator project; six months of engineering effort have been done. The status for eduGAIN is not very good: you need to do many things manually. ECCS, the eduGAIN status check tool, essentially pulls all the data it can examine. We want to capture these data. For the baseline, if you don't know the status, then it makes no sense.

Q: How far back in time do you need to go? A: Well, for now we will just start from now, but in the future it would be good if we can get the historical data. At the moment we only have current data.

BASELINE (EXPECTATION PROGRAM)

This is an idea generated about four years ago. There was a lot of effort trying to beg federation members: please update the metadata, please update contact information, please do Sirtfi, please do R&S. There was a big debate about what more the federation could do, whether it should take more responsibility and obligate people to do more.

So what would be the expectation?

There are 4 or 5 statements each for identity provider operators, service provider operators, and federation operators.

For identity providers: they have to be operated with institutional authority. You could well use it for your own internal authentication purposes like e-thoro, etc.

General security practices are applied to the operational identity provider, and there is something about publishing. For service providers there is also good security and contact information, but also some things about only using personal information for the purpose for which it was shared. For the federation operator it is about promoting this kind of thing and using good security practices in its own infrastructure.

Those are the expectations. We should move this into the contracts for each member: from expectations to requirements. We need processes to help everyone get there, and to resolve questions like how or when one should get there.

We want to raise the bar a bit. Federations have to get into this particularly defined process to get all the communities to agree to hold themselves accountable to this standard. The whole idea is that there is a contract the community holds itself accountable to, taking it as far as they can go.

There is also a discrete resolution process with multiple steps. As things come up, for a variety of reasons, there is a way for all community members to raise a question and know there is a defined process that will produce results. There will be an investigation with its stages, and finally Chicago will be compelled to deal with it; ultimately you kick out that entity. That is the general program. ...where the focus was just on the metadata, getting contact information, but there were 5 or 6 thousand entities and around a thousand organizations. That was a big job and a big customer support job. It does not look at all like a compliance activity; it is all about reaching out to good contacts and helping them to do stuff. Because nobody had tried to reach out before, lots of the contact information had gone missing for those entities, not just in the metadata but also for the main customer contacts. We spent a lot of money going through contacts and refreshing all of the members to be able to continue the campaign.

Then we developed software for measuring which entities are missing a technical, administrative or security contact, and which MDUI elements were missing or wrong.

At the beginning of this process, we found that around 15% of these 6000 entities with published metadata met what was required about contact info.

Then in 12 months it went to 100%.
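An added example of the kind of measurement described above (not InCommon's, eduGAIN's or the session's own tooling): it walks a constructed SAML metadata aggregate, flags entities lacking a technical, administrative or REFEDS-style security contact or an MDUI DisplayName, and reports the share of entities that are complete. The entityIDs and addresses are made up.

```python
"""Audit a SAML metadata aggregate for the baseline items discussed above:
technical/administrative/security contacts and an MDUI DisplayName."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "remd": "http://refeds.org/metadata",   # REFEDS security contact extension
}
SECURITY_TYPE = "http://refeds.org/metadata/contactType/security"
REMD_ATTR = "{%s}contactType" % NS["remd"]

# Constructed sample aggregate: one complete entity, one with gaps.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:remd="http://refeds.org/metadata">
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName></mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:tech@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="administrative"><md:EmailAddress>mailto:admin@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security"><md:EmailAddress>mailto:security@example.org</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.net/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:tech@example.net</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def missing_items(entity):
    """Return the baseline items one EntityDescriptor lacks."""
    present = set()
    for c in entity.findall("md:ContactPerson", NS):
        kind = c.get("contactType")
        if kind == "other" and c.get(REMD_ATTR) == SECURITY_TYPE:
            kind = "security"                      # REFEDS security contact
        if c.find("md:EmailAddress", NS) is not None:  # a contact without an address is useless
            present.add(kind)
    missing = ["contact:" + k for k in ("technical", "administrative", "security") if k not in present]
    if entity.find(".//mdui:UIInfo/mdui:DisplayName", NS) is None:
        missing.append("mdui:DisplayName")
    return missing

def audit(xml_text):
    """Map every entityID in the aggregate to its list of missing items."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): missing_items(e)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}

def percent_complete(report):
    """Share of entities with nothing missing (the 15% -> 100% figure above)."""
    return 100.0 * sum(1 for m in report.values() if not m) / len(report)
```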

Q: Should institution A know what is wrong in institution B? A: It was not name-and-shame. We want to be helpful and positive.

Q: Transition from expectation to ...? When you are starting the process you have this big US statement for federation executives. Did you gather that information and then try to level the landscape for each of them, bring them up to some standard, and at some point say, OK, this is not our expectation? Was that the process? A: Operationally it would be rather easy to. The hard part was not the changes, but getting the program set up, getting fresh contacts for the site administrators and executives, and getting the technology started. All of that was new.

Q: So you addressed it statement by statement? A: Yes, statement by statement, not all of the entities.

The next step would be a community consultation process to agree on that. Then we engage with InCommon operations staff for all the support. It probably means that by the end of this year we would start working with 1000 members.

They want to have support for signaling about MFA: not to require MFA for login, but for an SP to be able to ask "give me MFA" and the IdP to respond whether it has it or not. There is also some other UI stuff. There is also interest in HTTPS/TLS channel encryption being sufficient, the channel security.

All agreed that in time all should go to the baseline, but not at the same time and not in one step, because many cannot do this: they use a cloud service and don't have the skills. We don't want to tell them to stop using that and go back to open source. Instead, we are going to bring them identity provider as a service. Until it is in full operation there are few choices, so some of them will wait for that reason. As the composition is going out, the internal community will be OK. We are going to take about a year or so and deal with channel encryption, channel security, Sirtfi...

Q: So now you have the baseline for correct metadata; what if somebody does not have it? A: It is no longer possible to submit ... It has to stay 100% structurally.

Q: Technical issue... Do we have some kind of issue regarding test entities? A: Test entities too. The baseline should apply to every entity, including test entities, with no exceptions. There is a better place for that: we are creating a test federation.

Q: We have many entities which are registered, but we don't have a way to decide whether an entity is a test entity. A: I am not close to the table for the new test federation. I am also worried; it is hard to address this problem... We have amazingly positive feedback from many research service providers. Not because the information was the most valuable thing (well, it is valuable), but because they see InCommon, the largest federation, trying to do better and improve its value, and they know there is more to come. They will keep doing this periodically. It is safe to rely on the economy delivering reliable quality transactions, which is great. It is great that one federation is doing this, but we want global federation to do this, and we are 50-60-70 different administrations. That is the challenge for an international baseline. eduGAIN might be the point to apply some enforcement.

So exactly, the discussion is: should the rest of the world take the baseline and continue, or change it and make something different?

How can we get this thing moving? What should the responsibilities be? Should eduGAIN do it?

What about the cycle time before they do it?

All the discussion to run all that, and I would need your feedback: is this good, or should we do something better? Is it feasible? Do you know anything about your local federations; are they ready? A: Wolfgang mentioned, coming from DFN, that he wants to push everyone to do the REFEDS Assurance Framework even in DFN. He was interested in using an entity category saying that he, as the federation operator, agrees with the R&S attributes being released from the particular attributes, because it seems like some of them would be ready to be untruthful, let's say. Even having everyone committing is huge progress, because I am not sure how easy that is going to be for the entities inside DFN. I assume it is kind of complicated because not all of them are doing Sirtfi or R&S now. Even KIT IdPs are not doing R&S. That is my big worry. For R&S, how is it going to work? For Sirtfi it may be easier because it does not include any personal data, or it may include it in the incident response procedure itself. GDPR cuts that up. We need to convince them it is not an issue. On a global level, it should not be an issue.

The HadFoot probably requires communicating since it took 3000 man-hours to do and…

It is for a very large federation, but it is a huge effort indeed.

It was a big job to re-establish proper contact with everyone. That was a long process. There are a handful of organizations that took much longer. A lot of individual handholding...

No one left for that reason. We didn't know if we were going to kill the InCommon federation while trying to make it good. We took the risk.

What defines a good transaction? Giving the user proper information about what the problem is would be a huge improvement in UI and user satisfaction. Mostly the answer is "I cannot log you in", and that is it, and they are like: what should I do now?

Some of the working groups are just starting and are asking how they should use the IdPs. They are going to try this idea and see if it works out.

There was a poll recently asking whether MFA or SFA should be their own standalone entity category. The response was: I don't know. On one side we know the problem of pushing entity categories on people, because some federations are not capable of doing it, and that is the problem. On the other side, what would that mean: so I am capable of doing MFA, but am I doing the MFA? It is good practice to have MFA and it is a must-have, and how does that work?

Would it be worth talking to the big federations first, because they would probably be capable of doing it? After they achieve the baseline we agree on, the small federations might join.

The problem is: people change, and new people have no clue about standard operating procedures... These all go in the direction of entropy of federations. We have to go there, or we lose them and entropy wins.

Q: Are we talking about federation as a service? A: This is a federation service.

Reducing the number of main actors would be a solution, so that you can somehow get agreement from the few entities that carry responsibility for many entities. People would be delegated to use these major entities.

Smaller federations with less capability still have relationship management, policy and members. Maybe that would just defeat the argument: we will change it, but how?

I hope there will be more feedback. As a higher percentage of global eduGAIN, we have higher quality.