Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

Session 29 Trust by SNCTFI

(David Kelsey)

Aspects :

  • Data protection?
  • What ideas do we have to how we assert compliance with this policy?
  • Won´t want metadata. Maybe we need some trust mark (self-assertion, Peer-review, how do we assert/register/publish it

Data protection

  • –Code of Conduct (CoCo)-session from yesterday
  • –May 2018
  • –Scope of the CoCo was about attributes from the SP enabling access.

Proposal :

If it is possible to expand the CoCo so it includes these aspects.

A lot of the entities are not exposed into the federation. Why not include the other AA into the CoCo.

There is a monitoring entity which controls if one entity is in the CoCo.

The initial approach was that do only something if someone complains.

Does it have to be pro-active?

If you are serving services to European citizen, then CoCo applies.

Assumption about SNCTFI : With the CoCo approach there needs to be an extension. There are some processes and outcomes needed to come to an understanding. SNCTFI does something about that.

If you subscribe to CoCo, you can do legally everything it allows.

If you process data from Europe or a citizen who is in Europe in the US you have to subscribe to CoCo. Are there any conflicts to CoCo in Illinois?

Is it worth to have the discussion about CoCo for SNCTFI?

We are not writing something down to exclude some of the federation.

Both parts of CoCo apply to the proxies. If you got Attributes from another Authority you have to process them in another way.

Do we need an agreement for CoCo from ever SP-proxy?

Yes, we have a procedure to follow. The proxy can never sign a CoCo if some requirements aren´t met?

We need more discussion with the CoCo-people. It would be good to have this use-case covered.

How to do (self-) assessment, and where do we advertise the fact that we got this?

We mean Assessment of SNCTFI. How does the proxy or the research infrastructure know, that every proxy runs with SNCTFI?

If you hide the fact that you are a proxy in CoCo you are fine?

One of the things we did was to say that we don´t trust proxies. We don´t do that anymore.

If you are an R&S it is the easiest way to get attributes.

Entity-Category

Do R&S and if there is CoCo too, then that too.

They want to have a service level agreement that the others don´t have.

Part of the solution is to add more categories?

I don´t think that adding another category is a good idea.

Categories confuse the IdPs. I rather see another wrap of R&S that says "if you are a proxy than go over for SNCTFI and then come back"

The entity-tags are not the issue, but they are not flowing?

For now we are not rushing for another category. Some advantages, but we need to discuss it further.

We would go with self-asserted compliance. Do we know start to think about where we also can register?

What research-infrastructure do we suspect?? Many.

Deploy a proxy for 65 people. They all have the R&S-tag. I think you have to consider the much smaller groups. It is spread across 3 different countries. I don´t want it just to be for LIGO.

Interesting question how to peer-review small ones.

Participating in a peer-review process is very time-expensive (including travel-costs).

Maybe there is a larger community who wants to peer-review for them. Maybe an SP would be agreeing to make more peer-reviews.

Reviews are to certify trust-marks.

For Phase 1 we should just do the self-assignment.

SNCFTI-Document will look like a certifying document.

As an organization I would not say we use CoCo if I'd not know if everyone applies it.

Agreeing: Self assumption, pubic webpage.

SP are running by research-infrastructures.

There is much work about protecting attributes and what people do with them. We need to be sure about trust. Why is there so much protection?

Certifying is unrelated to the attributes (part of SNCTFI). R&S = we tag an SP so we do not send to SPs we don´t want to.

David will summarize this session at the summary session.