...
Change Proposals and Feedback - We welcome your feedback/suggestions in this table
If you have comments that do not lend themselves well to the tabular format below, please create a new Google doc and link to it in the suggestion column.
Number | Current Text | Feedback / Proposed Text / Query / Suggestion | Proposer | +1 (add your name |
|---|---|---|---|---|
| 1 | IdP expectations | I'd swap expectation 1 and 2 | Thomas Lenggenhager, SWITCH | Scott Cantor, Ohio State Maarten Kremers, SURFnet |
| 2 | IdP expectations | Add something like: The IdP only asserts faculty, staff and student affiliations backed by proper on- and off-boarding processes | Thomas Lenggenhager, SWITCH | Mikael Linden, CSC E Yurick, Gettysburg |
| 3 | IdP expectations #1 | The approach may work for staff, faculty and students but my experience is that even trustworthy IdPs have also users (industry partiers, library walk-in, ...) whose accounts are less secure and wouldn't have access to the key enterprise systems. To make #1 useful for SPs, maybe introduce a tag for the trustworthy accounts (to enable SP side filtering) or make it explicit that #1 applies only to accounts with eP(S)A=staff, faculty or student (c.f. the comment above from Thomas). | Mikael Linden, CSC
(NH comment: note it only says that the IdP must be trusted to access enterprise systems, not that all accounts will be authorised to do so). | Maarten Kremers, SURFnet
|
| 4 | IdP expectations | The word "institution" should be replaced by the word "organization" to be inclusive of organizations that operate IdPs and that are not institutions, such as LIGO. | Scott Koranda, LIGO | Nicole Harris, GÉANT Von Welch, IU |
| 5 | SP expectations | The 5th bullet on attribute requirements is probably a bit over-specified for contractually negotiated situations where specific data exchanged will depend on the customer and the particular relationship, and isn't usable ad hoc. Maybe wording allowing for "or as negotiated by contract". | Scott Cantor, Ohio State | |
| 6 | FedOp expectations | I would add: "The federation operator makes the trustworthiness transparent to the participants." | Scott Koranda, LIGO | |
| 7 | IdP expectations | The current POP (2008) states an expectation that IdPs will "provide authoritative and accurate attribute assertions to other Participants" but I don't see that covered in the text above. | Jim Basney, NCSA/Illinois | |
| 8 | IdP expectations | The current POP (2008) states, "Sending passwords in 'clear text' is a significant risk, and all InCommon Participants are strongly encouraged to eliminate any such practice." If this is replacing the POP, are we losing an expectation about IdPs not using clear text passwords? | Jim Basney, NCSA/Illinois | Mary Dunker, Virginia Tech |
| 9 | SP Expectations | The current POP (2008) states, "InCommon strongly discourages the sharing of that data with third parties, or aggregation of it for marketing purposes without the explicit permission of the identity information providing Participant." Are we losing the expectation that data will not be shared with third parties? | Mary Dunker, Virginia Tech
| |
| 10 | IdP expectations | "The IdP is trustworthy enough to access the institution’s own enterprise systems". I'd make this mor affirmative and lose the "enough". "The IdP IS trusted to access the institution's own enterprise systems". | Nicole Harris, GÉANT | |
| 11 | IdP expectations / SP expectations | The wording around the security part in the IdP section and the SP section are very different - the IdP only has to "treated as an enterprise system by institution-level security operations" but the SP has the specific expectation of an incident response plan. Better align these. | Nicole Harris, GÉANT | Von Welch, IU |
| 12 | SP expectations | Attributes required to obtain service are appropriate and published - does this need a qualified "in metadata" after the published? Do we need a supporting 5 in the IdP section around IdPs publishing tags for support attribute release approaches? (I like balance, it's an OCD thing). | Nicole Harris, GÉANT | |
| 13 | IdP expectations & general enforcement strategy | I appreciate the careful craftsmanship of the requirements. Here is a general question by way of example related to certain types of IdPs. InCommon has guest IdPs and also test IdPs in metadata. Should we assume that we want to continue to support these types of IdPs for the community? A section on compliance and enforcement would be helpful. For instance, if one of these special IdPs does not conform to one of the four baseline criteria, will the federation operator tag it with a "hide from discovery" tag or remove the IdP from the metadata aggregate? Once we wade into per-entity metadata, what will the enforce technique look like? Publish with/out a tag or not at all? The federation community has been discussing whether the Federation Operator shold be more prescriptive and act with a more direct enforcement practice. Should this be documented here, or in a companion document (e.g., the FOP)? Will each FedOp have a different enforcement practice or a common expectation on behavior? If different, the FOP would be the best location for practice. If commonality is desired, perhaps this document should contain the enforcement practice. (Added at Ann's request.) | John Krienke, InCommon/Internet2 | |
| 14 | Claim & Frequency | Should we assume this claim is self-asserted by the entity operator? Being explicit about this would be helpful. How often should baseline expectations be asserted—annually? What happens if an entity operator forgets to reassert (another enforcement question)? There were decisions made in the Assurance program's documentation that could be helpful to contemplate. | John Krienke |
See also:
InCommon Assurance Call of Nov 2015 on Baseline Practices
...