
...

Richard proposed to continue with Martin's comments and then to address SATO's comments, and said that everything in green has already been resolved.

...

Martin comments:

  • Comment on Row 74 - agreed.
  • Comment on Row 91 - agreed to add to criteria 0460 "limit or extend" a subject session duration at the RP.
  • Comment on Rows 94-98 about implementation on HOK - Richard W. asked whether they should be ignored or reviewed. He added that this is the only reference to FAL3. In the absence of comments they will remain and will be reviewed later.

SATO’s comments:

Comment 1. "We must be aware of who will be certified (or assessed) by using 63C SAC. Unlike 63A or 63B, an IdP needs cooperation with (or enforcement by) its participating federation. Therefore, a pair (IdP, federation) would be a target for assessment, considering the current operations of federations mentioned below".

  • Richard said it is a good idea, but not feasible. He pointed out that in a Fed someone will be setting the rules, and there must be at least 3 or more participants, otherwise it would be a bilateral relationship. Therefore it is unlikely that the assessments of all the participants can be managed together. Each Service Provider would need to be individually assessed; under a FAL2 assessment, the assessment would include "show me the fed agreement and how you meet it". He also pointed out that there are no means to assess -?-

  • Richard W. also sees a problem because a meaningful federation will have multiple CSPs (IdPs), so assessing the Federation Authority with only (either) a single CSP or (alternatively) ALL CSPs seems either pointless or alternatively very burdensome.

...

  • RAs exclusively at the moment, but a similar process could be created. Martin added that we may have multiple assessment sets per kind of entity. Richard remarked that we can desire to have an RP

...

  • assessed, but KI is not in a position to mandate that unless we own a federation. We cannot impose a requirement to have an RP assessed; it applies only if the Federation Agreement requires it. Richard

...

  • added that the criteria say: “Each participant” so it's fully inclusive (assessment of RP, IdP and Fed Authority)

...

  • Ken stressed that Federation Authority is responsible for the federation and its operation, and it is also the one that will respond if something goes wrong.
  • SATO: “Today, it is common that an IdP belongs to multiple federations.
    For example, a research IdP belongs to both InCommon and eduGain, which are operated under different policies and contracts”.
  • The group agreed with the statement.
  • Ken also commented that Federation Authority must ensure that the assessment was done, but there is no need to perform the assessment.

...

  • The Fed Authority should ensure the assessment was done, not necessarily perform it.

Comment 2. "Furthermore, in commercial IdP (OP), it is very common that a single IdP collects multiple RPs, and builds a federation. Here, the bunch of individual contracts between the IdP and RP would be the "policy" of this implicit federation".

  • It was asked: if a CSP plays in multiple Federations, does it have to get an assessment for each Federation? How common are the requirements, and do we give folks approval when they have met 80% of the requirements? Ken responded that again it comes down to how common the requirements are, and if they have already met 80% of the requirements, they only need to be assessed for the remaining 20%.
  • Richard W. clarified that CSPs are individually assessed and each of them has to show how it meets the criteria. In fact, the criteria say "each participant".
  • Remaining for next week: it was agreed to continue with question/comment #2 of Dr. SATO next week.
  • Richard concluded that so far the group has gone through what a Federation might look like and how it must function/operate, and pointed out that it is an immature area.