
63C SAC 2020-03-18

Attendees

  • Ken
  • SATO
  • James Jung
  • RW Richard
  • MARK Hapner
  • Nathan
  • Martin

  • Richard Wilsher mentioned that the criteria that apply to the Federation Authority were completed; now it is necessary to go back to the IdPs and RPs.
  • Additional requirements to the Federation Agreement: testing and the frequency of re-assessment, to ensure ongoing conformance, are being added even if they are not part of the source text. Ken said that the Board would, in essence, look for a recommendation from IAWG and, unless there is a very significant business reason not to go with that recommendation, they would go with it; they are not the technical experts. Richard W. added that this is the reason why CSPs and RPs are being encouraged to work in the sub-group.
  • Fundamental requirement: Assessment no longer than one year.
  • It was commented that it is assumed that if the assessment criteria changes (if Kantara makes the changes), it should probably trigger re-assessment as well. Ken answered that it should be checked in the annual conformance review.
  • Row 50. Richard said that if it is necessary to recommend a maximum period between these periodic re-assessments, that would be three years. Every year Kantara has to ask: are you meeting your three-year obligation?
  • Row 50. #0330 – “where the vetting is performed”.
  • Richard said there are three questions: Should this requirement be made such that they have to be vetted prior to participation? Is it periodic? To what extent does one allow one-hundred-percent conformance to be found subject to corrective action for an acceptable time period?
  • Ken suggested adding a note answering these questions: Should we make this requirement prior to participation? Regarding the assessment, is it one-off or do we do it periodically, e.g. yearly? To what extent do we define sufficiency of conformance? Richard W. added a note stating those aspects.
  • Nathan commented that the self-assessment part (column R) was bothering him in the extreme. Does the source text allow self-assessment? Richard said no; it actually excludes the possibility of self-assessment by Federation participants. When you consider this text here, a federation could vet each participant. It does not allow self-assessment; it would be inconsistent with Kantara.
  • Ken’s suggestion (my vote: “As Necessary” for testing, and “SHALL be done” for frequency of re-assessment) raised no objection.
  • Richard W. proposed to go through Martin’s comments and to address SATO comments.
  • Richard W. said that everything in green is what has been already resolved.
  • 292 was agreed.
  • Martin’s comments:
    - Row 91: extend it. Add to criteria 0460: limit or extend.
    - Rows 94-98 (HOK): Richard W. asked if they should be ignored or reviewed. Richard W. said it is the only reference to FAL3.
    - In the absence of comments they are going to remain and will be reviewed later.


  • SATO’s comments:


  1. We must be aware of who will be certified (or assessed) by using 63C SAC. Unlike 63A or 63B, an IdP needs cooperation with (or enforcement by) its participating federation. Therefore, a pair (IdP, federation) would be a target for assessment, considering the current operations of federations mentioned below.
    - Richard W. said it is a good idea, but not feasible.
    - Richard W. added that the Service Provider would need to be individually assessed. He also pointed out that there are no means to assess -?- (min 39:20) exclusively at the moment; a similar process could be created.
    - Richard W. also sees a problem because a meaningful federation will have multiple CSPs (IdPs), so assessing the Federation Authority with only (either) a single CSP or (alternatively) ALL CSPs seems either pointless or alternatively very burdensome.
    - Richard W. remarked, regarding “We desire to have an RP assessed”, that KI is not in a position to mandate that unless we own a federation. Richard W. said that the criteria say: “Each participant”.
    - Ken stressed that the Federation Authority is responsible for the federation and its operation, and it is also the one that will respond if something goes wrong.
  • SATO: “Today, it is common that an IdP belongs to multiple federations. For example, a research IdP belongs to both InCommon and eduGain, which are operated under different policies and contracts”.
  • The statement was agreed with.
  • Ken also commented that the Federation Authority must ensure that the assessment was done, but it does not need to perform the assessment itself.


  • SATO continued: “Furthermore, in a commercial IdP (OP), it is very common that a single IdP collects multiple RPs and builds a federation. Here, the bunch of individual contracts between the IdP and RP would be the ‘policy’ of this implicit federation”.

  • It was commented that if a CSP plays in multiple Federations, do they have to get an assessment for each Federation? How common are the requirements, and do we give folks approval when they have met 80% of the requirements? Ken responded that again it comes down to how common the requirements are, and if they have already met 80% of the requirements, they only need to be assessed for the remaining 20%.
  • Richard W. clarified that CSPs are individually assessed and each of them have to show how they meet it. In fact, the criteria say “each participant”.
  • Remaining for next week: finish SATO’s question 2.
  • Richard W. concluded that so far, it has gone through what a Federation might look like and how it must function/operate. It is an immature area.