Hi Derek,
On 2017-10-15 18:52, Derek Simmel wrote:
I wish we could nix the term 'OIDC SP' as I feel that the Service Provider term (however accurate) is rather overloaded... is this what you are calling an 'OP' or is that something different?
Quite true, my bad. Agree we should use the terminology consistently, so I propose we stick to RP (the OIDC "SP" term) and the OIDC Provider ('OP') terminology. I've updated the Wiki to reflect that. Now I hope I'm not horribly mistaken here ;)
It would be helpful to me if we could develop a small set of diagrams/illustrations to help keep definitions clear, and to help us communicate to (me and) others what all the parts and gaps are that we hope to address.
If we indeed align fully with the OIDC terminology, the standard graphs should work as well for basic interactions. For the federation bit, we will need some graphs :)
Cheers, DavidG.
- Derek
On Oct 15, 2017, at 12:26 PM, David Groep davidg@nikhef.nl wrote:
Hi all,
Since apparently this group is attracting a lot of interest in the wider world, I think it's good to actually write down our objectives and scope, if only to clarify that we are *not* intending to set up an alternative OIDC Fed next to eduGAIN or so :) The discussion at the All Hands meeting was clearer on that issue, but it's not written down anywhere. And that starts creating confusion ...
Should we have a stab now at the scoping statement to identify objectives? Comments welcome, please!
"The IGTF OIDC Fed effort focuses (primarily) on the establishment of trust between OIDC SPs in the Research and e-Infrastructures, where a common trust basis exists between them and between them and any of their 'upstream' or internal SPs, and where a common trust anchor or set of trust anchors would help alleviate the need to establish bilateral trust between all OIDC SPs and the collection of Infrastructure SP-IdP proxies (acting as OPs), and between SPs and (bridging) OPs of different Infrastructures when they inter-operate. In this respect, it is complementary to other OIDC Fed efforts in the general R&E space (in particular, we are not intending to mass-onboard OPs).
The trust basis for the federation can be organised around the Snctfi framework, using common baselines where applicable (e.g. those developed as part of the Policy Development Kits in AARC and the CTSC). Incidental OPs that connect to the Federation can be assessed based on the IGTF AuthN Assurance Profiles. Trust establishment leverages the membership and assessment guidelines common to the IGTF."
I've added it tentatively to http://wiki.eugridpma.org/Main/OIDCFed, so the IGTF members can edit it directly, but let's discuss on the list :)
Similarly, we should start actively reaching out to some of the implementors of the Infrastructure (proxy) operators (Nicolas, Mikael, Jens, Hannah, Brian, &c) to get the needs and requirements clear. I can think of several things here - there are likely more:
- is a technical bridge (single signing key) better? Or a distribution and a 'policy bridge' like we have today?
- scoping and how to deal with proxies changing (or not changing!) scope and how we can facilitate such trust?
- technical details?
- time line?
Let's make this a slightly livelier list :)
Cheers, DavidG.
-- David Groep
** Nikhef, Dutch National Institute for Subatomic Physics, PDP/ACR group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
** New PGP key: 0x308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **
---
Derek Simmel
Pittsburgh Supercomputing Center
dsimmel@psc.edu
+1 (412) 268-1035