Security/identity · 13 Jul 2008

Federation Soup: mmm, mmm good

Internet2 hosted an interesting gathering in early June, called Federation Soup, which I had the privilege of attending. These folks have had to face some of the hardest federation problems out there because of the higher education community’s unique mix of needs, and they take a relentlessly practical approach. Ken Klingenstein said it was okay to blog what I heard at the event, but it took me a little while! Here are some of the tidbits I collected.

Interfederation looks pretty different in Internet2-land and in places like the U.S. government. In the latter, the emphasis is on PKI bridges, while the education sector is looking for more loosely coupled solutions.

It’s not just about higher education; a fair number of people are working on what are called K-20 initiatives that span education at all levels and of all types. This brings in all the hard problems of gathering consent from the custodians of minor children.

The InCommon federation is pretty attractive. Some parties that come from outside traditional education, such as news organizations that want to distribute content in a controlled way and U.S. government agencies that don’t want to use a peered federation model, are joining this federation or at least considering it. At the same time, InCommon is not the only answer; smaller educational system federations will continue to coexist with it. And some federations need independent branding. Finally, some universities simply don’t feel the need for federation at this point.

A lot of the discussion was around how to increase federation adoption. A common theme was to find the killer app or anchor tenant that makes the whole exercise worthwhile all by itself. Some people felt that what sells is not “trust”, but collaboration services. Buyer’s clubs (such as subscriptions to journals) are also an attraction.

At a BOF (birds-of-a-feather session) on privacy, tricky jurisdiction problems were discussed. What if a U.S. student is studying temporarily in Paris? Do you go by their geolocation, or by the IdP’s jurisdiction, or the SP’s? Do you purge logs for privacy according to EU requirements, or retain them for homeland security according to U.S. requirements?

Finally, for the heck of it, some juicy quotes:

  • Scott Cantor: “As far as the software is concerned, there’s no such thing as a federation.”
  • Ken K. on identity proofing and levels of assurance: “It’s ratholes all the way down.”
  • Someone: “Where the duct tape is holding, people are very reluctant to let go.”