Child pages
  • 2021-05-11 R&S 2.0 Notes
Skip to end of metadata
Go to start of metadata

Attendees:

Working Draft

Agenda

  1. Recap of consensus so far - note that all changes will need to be validated via the consultation process
    1. The FAQ will be revised to offer clarity on the term "affiliation" (see Research and Scholarship FAQ) and editorial changes made to the spec to make it more clear (see new draft spec for updated structure)
    2. eduPersonScopedAffiliation will become a required value
    3. R&S will require privacy statements
    4. subject-id should be listed as the new identifier
    5. R&S 1.3 and R&S 2.0 can co-exist; no migration detail will be included in the spec itself.
    6. ePPN and targeted ID to both be removed from R&S 2.0
    7. Information on OIDC requirements will be moved to R&S 2.1 (after the OIDF OIDCre working group has formal documentation in this space)
    8. eduPersonAssurance will be required, RAF recommended
    9. We'll resolve the need for information on the origin organization by adding guidance for the use for eduPersonScopedAffiliation
    10. DisplayName and Given/SN are required
  2. Review of final changes to the draft spec

  3. Definition Statement for R&S (see table below)

Notes

  1. Recap of consensus so far - note that all changes will need to be validated via the consultation process
    1. The FAQ will be revised to offer clarity on the term "affiliation" (see Research and Scholarship FAQ) and editorial changes made to the spec to make it more clear (see new draft spec for updated structure)
    2. eduPersonScopedAffiliation will become a required value
    3. R&S will require privacy statements
    4. subject-id should be listed as the new identifier
    5. R&S 1.3 and R&S 2.0 can co-exist; no migration detail will be included in the spec itself.
    6. ePPN and targeted ID to both be removed from R&S 2.0
    7. Information on OIDC requirements will be moved to R&S 2.1 (after the OIDF OIDCre working group has formal documentation in this space)
    8. eduPersonAssurance will be required, RAF recommended
    9. We'll resolve the need for information on the origin organization by adding guidance for the use for eduPersonScopedAffiliation
    10. DisplayName and Given/SN are required
  2. Review of final changes to the draft spec

    1. Several items closed. Still to discuss: definition of research & Scholarship and whether subject-id can be used to identify the origin organization. This may be an issue for some proxy use cases. Discussion on subject-id being moved to email
  3. Definition Statement for R&S.
    1. Will discuss on next call

Definition Statement for R&S

Problem statement: the current definition of who can be tagged with R&S ("Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.") is being interpreted differently by different groups.  Requirements that are not specifically in the specification are being applied by federations, creating an uneven use of the specification.

Areas questionedPotential issues
Is R&S focused on the requirements of the service or the organisational typeIssues with not having a definition of an R&S / R&E organisation and the fact that most organisations have business arms to R&E structure
Should "commercial" services be allowedNo way to  distinguish the nuance in commercial vs paid for
Should services that are contracted be allowedContracts are paid for things like collaborative wikis, having a contract does nothing to help the IdP administrator formulate an attribute release policy
Should "management" be dropped from the definition statement
Is this about translation of real world trust (need to collaborate with other humans) into the spec
Should services that are "operated for" IdPs be allowed (e.g. cloud infrastructure - geant.altassian.com vs wiki.geant.org)Who is registering the entity, which challenges are there with registering cloud entities, how do you determine the difference between a private  / community based approach vs just having an account in a commercial environment
Problem of only calling out e-journals in the existing specBetter phrased as something like "Service Provider MUST be able to prove that it has a legitimate need for the personal data in the attribute bundle." (positive rather than negative entry requirement).