Page to be archived

Introduction

SCHAC, the Schema for Academia, has been running for several years as part of TF-EMC2.

In the last year, however, it became obvious that a more sustainable plan to maintain and run SCHAC was needed. REFEDS could offer not only a better-structured home for SCHAC but also funding that could be allocated to secure a SCHAC caretaker.

At the end of 2012, the REFEDS SC approved the proposal to host SCHAC.

SCHAC Tasks

SCHAC Todo List

Due to the lack of proper maintenance of SCHAC in the last 15 months, there are a number of issues that should be fixed, namely:

Harmonise SCHAC information on the TERENA website

This item has been completed as of January 2015 as part of the SCHAC Harmonisation Project.

(And/or move the content under REFEDS)

There are currently two registries running in parallel:

Old Registry: SCHAC Registry Information, a static web page managed by TERENA. (A reference to the new registry has been added; however, a decision should be taken on which registry to use.)

New Registry: https://urnreg.terena.org/. This is the URL referenced by the SCHAC RFC. It is a dynamic web page where anyone can register values. The new registry offers an API (is this used by anyone? what could it be used for?) and a dynamic web interface. The web interface currently has the drawback that it does not allow direct links to a particular SCHAC attribute (and it also breaks navigation with the web browser's back button). Such links would however be very useful. Most likely the interface could be extended, if self-registration of values is needed at all.

Namespace urn:schac documentation update

This item has been completed as of January 2015 as part of the SCHAC Harmonisation Project.

At the end of 2011, the new RFC-defined SCHAC namespace urn:schac was approved. This means that the old namespace urn:mace:terena.org:schac is deprecated. The sunset period agreed at the TF-EMC2 meeting in Bologna (Oct 2011) ends in Jan 2013. Cf. https://www.terena.org/mail-archives/schac/msg00549.html

There should be a new revision of the SCHAC documents currently located at

with a revision listing the new namespace and a URL for the registry.

Better yet, all existing documents (the Specification PDF and the LDAP Schema) and all existing registries should be replaced with links to a single authoritative specification containing all the necessary information (e.g. in the newly federated TERENA wiki, which provides access control for releases of the spec).

The URN change should affect only attribute values, since in SAML the SCHAC attribute names are commonly expressed on the wire as OID-based URNs (e.g. urn:oid:1.3.6.1.4.1.25178.1.2.10, following the example of the MACE-Dir SAML Attribute Profiles), so the name-based URN of an attribute does not appear in the assertion at all. (SCHAC attribute values, on the other hand, often redundantly contain the full attribute name as part of the value, a practice which should also be reconsidered.) However, in the old registry the attribute definitions still use name-based URNs.

Controlled vocabulary for attribute values

Work still pending

As pointed out on the SCHAC mailing list (reference?), the SCHAC spec and the LDAP schema both provide some example values for SCHAC attributes but do not provide any rules on how to assign values (e.g. the applicability/eligibility of schacHomeOrganizationType values).

This is particularly relevant for the international values (:int) of schacHomeOrganizationType. Different identity federations already use, or would like to use, agreed-upon international values. The results of a short survey of which homeOrganizationType values are used, and where, are available in the REFEDS wiki.

For schacHomeOrganizationType one finds different values in the old registry, the new registry, the PDF specification and the LDAP schema file. This is very confusing and should be harmonised and kept consistent. The easiest way to achieve this is to have a single version (i.e. a single document) of the spec, also containing the relevant bits from the LDAP schema.

Governance

This item has been completed as of January 2015 as part of the SCHAC Harmonisation Project.

Governance should be defined for adding to or changing the spec, e.g. discussing and finalising amendments on the SCHAC mailing list and proposing them to the REFEDS SC for approval.

The existence of the "experimental" SCHAC branch should be reconsidered. Relying parties should be spared the configuration work of changing the OID or formal attribute name for a given attribute only because the attribute turned out to be useful and was therefore copied over to the "production" branch (thereby changing the attribute's formal name and essentially creating a completely different, new attribute).

Identifier Assignment

Work still pending

According to the RFC defining the new urn:schac namespace:

TERENA will create an initial series of immediately subordinate naming authorities, and will define a process for adding to that list of authorities. [...] Each country with a representative in SCHAC will be invited to designate a naming authority. Country-specific namespaces based on the country Internet Top-Level Domain (TLD) will then be assigned to the designated authority. The subordinated namespaces int and eu will remain under TERENA authority, controlled by the SCHAC activity members, for entities of global, international, or European interest.

Attribute Profiles for SAML and other usage

This item has been completed with the 1.5 release of SCHAC.

One could argue that any one of the following attribute names correctly represents the SCHAC attribute "HomeOrganizationType" when used inside a SAML attribute assertion:

Clearly a SAML Service Provider should not need to handle (i.e. manually configure) all of these variants just to be able to process a single attribute.
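The three problems above (name-based versus OID-based attribute names in SAML, values still carrying the deprecated urn:mace:terena.org:schac prefix, and the missing controlled vocabulary for :int values of schacHomeOrganizationType) are what a Service Provider has to reconcile on the consuming side. The following Python is an added example written for this page; it is not code from SCHAC, TERENA or any registry. The list of name variants in the original page is not preserved here, so the variants handled below (OID URN, name-based URN in either namespace, bare LDAP name), the mapping of OID 1.3.6.1.4.1.25178.1.2.10 to schacHomeOrganizationType, and the :int vocabulary are all the author's assumptions for illustration, as is the sample assertion at the bottom.

```python
"""Normalise SCHAC attribute names and values as received in a SAML assertion.

Added example for this page, not part of SCHAC or any registry software.
The OID-to-name mapping, the :int vocabulary and the sample data are assumed.
"""
import re
from typing import Dict, List, Optional

OLD_NS = "urn:mace:terena.org:schac"  # deprecated namespace (sunset January 2013)
NEW_NS = "urn:schac"                  # RFC-defined namespace

# Assumed: the page gives only the OID URN as an example of the wire form;
# which LDAP attribute it resolves to is an assumption made for this example.
OID_TO_NAME = {
    "1.3.6.1.4.1.25178.1.2.10": "schacHomeOrganizationType",
}

# Constructed controlled vocabulary for the international (:int) branch.
# Illustrative only; it is not the registry's list.
INT_VOCABULARY = {"university", "university-college", "research-institution", "other"}


def canonical_attribute_name(name: str) -> Optional[str]:
    """Reduce any attribute-name variant an IdP might send to the LDAP name.

    Accepts the OID-based URN used on the wire, the name-based URN in the old
    or the new SCHAC namespace, and the bare LDAP name. Returns None for
    anything that is not a recognised SCHAC attribute.
    """
    if name.startswith("urn:oid:"):
        return OID_TO_NAME.get(name[len("urn:oid:"):])
    for ns in (OLD_NS, NEW_NS):
        prefix = ns + ":attribute-def:"
        if name.startswith(prefix):
            candidate = name[len(prefix):]
            return candidate if candidate.startswith("schac") else None
    if re.fullmatch(r"schac[A-Za-z]+", name):
        return name
    return None


def migrate_value(value: str) -> str:
    """Rewrite a value in the deprecated namespace into urn:schac.

    Only the namespace prefix changes; the attribute-name segment embedded in
    the value and the vocabulary term after it are left as they are.
    """
    if value == OLD_NS or value.startswith(OLD_NS + ":"):
        return NEW_NS + value[len(OLD_NS):]
    return value


# Authority is a country TLD, "int" or "eu"; term is a lower-case token.
_HOT_RE = re.compile(r"urn:schac:homeOrganizationType:([a-z]{2,3}):([a-z][a-z-]*)")


def check_home_org_type(value: str) -> dict:
    """Validate a schacHomeOrganizationType value after namespace migration.

    Terms under :int are checked against the (constructed) controlled
    vocabulary. Country branches belong to national naming authorities, so
    only their syntax is checked here.
    """
    migrated = migrate_value(value)
    m = _HOT_RE.fullmatch(migrated)
    if not m:
        return {"value": migrated, "valid": False, "reason": "not a homeOrganizationType URN"}
    authority, term = m.group(1), m.group(2)
    if authority == "int" and term not in INT_VOCABULARY:
        return {"value": migrated, "authority": authority, "term": term,
                "valid": False, "reason": "term not in :int controlled vocabulary"}
    return {"value": migrated, "authority": authority, "term": term, "valid": True}


def normalise_assertion(attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Collapse every name variant of one attribute into a single bucket,
    migrating values to urn:schac and dropping non-SCHAC attributes."""
    out: Dict[str, List[str]] = {}
    for name, values in attrs.items():
        canon = canonical_attribute_name(name)
        if canon is None:
            continue
        bucket = out.setdefault(canon, [])
        for v in values:
            mv = migrate_value(v)
            if mv not in bucket:
                bucket.append(mv)
    return out


if __name__ == "__main__":
    # Constructed sample: three IdPs naming the same attribute three ways.
    sample = {
        "urn:oid:1.3.6.1.4.1.25178.1.2.10":
            ["urn:mace:terena.org:schac:homeOrganizationType:int:university"],
        "urn:mace:terena.org:schac:attribute-def:schacHomeOrganizationType":
            ["urn:schac:homeOrganizationType:int:university"],
        "schacHomeOrganizationType":
            ["urn:schac:homeOrganizationType:fi:yliopisto"],
        "urn:oid:2.5.4.3": ["Example User"],  # cn, not SCHAC: ignored
    }
    print(normalise_assertion(sample))
    print(check_home_org_type("urn:schac:homeOrganizationType:int:bogus"))
```

Note that the bare-name and name-based-URN cases only exist because the old registry and some deployments never settled on the OID form; once every party emits the OID URN, canonical_attribute_name collapses to a single dictionary lookup, which is the point the page makes about sparing Service Providers this configuration work.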

Comments from Feide