Overview

The REFEDS Steering Committee has approved the launch of a consultation on the adoption of the Academia Entity Category by REFEDS. The consultation opened on 12th August 2015 and closed on 23rd September 2015. Participants are invited to review the full text and make change proposals in the table below or by email to the REFEDS Coordinators and to express their support / dissension for the category. It is recommended that you also read the prepared notes on the proposal. This proposal was NOT ACCEPTED. A revised consultation has been launched.

Please note the full text of the original proposed category is available at: https://github.com/leifj/academia-category/blob/master/academia-entity-category.md.

The notes are available at: Academic-Academia.

Statements of Support / Dissension


As this category has been contentious in the community, we are asking for organisations to express their support or dissension below to allow us to gauge the appropriateness of REFEDS adopting this approach. 

Name | Organisation | Reason
Jim Basney | NCSA / XSEDE (InCommon) | Support: This is needed by CILogon to support SeedMe access for academic but not commercial use.
Niels van Dijk | GEANT Project; InAcademia Service | Support: This is needed by the InAcademia Service to support access for academic users, but not others (K12, Homeless IdPs, etc)
Romain Wartel | CERN / WLCG | Support: This would help support the needs of the High Energy Physics community
Jozef Misutka | LINDAT/CLARIN | Support: This would simplify filtering out IdPs not meeting our AAI requirements.

Change Log

Change Log for the Consultation on the Academia Entity Category.  The Consultation started on 12th August 2015 and closes on 23rd September 2015 (5pm CEST).  Please fill in your proposed changes to Academia Category below.

Number | Current Text | Proposed Text / Query | Proposer | Action
1 | Definition | https://github.com/leifj/academia-category/pull/6 | On Github | Raised on github + addressed in forked refeds version.
2

a relying party SHOULD NOT assume that an attribute assertion received from an identity provider with the academia entity category represents a Subject (as defined in [TBD]) with any particular affiliation to the organization on behalf of which the identity provider is operated.

Is this meant to imply "an attribute assertion received *that does not contain an ePA/ePSA* from an identity provider..."? If "yes", is the expectation that the mechanism for membership/publication in a federation will sufficiently address (via POPs or the like) ensuring that asserted ePA/ePSA are adhering to "expected norms"? Or if "no", is the intent of the category to allow interpretation of the values of ePA/ePSA based on membership, but still disavowing any absolute meanings to the affiliations?

Eric Goodman | Raised on github - #11. Addressed in forked refeds version.
3 | Annotate those member identity providers that represent academic institutions, in order to distinguish them from identity providers that are not able to claim any affiliation with the international research and education community | The definition section sets the bar for degree-granting institutions at ISCED level 6. There are a number of level 5 degree-granting institutions in the US ("community colleges") that have faculty that contribute to national and international research projects, and may be funded by agencies such as the NSF. I'm concerned that the cut-off at level 6 may cause IdPs with participants in international research to be hidden from discovery. | Nick Roy

It is inevitable that wherever the bar is set there will be groups that fall outside this.

Raised on github - #7.

Addressed in new version.

4

2.5 any organization explicitly denoted as an academic institution by a government entity in the jurisdiction where the claim of being an academic institution is made

In the US, accrediting bodies that determine the validity of academic institutions are non-government organizations. | Nick Roy | Raised on github and fixed proposed.
5

unless it is being operated

  • by or
  • on behalf of and by contract with at least one organisation represented by a legal entity in good standing in the community of other academic institutions and fulfills at least one of the criteria below:

... unless it is being operated

  • by, or
  • on behalf of and by contract with at least one organisation represented by a legal entity in good standing in the community of other academic institutions that fulfills at least one of the criteria below:
Andrew Cormack

Raised on github. Fixed by different change.


6 | "on behalf of and by contract with at least one organisation represented by a legal entity in good standing in the community of other academic institutions and fulfills at least one of the criteria below:"

This does allow the category to be applied to contracted-out IdPs that provide service to a mix of educational and non-educational organisations (e.g. Microsoft or Google). I suspect it also allows it to be applied to any IdPs that might be operated by universities as a commercial service to other organisations, even if none of those are educational.  Need to work on the wording to ensure that it is only instances run for academic organisations that are in spec.

Andrew Cormack | This seems to be covered by the existing text.
7 | N/A | Concern about using to imply conditions of terms of use rather than authorisation (e.g., being academic does not mean I will be restricted to using materials for "academic use only"). Add some text to express this? | Mailing List Discussion / Various people | Application is out of scope for EC, should be addressed in associated ToR.
8 | N/A | Scope the category not to be "are you academic?", but "should you be trusted to assert academically-oriented data about users"? This is the same as point 12 below or #14 on github. | Scott Cantor | Raised on github.
9 | N/A | If SPs are happy with "close enough" why is self-assertion of eduPersonAffiliation not close enough as compared with creating a new process? | Nick Roy | As anyone is free to assert eP values, SPs are looking for slightly more assurance / due diligence carried out by federation. A registration criteria section has been proposed to address this.
10 | N/A | Add text on link between using this category and ePA/ePSA | Eric Goodman | Merged with Leif's proposal below.
11

By asserting an identity provider to be a member of the academia entity category a registrar claims that the identity provider fulfils the criteria described above in the jurisdiction of the registrar. The intended use for the entity category is twofold:

  • To allow metadata consumers (e.g. a discovery service) to filter on identity providers representing one or more academic institutions
  • To allow relying parties a way to decide how to interpret the values of the eduPersonScopedAffiliation and eduPersonAffiliation attributes.

Specifically a relying party SHOULD NOT assume that an attribute assertion received from an identity provider with the academia entity category represents a Subject (as defined in [SAMLCore]) with any particular affiliation to the organization on behalf of which the identity provider is operated. Conversely, the absence of the academia category does not mean that the identity provider does not in fact represent one or more academic institution.

By asserting an identity provider to be a member of the academia entity category a registrar claims that the identity provider fulfils the criteria described above in the jurisdiction of the registrar. The intended use for the entity category is:

  • To allow relying parties a way to decide how to interpret the values of the eduPersonScopedAffiliation and eduPersonAffiliation attributes within their application(s)

Specifically a relying party SHOULD NOT assume that an attribute assertion received from an identity provider with the academia entity category represents a Subject (as defined in [SAMLCore]) with any particular affiliation to the organization on behalf of which the identity provider is operated. Conversely, the absence of the academia category does not mean that the identity provider does not in fact represent one or more academic institution. The category MUST NOT be used for the purposes of gross access control (either allowing or disallowing access to any Subject based solely on the presence of an authentication by an Identity Provider that is or is not decorated with the entity category). The category MUST NOT be used for the purposes of filtering Identity Provider entities from discovery or excluding them from interoperability with otherwise broadly-available services.

(Effective proposal is to forbid filtering from discovery)

Nick Roy | No wide acceptance that this shouldn't be used for discovery filtering.
12 | Change definition approach

An identity provider annotated with the academia category implies that the registrar has made the determination that the identity provider SHOULD be trusted to assert the following attributes [...]. When making the decision to annotate an identity provider with the academia category a registry SHOULD consider the following criteria: [...]


Add text on link between using this category and ePA/ePSA

Leif Johansson | This is #14 on github. Added to the revised refeds version.
13 | Changes to definition

"by" is unnecessary and could bring in some user organisations that you don't intend. "By" would include an IdP operated by a university as a (pay-for) service to non-educational organisations. "On behalf of" covers in-house IdPs anyway. For IdPs operated by someone else, I'd suggest "by contract or other written agreement", rather than specifying a particular form of that agreement. Indeed it may be that "on behalf of" covers that situation as well, in which case all you need is "on behalf of an organisation represented by a legal entity in good standing ... (etc)"?

Andrew Cormack | Added to github as #13.
14 | Specifically add Research Hospitals

Research Hospitals are organizations present at least in Italy and France. I propose to list them under the current academic organizations. Though, I don't know if it is better to have a "teaching or research hospital" item, or just add them as a new item.

They differ from teaching hospitals in that they do not offer courses on their own, nor can they award academic degrees, though they provide laboratories and internships for researchers, and they can host courses with special agreements with Universities (but that is not always the case).

A broad definition that covers both the Italian and the French case is:
Health and research centers where doctors and researchers conduct highly specialized health-related research and patients can get special treatments.

Currently the term "researchHospital" is employed for schacHomeOrganizationType in both the Italian and the French Identity Federations:
urn:schac:homeOrganizationType:int:researchHospital

Davide Vaghetti (Consortium GARR) | Raised on github #19. Addressed in new version.

Other Comments / Observations