[Tf-aai] CLARIN AAI developments

Martin Matthiesen martin.matthiesen at csc.fi
Tue Jul 12 16:05:39 CEST 2016


Dear AAI-Taskforce,

Here are some news and developments related to CLARIN AAI.

* Sirtfi

Refeds is working on a "Security Incident Response Trust Framework for Federated Identity" (Sirtfi): https://refeds.org/sirtfi

I am not aware of severe security related incidents in CLARIN, but having some procedures in place before it happens seems like a good idea. Besides, the upcoming EU data security regulations [1] demand such incident response procedures, and organisations can be fined if they don't have them.
I think there should be a fire-drill-type simulation of such a security incident; I have already volunteered to play either victim or perpetrator. It was a bit unclear to me whether Sirtfi plans such exercises.

* Attribute Release handling

I managed to combine Lindat's Aaggreg [2] and eduGAIN's Attribute Checker [3]. I did not manage to document it though, so please let me know if you are interested in implementing both. It is quite simple.
I highly recommend implementing both tools, since they complement each other. Aaggreg [2] for the first time shows everyone that IdPs quite often refuse to talk to SPs, in the case of Germany even within the same country! We "knew" this for a long time, but now we can show it.
The Attribute Checker gives the user a meaningful error page with the easy option to complain and include relevant information. The more SPs take part, the more relevant statistics can be gathered, so please volunteer. I suggest we make a strong statement for implementation of [2] and [3] within CLARIN in our next task force meeting. I would not make this a centre requirement, but I very much believe pushing this a bit makes a lot of sense.

* CLARIN ACA interpretation

Here at the Language Bank we changed the interpretation of the CLARIN ACA license: https://kitwiki.csc.fi/twiki/pub/FinCLARIN/ClarinEULA/CLARIN-EULA-ACA-2014-10.rtf

Since ACA resources can be used for "educational, teaching or research purposes", this henceforth includes students. In SAML2 terms: eduPersonAffiliation=member. The reasoning is that similar resources from publishing houses are usually IP-bound to universities, so members of a university can use them. In the same way the publishing houses accept some overgeneralisation (i.e. the computer of the janitor also has access), we also accept some overgeneralisation (the janitor is likely also a "member"). For AAI in general this means that your academic login is upgraded, so I would hope more folks try to log in once this is properly communicated. This, combined with the already mentioned Attribute Release handling, hopefully puts a bit more pressure on the IdP side to reconsider their roles and responsibilities in AAI. Since our co-coordinator Krister Lindén, who heads the CLARIN Legal Committee, has approved this, I hope this interpretation spreads within CLARIN.

I wish you all a nice summer!

Martin

[1] http://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-regulation/
[2] https://lindat.mff.cuni.cz/services/aaggreg/
[3] https://wiki.edugain.org/How_to_configure_Shibboleth_SP_attribute_checker


P.S.: I'll be on holiday 16.7-10.8. Let's have a VC in August/September.

-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
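The two SP-side mechanisms the mail touches on, the Attribute Checker's "which attributes did the IdP withhold, and what should the user quote when complaining" report and the ACA rule expressed as a predicate on eduPersonAffiliation, as an added example. This is not code from the mail, from Lindat's Aaggreg or from the eduGAIN Attribute Checker. It assumes a Shibboleth-SP-style session in which released attributes arrive as "name=value;value" strings and the IdP's entityID in Shib-Identity-Provider; the attribute names, the required set, the "old" ACA reading (staff and faculty only) and the sample sessions are all assumptions constructed for illustration.

```python
"""Attribute-release check and ACA affiliation rule for a SAML SP.

Added example, not code from the original mail, from Lindat's Aaggreg or from
the eduGAIN Attribute Checker. Assumes a Shibboleth-SP-style environment:
released attributes as "name=value;value" strings, IdP entityID in
Shib-Identity-Provider. Attribute names and the required set are assumptions.
"""
from dataclasses import dataclass, field

# Attributes this (hypothetical) SP needs to identify and authorise a user.
REQUIRED = ("eduPersonPrincipalName", "eduPersonAffiliation")

# Old ACA reading (assumed, for contrast): researchers and staff only.
OLD_ACA_AFFILIATIONS = frozenset({"faculty", "staff", "employee"})
# New ACA reading stated in the mail: any member of the institution.
NEW_ACA_AFFILIATIONS = frozenset({"member"})


def parse_attributes(env: dict) -> dict:
    """Turn released attributes into sets of values, splitting multi-valued
    attributes on ';' as Shibboleth SP does; empty strings count as absent."""
    attrs = {}
    for name, raw in env.items():
        if name.startswith("Shib-"):      # session metadata, not user attributes
            continue
        values = {v for v in raw.split(";") if v}
        if values:
            attrs[name] = values
    return attrs


@dataclass
class ReleaseCheck:
    sp_entity_id: str
    idp_entity_id: str
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing

    def complaint(self) -> str:
        """Text the user can paste into a ticket to the IdP: which SP, which
        IdP, which attributes were withheld. That is all the IdP needs."""
        return (f"IdP {self.idp_entity_id} did not release "
                f"{', '.join(self.missing)} to SP {self.sp_entity_id}.")


def check_release(env: dict, sp_entity_id: str, required=REQUIRED) -> ReleaseCheck:
    """Attribute-checker step: which required attributes did the IdP withhold?"""
    attrs = parse_attributes(env)
    result = ReleaseCheck(sp_entity_id,
                          env.get("Shib-Identity-Provider", "<unknown IdP>"))
    result.missing = [name for name in required if name not in attrs]
    return result


def aca_allowed(attrs: dict, rule=NEW_ACA_AFFILIATIONS) -> bool:
    """ACA rule: grant if any released affiliation value is in the rule set.
    A user with no affiliation released is denied, not guessed at."""
    return bool(attrs.get("eduPersonAffiliation", set()) & rule)


# Constructed sample sessions (not real logins or real IdPs).
SESSION_STUDENT = {            # IdP releases everything; user is a student
    "Shib-Identity-Provider": "https://idp.example-university.fi/idp/shibboleth",
    "eduPersonPrincipalName": "student@example-university.fi",
    "eduPersonAffiliation": "member;student",
}
SESSION_NO_RELEASE = {         # IdP authenticated the user but released nothing
    "Shib-Identity-Provider": "https://idp.example-hochschule.de/idp/shibboleth",
    "eduPersonPrincipalName": "",
}

if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    for session in (SESSION_STUDENT, SESSION_NO_RELEASE):
        check = check_release(session, sp)
        if not check.ok:
            print("release incomplete:", check.complaint())
            continue
        attrs = parse_attributes(session)
        print("ACA old reading:", aca_allowed(attrs, OLD_ACA_AFFILIATIONS),
              "new reading:", aca_allowed(attrs, NEW_ACA_AFFILIATIONS))
```

The student session is the case the mail describes: under the old reading the login is rejected, under the new reading "member" is enough. The second session is the German-style non-release the mail mentions; the SP cannot make an access decision at all, so instead of a bare "forbidden" it hands the user the entityIDs and attribute names to put in a complaint to the IdP.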