InCommon Updates Policy Regarding Vetting of Domains in Metadata
Since the beginning of InCommon as a trust federation, InCommon staff have carefully scrutinized the domains in metadata submitted to us by participants before approving the publication of that metadata. This manual process involves looking up the DNS information in the WHOIS database and matching it to the legal name of the organization. In cases where the name did not match, we often discovered that an organization was attempting to submit metadata on behalf of a parent company. Or that a school was attempting to submit SP metadata for a service it contracted with, but which was not willing to join InCommon.
In the face of cloud services and software-as-a-service, this process has become more and more time consuming and less and less sustainable. In addition, over time DNS registrants have chosen to anonymize their WHOIS information and research collaborations have shown the need to submit metadata which may be rooted in many different domains controlled by many different organizations.
In these circumstances, and some of the procedures we’ve developed as work-arounds, we started to question our previous assumptions about what WHOIS information actually does for our trust model.
The answer is that it does much less now than when InCommon started over a decade ago. It is for this reason that we opened a consultation with the community on a new policy which would allow InCommon participants to demonstrate proof of control over a domain, rather than demonstrating ownership. The consultation was open for the month of October, and we received a handful of comments which we incorporated into our revised policy.
We will continue to use WHOIS information as the default, but the new policy will allow us to accommodate those who wish to prove control of a domain via Domain Control Validation (DCV). Some non-limiting examples are included in the policy and are subject to change based on InCommon’s ability to develop procedures to handle them.
In the coming weeks, InCommon staff will announce details about how to take advantage of this new policy. The new process will be manual at first, but in time will become more automated.
In addition, automation of metadata approval for a significant fraction of submissions would further open doors to things such as metadata management APIs. While not on our immediate roadmap, these possibilities are intriguing, and I believe they are strategically important to the scalable future growth of InCommon.