Unfortunately just metaphorical BEER at the moment I’m afraid in the form of the BEER project. BEER (I’m sure we will have a more grownup name when it is operational!) is a bit of a confusing concept if you don’t spend all your time thinking about access management metadata exchange like us enthusiasts (read weirdos) so I thought I would try and tease the concept out a bit more here.
I think I would start by saying that it is still very difficult to gauge the exact level of trust and assurance you need in any set of metadata exchanged for access management purposes (as opposed to the level of trust and assurance in the credentials provided). At a very basic level, you just need to be fairly sure that the metadata was provided by the person who it appears to be coming from. This in turn scales upwards to the sort of trust provided by the ‘vetting’ undertaken by federations right up to the more directive policies of interfederations like eduGain. BEER pushes at the other end of the spectrum, by trying to strip the trust level down to a minimum. I think it is important that we are exploring both ends of the scale.
The problem with creating a very robust trust framework is it cost money! Any type of vetting of end-entities inevitably creates the type of process that requires human interaction to check and verify the metadata and its assertions at a variety of levels. This in turn creates a burden for the entities registering metadata who have to meet the requirements of the metadata registrar – a burden they may not be able to achieve not through being untrustworthy but just from not having the resource to dedicate to the process.
Say I am a teeny-weeny little Service Provider (and note I am just focusing on Service Providers in the BEER context) of Edublob, but I just happen to have customers in academic institutions all around the world. I really want to offer federated access to my users, but I don’t have the time or resources or ability to manage the legal costs of signing contractual agreements with lots of academic federations. Instead, I chose to register my metadata with BEER and tell my customers to consume it, or get their federation to consume BEER.
The consumer has a certain amount of faith in the metadata as BEER does some checking and has also had a bilateral exchange (all be it minimal by email) with Edublob telling them that their metadata is in BEER. If it appears in a metadata aggregation and you don’t know anything about Edublob…well don’t attempt to connect to it, and reject all authentication requests from said service!
Yes this is very basic, we but we need to test the boundaries of what basic can achieve via metadata exchange for access management. There are other challenges ahead for BEER. It may be that the very basic level of testing promised – such as domain name checks – may create a service that cannot be maintained. It may be that the trust level is perceived as too low by federations and other consumers of metadata. It is, however, a very important route to try. I can see it being very unpopular with strict security folks, and with those who prefer the notion of monolithic federations, but I’m fully bought up to the idea that fully distributed, self asserted metadata may be the norm in the future (really cloud-y stuff!) and this is a step towards that.
So keep an eye on BEER and have a think about the implications for you if you should consume it.