Notes and Action Items, AAC Call of 27-Sept-2017


Attending

  • Brett Bieber, University of Nebraska (chair)
  • Tom Barton, U. Chicago
  • Ted Hanss, University of Michigan
  • Chris Whalen, NIH / NIAID
  • Ann West, Internet2
  • Emily Eisbruch, Internet2

Action Items:

[AI] (Brett) draft an updated AAC charter

[AI] (Tom) ask new campus interested in bronze certification the bronze survey questions

[AI] (Ann) prepare quick list of InCommon participants in various buckets based on the InCommon fee structure. [Done. Linked into the AAC wiki homepage.] Sept 20 2017 list of InCommon Participants

[AI] (Ann) consult with Internet2 Legal Dept. about the InCommon FOPP and InCommon Participation Agreement changes suggested for Baseline Expectations (Ann will work on this after 2017 TechEx)

[AI] (Brett) clarify who can contact InCommon support about a baseline expectations concern. (Done, participant or member from organization)

[AI] (Brett) move some of the details (regarding contacts/metadata and process to notify InCommon Community)  to an operational appendix in the Draft Processes to Implement and Maintain Baseline Expectations  (Brett started this)

[AI] (Brett) make additional updates to the Diagram, Community Dispute Resolution Process
[AI] (Tom) develop guiding principles for dispute resolution process
[AI] (Brett) develop thought piece for InCommon Steering regarding approach around supporting available profiles

 

DISCUSSION

Planning for Community Assurance Call of Wed. Oct. 4, 2017

  •  Title: Refocusing Community Guidance of InCommon's Trust Programs: Baseline and Bronze
    •  Baseline Expectations and AAC responsibilities
      Membership changes needed in the AAC
      Survey results of InCommon Bronze members
      Adjustments to AAC charter and recruitment of new members
  •  Brett send reminder email on Oct. 2
  • Promotion for the Oct 4, 2017 Assurance call:
  • Dean needs slides for the Assurance Call  Tuesday, Oct. 3 at noon ET
    • Brett will share the Assurance call  slides with the AAC in advance
  • TomB: we want to promote idea of AAC as a community forum and  the idea that the AAC represents the community. This can help pave the way to recruiting new AAC members. The AAC will have an important facilitation role for the whole community, especially as we start to implement Baseline Expectations.  
  • Q: What has been the past process for soliciting AAC members?  A: The AAC does outreach to the community to solicit applications. The AAC charter specifies categories of members (SP representative, IdP representative, auditor, InCommon staff, etc.). Then the AAC creates a roster of proposed new members and submits this list to InCommon Steering.
    • It was noted that there is an interesting model with eduGAIN voting. Perhaps the community should be more involved in selecting AAC members, with the advent of baseline expectations.
    • It is reasonable to hope that there may be increased  community interest in serving on the AAC with Baseline Expectations becoming the focus. 
    • Should we consider a rebranding of the AAC  and perhaps  change the title of the AAC? Perhaps the name should emphasize elevating the trust level and value of the InCommon Federation. 

  

Updating the AAC Charter and Recruiting New AAC Members

  • Link to AAC charter
  • Brett’s charter copy with highlighted areas
  • Areas where we need to update the AAC charter (Brett)
    • Description: Oversight body of InCommon Assurance program
      • (may need to keep this part but need to expand our purpose)
    • Membership 
      • Representation from the community
      • Technical expertise / technical experts
      • Should we have a security expert on the AAC? Security is an important component. We may or may not need one designated person for this however.
    • Duties
      • We may want to add additional items to cover Baseline Expectations, though don’t want to become too detailed
      • Consolidate the Assurance Profile items into a single bullet

    • Criteria for success: Should this be in the charter going forward?  See section 3 in current charter.
    • Membership Expectations: stress that maintaining confidentiality can be important as sensitive matters may come before the AAC, for example in the area of dispute resolution.
    • Voting Requirements section - mention the possible need to recommend that an entity should be removed from metadata?  Specify a threshold needed?  This is related to how many members will be on the AAC

  • Timeline for updating the charter and getting Steering approval
    • Preliminary timeline stated that the AAC would finish work on revised charter by end of Nov and InCommon Steering would ideally accept charter by end of Dec
    • Ann mentioned at the Steering Exec meeting on Monday Sept. 25, 2017 that the AAC will be revising its charter.  Steering would like an update on the Oct 9 Steering call with a Steering vote  on Nov. 6.
    • Brett agrees with this timeline
  • Should the updated AAC charter go through community  consultation?
    • The AAC will discuss this on next call
  • [AI] (Brett) will draft updated AAC charter

 

Bronze survey and recommendations

https://docs.google.com/document/d/1XWVYR30oG_CWV98iNUbyWNyzCHyp4xma4VPD9o9DAZo/edit#

Tom Barton reached out to do a survey of the  5 bronze certified schools

  • Received written response from 2
  • Two others spoke with Tom on phone

So Tom received feedback from 4 out of 5 of the bronze campuses

Summary of the feedback:

  • Main benefit: Bronze is useful to define best practice IAM program on campus
  • Also the recognition of being bronze was useful in some cases
  • They all acknowledged that there is no LOA needed online and may not be anytime soon
  • They were not familiar with Kantara's assurance program
  • They agree that Baseline and SIRTFI are useful programs 
  •  Many are engaged with NIST SP 800-171 Federal Information Security Modernization Act (FISMA)
    • It would be helpful if there was outside guidance on the IAM aspects of NIST SP 800-171
  • Identity proofing guidance would be useful

  

Baseline Expectations Communication Planning

Baseline Expectations 

  • Blog posts or webinars on various aspects of Baseline, need volunteers to work on these
    • Contact information (done, Tom)
    • Metadata UI, e.g. Logo
    • Privacy URL
    • Community Consensus areas, e.g. Security
    • SP specific items

Next AAC Call:  Wed. October 11 at 4pm ET

 

 

  
