Attending
 

Members

  • Chris Phillips, CANARIE  (chair)
  • Warren Anderson, University of Wisconsin-Milwaukee /LIGO   
  • Tom Barton, U Chicago   
  • Rob Carter, Duke   
  • Nathan Dors, U Washington  
  • Jill Gemmill, Clemson   
  • Ann Harding, SWITCH/GEANT  
  • Karen Herrington, Virginia Tech     
  • Todd Higgins, Franklin & Marshall College   
  • Christos Kanellopoulos, GEANT   
  • Les LaCroix, Carleton College     


Internet2

  • Kevin Morooney   
  • Ann West   
  • Steve Zoppi    
  • Emily Eisbruch   

 Regrets: Tom Jordan, U Wisc - Madison 


DISCUSSION
 

Trust and Identity Roadmap - influencing the future

  • A dialogue on the recent SAML security issue and its impact.
  • XML tooling that Shib and others rely on
  • Is there an opportunity to improve things in the trust and identity space?

  • What is the impact or ongoing impact to the T&I space (TIER?, FedOps?)
  • LIGO: not much of a hit from this security issue; updated packages with patches. LIGO has mostly internal encrypted traffic.

  • Campus perspective: hard to verify every SP covered by campus has been updated. Long tail. Impact is felt by the SP as well.  Question: do we need a better mechanism to monitor SP operations? 

  • What kind of tools are available to see what version of software an SP is running? What are processes for enforcing trust within the federation?

  • Tools -- depends on the threat and risk and on what level of penetration testing is done.

  • There was an issue that the repositories providing patches were down for a period. 

  • IDP operator perspective: I must trust my SPs will perform the needed updates 

  • Baseline Expectations http://doi.org/10.26869/TI.34.2 talks about good security practices… this specific issue  could be part of the community consensus process. 

  • Are all SPs alike from perspective of the federation? Services versus academic collaborations? 

  • SIRTFI participation can be a good indicator of trustworthiness. But SIRTFI is not complete. It requires people and infrastructure and mindset. https://refeds.org/sirtfi
  • At some campuses, a lot of SPs are not members of InCommon

  • Is CACTI the right place for this conversation within Internet2?

  • It was noted that the InCommon federation is developing a stance on monitoring and how to address security incidents.
  • Shannon Roddy,   Security Lead for Trust and Identity, has reached out to InCommon participants to mitigate risk around security incidents such as ROBOT.  

  • ChrisP: need to operationalize security within federations

  • Tool: https://github.com/SAMLRaider/SAMLRaider
  • Where could we advance security in T&I?

  • Noted that TIER Security and Audit Working Group is in the CACTI workplan   
  • For next CACTI call, discuss what might be the outputs of a Security Working Group?  


OIDC & interests in trust and identity 

  • Roland has reached out to ChrisP around leaving a solid foundation at The OpenID Foundation. http://openid.net/foundation/
  • The OpenID Foundation is the home for other industry “profiles” of OAuth and OIDC, including the HEART (healthcare) profile, International Government Assurance (iGov) profile, and Financial API. 

  • Recall that OAuth and OIDC are complex frameworks

  • Recall that a “profile” or “profiling” is “the process of adding to or modifying standards to tailor them for a specific use through changes such as additional requirements, making optional features mandatory, or specifying implementation details left unspecified in the original standard”

  • Currently, the OIDC/OAuth working group is addressing this question as part of its “guide standardization” objective; see home page; the WG’s roadmap shows reviewing existing standards and profiles between Jan-May. Is iGov profile good enough, or do we need to rethink certain areas for our federation?

  • Nathan: collecting learning materials around OIDC and existing profiles is also important. Some expertise gap.

  • Could fit into the “identerati” part of CACTI charter/roadmap 

  • Reach out in our professional networks to find individuals who can do the kind of work Roland has done, such as creating profiles and libraries.

  • We may need an eduprofile to differentiate our sector from iGov


Nathan: additional expertise would be helpful on the OIDC-OAuth Deployment Working Group.
Would creating a profile for R&E under the OpenID Foundation reap a stronger result than doing it within our usual space?


Status  on monthly reports from working groups


  • First draft to be sent to CACTI on Friday morning. We’re in the process of getting reports back from the WG chairs.



2018 Global Summit: CACTI is tentatively scheduled for Tuesday, May 8, 2018 at 7:30AM-8:30AM

 


Next CACTI Call:  Tuesday, March 20, at 11am ET