CACTI Call Nov. 10, 2020
- Tom Jordan, University of Wisc - Madison (chair)
- Jill Gemmill, Clemson (vice chair)
- Marina Adomeit, SUNET
- Rob Carter, Duke
- Margaret Cullen, Painless Security
- Matthew Economou, InCommon TAC Representative to CACTI
- Michael Grady, Unicon
- Karen Herrington, Virginia Tech
- Christos Kanellopoulos, GEANT
- Les LaCroix, Carleton College
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
- Kevin Morooney
- Ann West
- Steve Zoppi
- Nic Roy
- Jessica Fink
- Emily Eisbruch
- Mike Zawacki
- Nathan Dors, U Washington
Action item review:
- AI TomJ reach out to Albert, Janemarie and KeithW around signalling MFA
- Jessica work to encourage a BOF session on the recruiting / hiring process for CAMP or ACAMP
Update from EDUCAUSE Security Professionals conference 2021 planning committee (Jill)
- Theme is transformation
- May 4-6, 2021 online, Call for Proposals will come out in Dec. or Jan.
- Potential messages we may want to promote:
- importance of research in these times
- support of IDM in support of research
Reminder of Virtual CAMP/ACAMP Nov. 16-20, 2020
CACTI nominees for 2021 (Tom)
- Jessica will create ballot in Google forms
- Jessica will email the ballot link to elected CACTI members for vote before next CACTI meeting
- voting results to be discussed at next CACTI call
- Results of the CACTI voting go to Kevin for approval
- Hope to invite new CACTI members for the final CACTI call of 2020.
- In December CACTI will vote on a Chair and Vice Chair
- TomJ and Jill are both rolling off CACTI but will plan to touch base with new chair and vice chair and be available for any support needed
- Jill would like to maintain communication with CACTI in 2021 around the EDUCAUSE Security Professionals conference planning
Federation support for commercial cloud infrastructure (continued from CACTI discussion of Oct 13, 2020)
- How might CACTI approach exploring federation components or services that would aid member institutions in using commercial cloud infrastructure for federated collaboration?
- How to get the community ready for modern and passwordless auth?
- Key factors include
- Identity proofing
- IdP support for encryption and handling of encrypted responses
- Getting strong authentication in place
- The REFEDS assurance framework (REFEDS AF) provides important guidance
- It is better scoped than the old InCommon Bronze and Silver assurance framework
- NIH is heading for level 2 (IAL2) assurance
- Rally around the REFEDS assurance framework (REFEDS AF) and REFEDS MFA, and also look at what’s on the backside for the IdP, including business process
- organizations may not have all the tools to confidently assert the needed attributes.
- Big motivators in the US will be grant funding requirements from NIH or NSF; this would get research community and administrative attention
- Would CACTI encourage CTAB to endorse REFEDS MFA as part of Baseline Expectations?
- Could stand up a template explaining the baseline capabilities for doing “business” with NIH and NSF
- InCommon requires MFA for some roles, not for site administrators
- Should the InCommon certificate service require MFA? See https://spaces.at.internet2.edu/x/7YfdBg
- NIH and New Assurance Requirements in 2021
- Ann: NIH is looking to require MFA in 2021
- Moderate assurance will be required for access to certain NIH services; this will impact research institutions
- At CAMP in November, NIH will be showing a tool to check assurance readiness
- Ann: There will be an NIH presentation at CAMP on Monday Nov 16.
- Goal is to engage the attendees, probably at an ACAMP session, on what it will take to implement this by a certain date.
- Jeff Erickson will lead the discussions.
- Goal is to come out of the sessions with a plan going forward for communication, education, advocacy.
- Identity Proofing
- Is there a need for a standard identity proofing service (Identity Proofer of last resort)?
- Are there services that federations can make available to IdP operators around identity proofing?
- Employment process frequently requires identity proofing
- Need to keep records and pass them through the technology tool chain
- Identity Proofing and Credential Binding are two different processes in some cases
- Login.gov is helpful, but only for US residents
- For global collaborations there remains a big challenge
- Handling authentication for foreign nationals for research collaborations in Europe, Africa and Asia.
- Matthew: Hope to take this up with eduGAIN https://edugain.org/
- Christos: Good news from Europe, the eIDAS service is being used for students and researchers
- Additional Comments:
- "Ready for research" sticker, SSL Labs-type grading?
- Administration asked for this as efforts went online due to COVID-19
- It would be great to have an ACAMP session on this
Not discussed on this call
- Modern auth impacts to EDUROAM - any tasking needed for EDUROAM Steering?
- Aligning our thinking with InCommon TAC around deployment profile requirements (e.g. https://docs.kantarainitiative.org/fi/rec-saml2-Deployment-profile-for-fedinterop.html)
- (From June 9, 2020 call) TomJ - Add as an agenda item for a future CACTI call: Operationalizing containers
Next CACTI Meeting: Tuesday, November 24th, 2020