CACTI Call Tuesday, March 16, 2021

Attending

 Members

  • Rob Carter, Duke, (Chair)   
  • Les LaCroix, Carleton College (Vice-Chair)  
  • John Bradley, Independent  
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research  
  • Matthew Economou, InCommon TAC Representative to CACTI   
  • Stoney Gan, University of South Florida 
  • Michael Grady, Unicon 
  • Kevin Hickey, Detroit Mercy 
  • Barry Johnson, Clemson  
  • Chris Phillips, CANARIE    


Guests 

  • Slavek Licehammer, Evolveum 
  • Nathan Dors, U Washington

 Internet2 

    • Kevin Morooney    
    • Ann West    
    • Steve Zoppi    
    • Nicole Roy 
    • Emily Eisbruch  

Regrets

  • Marina Adomeit, SUNET
  • Margaret Cullen, Painless Security
  • Marina Krenz, REN-ISAC
  • Jeremy Perkins, Instructure
  • Bill Thompson, Lafayette College

 

Action items from this call

  • AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to leaders of Banner Integration working group to talk with CACTI, AnnW will do intro with MattB

 DISCUSSION

 Administrivia

Upgrade Fatigue 

  • The CANARIE community is doing Shib IDP v4 upgrades, there is some fatigue in staying current, some want to do this “in the cloud”
  • Others noted they also feel Shib IDP upgrade fatigue 
  • Upgrades in general create workload / fatigue. It’s not just Shib that requires upgrades
  • Hope to think strategically about this topic  
  • AWS reference architecture is helpful, more materials like that would be beneficial
  • General topic of “making it easier” is a repeated request
  • MikeG: A small percent of clients Unicon works with are using containers; running in a container is not that simple
  • This topic of Shib upgrades is related to SAML federation and multilateral federation discussion, slated for next CACTI call, (Federation futures discussion)

MidPoint group - WG / BOF  

  • The new MidPoint working group charter is taking shape 
  • Slavek and Bill K are working on the charter
  • CACTI agreed on the March 2, 2021 CACTI call that it is OK to move ahead with the group
  • There have been conversations on the working group structure
  • Decided it should be a CACTI chartered working group
  • Target for first meeting of this new working group meeting is end of March
  • Will continue on conversations around process for chartering working groups
  • This chartering experience has revealed some gaps  
  •  AnnW: Internet2 Trust and Identity is in the process of hiring a new community success manager, who will look at working group structure / management issues

Banner Working Group

  • KevinH joined Banner Integration WG call recently
  • May be ready to bring their Banner Integration work to the broader community
  • AI - Rob reach out to leaders of Banner Integration WG to talk with CACTI, AnnW will do intro w MattB


OIDC Working Group   

  • Rob and others had a good discussion recently with Keith Wessel, InCommon TAC chair, about the OIDC working group, finishing the group’s report, and next steps
  • KeithW spoke w NathanD about advancing the final report that was in draft mode
  • CACTI can take advantage of the draft report and move it forward, use it as springboard for discussing community interest in OIDC
  • It was noted that it will be helpful to focus on use cases we want to support, what are the gaps, in particular for the research side
  • There are concerns about the complexity of current suggested implementations
  • CACTI to focus on use cases, TAC to focus on technical issues
  • Nathan encourages close examination of the use cases
  • U Washington has deployed OIDC plug in 
  • Some research communities are already deploying OIDC
  • If more people know about the deployments, it could have more impact
  • Jim Basney of CILogon might be willing to talk with CACTI about research use cases
  • NIH Commons is using technologies including OAuth 2.0 and OIDC to implement a researcher authorization service. Wealth of knowledge there
  • There are some use cases, organizations in process of getting funding to build out structure
  • Nathan: need to find out more about what problems organizations are having.
  • Simplifying integration is important, SAML is perceived as complex
  • ChrisP: there is related work going on in the OIDF R&E (Research and Education) Working Group, https://openid.net/wg/rande/
  • Is best venue for discussion the OIDC mailing list? SIG? User group? There are discussions on the best way to coordinate those moving forward.  
  • AI:  Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.


Secrets Management

    • Secrets management tooling has limits and is expensive
    • Came up late last year, and was reinforced as a topic of concern by the Solorigate (SolarWinds) experience
    • Secrets are everywhere; can’t avoid having passwords, keys
    • Concerns on how well they are maintained and managed
    • CI/CD (Continuous Integration / Continuous Delivery), containers and cloud services all make proper secrets management increasingly important
    • Secrets management impacts the trust side of trust and identity
    • Identity services moving into the cloud
    • Trust fabric we rely on inside federation relies on proper management of secrets 
    • If private keys get compromised, this is a serious problem (Solorigate, where a stolen signing key let the attacker mint "golden" tokens)
    • Manage keys separately from the things that use the keys
    • Amazon and Google have services to safeguard keys
    • Nicole: this conversation is related to “what do we do about multilateral stuff?”
    • Key management is hard even with one key
    • Without SAML, some parts of key management become easier
    • But more work then needs to go into the IDP
    • Use an HSM to secure the signing key
    • Can provide examples of the best practices in Trusted Access Platform
    • IDP as a Service conversation, perhaps provide recommendations around secrets management
    • How many orgs represented on the call are using key management solutions? About 5?
    • IDPs and SPs both must worry about key management
    • Hard getting orgs to use cloud infrastructure providers?
    • This topic may impact the Internet2 NET+ conversation
    • It would be great if we could assert "these providers are doing a good job"
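The two design points raised above, keeping keys separate from the code that uses them and coping with rotation, are shown in the added example below. It is not from the call or from any Internet2 software. It sketches a small key-custody service of the kind an HSM or a cloud KMS provides: callers get an opaque key id and a sign/verify interface, never the key bytes, and a rotated key stays verifiable during an overlap window (as SAML metadata carries both old and new certificates during a rollover) and is rejected after it retires. HMAC-SHA256 from the standard library stands in for the RSA/ECDSA signing a real HSM would do; the KeyCustody class, its method names and the sample assertion are hypothetical.

```python
"""Added example (not from the CACTI notes): a minimal key-custody service.

Key material lives only inside KeyCustody. The code that signs (an IdP,
say) holds a key id and calls sign(); verifiers call verify(). Rotation
keeps the previous key verifiable for an overlap window and rejects it
afterwards. HMAC-SHA256 stands in for asymmetric signing; names are
hypothetical.
"""
import hashlib
import hmac
import secrets
import time


class KeyCustody:
    """Holds secret key material; callers get opaque key ids, never bytes."""

    def __init__(self, overlap_seconds=3600, clock=time.time):
        self._keys = {}          # key_id -> [secret_bytes, retire_after_or_None]
        self._current = None
        self._overlap = overlap_seconds
        self._clock = clock      # injectable so tests can advance time

    def create_key(self):
        """Generate a fresh key inside the service and make it current."""
        key_id = secrets.token_hex(8)
        self._keys[key_id] = [secrets.token_bytes(32), None]
        self._current = key_id
        return key_id

    def rotate(self):
        """Make a new current key; the old one verifies until its overlap ends."""
        old = self._current
        new = self.create_key()
        if old is not None:
            self._keys[old][1] = self._clock() + self._overlap
        return new

    def has_key(self, key_id):
        return key_id in self._keys

    def sign(self, data):
        """Sign with the current key only. Returns (key_id, hex mac)."""
        key_id = self._current
        secret = self._keys[key_id][0]
        return key_id, hmac.new(secret, data, hashlib.sha256).hexdigest()

    def verify(self, key_id, data, mac):
        """Accept current keys and rotated keys still inside their overlap window."""
        entry = self._keys.get(key_id)
        if entry is None:
            return False
        secret, retire_after = entry
        if retire_after is not None and self._clock() > retire_after:
            return False                      # retired key: no longer trusted
        expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def purge_retired(self):
        """Drop key material whose overlap window has passed."""
        now = self._clock()
        for key_id, (_, retire_after) in list(self._keys.items()):
            if retire_after is not None and now > retire_after:
                del self._keys[key_id]


def rollover_demo():
    """Walk one key through create, sign, rotate, overlap and retirement.

    Uses a controllable clock so the window can be advanced without
    sleeping. Returns a dict of boolean outcomes, all expected True.
    """
    now = [1_000_000.0]
    custody = KeyCustody(overlap_seconds=3600, clock=lambda: now[0])
    # Constructed sample payload standing in for a signed SAML assertion.
    assertion = b"<saml:Assertion ID='_constructed-example'>...</saml:Assertion>"

    custody.create_key()
    kid_old, mac_old = custody.sign(assertion)
    custody.rotate()
    kid_new, mac_new = custody.sign(assertion)

    results = {
        "old_valid_during_overlap": custody.verify(kid_old, assertion, mac_old),
        "new_valid": custody.verify(kid_new, assertion, mac_new),
        "tampered_rejected": not custody.verify(kid_new, assertion + b"x", mac_new),
        "wrong_key_id_rejected": not custody.verify(kid_new, assertion, mac_old),
    }
    now[0] += 3601                            # step past the overlap window
    results["old_rejected_after_retirement"] = not custody.verify(kid_old, assertion, mac_old)
    custody.purge_retired()
    results["old_key_purged"] = not custody.has_key(kid_old)
    results["new_still_valid"] = custody.verify(kid_new, assertion, mac_new)
    return results


if __name__ == "__main__":
    for name, ok in rollover_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that sign() never takes a key id from the caller and verify() never returns key material: the application cannot pick an old key by mistake and cannot leak the secret even if it is compromised, which is the property an HSM or KMS gives a Shibboleth IdP signing key. The overlap window is what makes rotation survivable when relying parties refresh metadata on their own schedule.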

Parking Lot

  1. "Whither multilateral SAML?"


Next CACTI Meeting: Tuesday, March 30th, 2021
