CACTI Call Tuesday, March 16, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- John Bradley, Independent
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Kevin Hickey, Detroit Mercy
- Barry Johnson, Clemson
- Chris Phillips, CANARIE
Guests
- Slavek Licehammer, Evolveum
- Nathan Dors, U Washington
Internet2
- Kevin Morooney
- Ann West
- Steve Zoppi
- Nicole Roy
- Emily Eisbruch
Regrets
- Marina Adomeit, SUNET
- Margaret Cullen, Painless Security
- Marina Krenz, REN-ISAC
- Jeremy Perkins, Instructure
- Bill Thompson, Lafayette College
Action items from this call
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
- AI - Rob reach out to leaders of Banner Integration working group to talk with CACTI; AnnW will do an intro with MattB
DISCUSSION
Administrivia
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Upgrade Fatigue
- The CANARIE community is doing Shib IDP v4 upgrades, there is some fatigue in staying current, some want to do this “in the cloud”
- Others noted they also feel Shib IDP upgrade fatigue
- Upgrades in general create workload / fatigue. It’s not just Shib that requires upgrades
- Hope to think strategically about this topic
- AWS reference architecture is helpful, more materials like that would be beneficial
- General topic of “making it easier” is a repeated request
- MikeG: A small percent of clients Unicon works with are using containers; running in a container is not that simple
- This topic of Shib upgrades is related to SAML federation and multilateral federation discussion, slated for next CACTI call, (Federation futures discussion)
MidPoint group - WG / BOF
- The new MidPoint working group charter is taking shape
- Slavek and Bill K are working on the charter
- CACTI agreed on the March 2, 2021 CACTI call that it is OK to move ahead with the group
- There have been conversations on the working group structure
- Decided it should be a CACTI chartered working group
- Target for the first meeting of this new working group is end of March
- Will continue conversations around the process for chartering working groups
- This chartering experience has revealed some gaps
- AnnW: Internet2 Trust and Identity is in the process of hiring a new community success manager, who will look at working group structure / management issues
Banner Working Group
- KevinH joined Banner Integration WG call recently
- May be ready to bring their Banner Integration work to the broader community
- AI - Rob reach out to leaders of Banner Integration WG to talk with CACTI; AnnW will do an intro with MattB
OIDC Working Group
- Rob and others had a good discussion recently with Keith Wessel, InCommon TAC chair, about the OIDC working group, finishing the group’s report, and next steps
- KeithW spoke with NathanD about advancing the final report that was in draft mode
- CACTI can take advantage of the draft report and move it forward, use it as springboard for discussing community interest in OIDC
- It was noted that it will be helpful to focus on use cases we want to support, what are the gaps, in particular for the research side
- There are concerns about the complexity of current suggested implementations
- CACTI to focus on use cases, TAC to focus on technical issues
- Nathan encourages close examination of the use cases
- U Washington has deployed an OIDC plug-in
- Some research communities are already deploying OIDC
- If more people know about the deployments, it could have more impact
- Jim Basney of CILogon might be willing to talk with CACTI about research use cases
- NIH Commons is using technologies including OAuth2 and OIDC to implement a researcher authorization service. Wealth of knowledge there
- There are some use cases; organizations are in the process of getting funding to build out structure
- Nathan: need to find out more about what problems organizations are having.
- Simplifying integration is important, SAML is perceived as complex
- ChrisP: there is related work going on in the OIDF R&E Working Group, https://openid.net/wg/rande/
- There is work in flight about standardizing, Roland H and others are participating
- https://wiki.refeds.org/display/GROUPS/OIDCre
- Is best venue for discussion the OIDC mailing list? SIG? User group? There are discussions on the best way to coordinate those moving forward.
- AI: Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
Secrets Management
- Secrets management has some limits and is expensive
- Came up late last year, and was reinforced as a topic of concern by the Solorigate experience.
- Secrets are everywhere, can’t avoid having passwords, keys
- Concerns on how well they are maintained and managed
- CI/CD (Continuous Integration / Continuous Delivery), containers, and cloud services make proper secrets management increasingly important
- Secrets management impacts the trust side of trust and identity
- Identity services moving into the cloud
- Trust fabric we rely on inside federation relies on proper management of secrets
- If private keys get compromised, this is a serious problem (Solorigate, golden token)
- Managing keys separate from the things that use the keys
- Amazon and Google have services to safeguard keys
- Nicole: this conversation is related to “what do we do about multilateral stuff?”
- Key management is hard with one key
- Without SAML, some parts of key management become easier
- But need to put more work into the IDP
- HSM to secure signing key
- Can provide examples of the best practices in Trusted Access Platform
- IDP as a Service conversation, perhaps provide recommendations around secrets management
- How many orgs represented on the call are using key management solutions? About 5?
- IDPs and SPs both must worry about key management
- Is it hard getting orgs to use cloud infrastructure providers?
- This topic may impact the Internet2 NET+ conversation
- It would be great if we could assert "these providers are doing a good job"
Parking Lot
- "Whither multilateral SAML?"
Next CACTI Meeting: Tuesday, March 30th, 2021