CACTI notes of Aug. 17, 2021

Attending

Members

  • Rob Carter, Duke, (Chair)   
  • Les LaCroix, Carleton College (Vice-Chair)   
  • John Bradley, Independent   
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research   
  • Matthew Economou, InCommon TAC Representative to CACTI   
  • Michael Grady, Unicon   
  • Kevin Hickey, Detroit Mercy   
  • Marina Krenz, REN-ISAC   
  • Barry Johnson, Clemson    
  • Chris Phillips, CANARIE    

Internet2 

  • Kevin Morooney   
  • Ann West    
  • Steve Zoppi, Internet2   
  • Emily Eisbruch   
  • Netta Caligari  

Regrets

  • Marina Adomeit, SUNET
  • Margaret Cullen, Painless Security
  • Stoney Gan, University of South Florida
  • Jeremy Perkins, Instructure
  • Bill Thompson, Lafayette College
  • Nicole Roy, Internet2  

Action items

  • AI Rob - touch base with Marina K to schedule Discovery / Seamless Access as a future topic for CACTI (Action Item from Aug 17, 2021)
  • AI Rob - reach out to JohnB and Shilen about the U2F issue (Action Item from Aug 3, 2021)
  • AI Rob, Les and Nicole - work on putting structure around the discussion of CACTI Spheres of Influence (Action Item from July 20, 2021)
  • AI Rob and Les - slot the user-centric identity topic into a future CACTI agenda (Action Item from March 30, 2021)
  • AI Rob - reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC (Action Item from March 16, 2021)

Discussion

Administration


2022 CACTI nominations and voting (Netta and Rob)

  • CACTI terms are three years  
  • CACTI can have 9 to 15 members per the charter
    • There is the possibility to add more members to CACTI 
  • Nominees must be in place by October
  • There is a nominations and voting process, that Netta Caligari will administer
  • Two upcoming opportunities to reach out to the community to potentially inspire interest in joining CACTI:


InCommon TAC update (Les)  

  • InCommon TAC minutes: https://spaces.at.internet2.edu/x/_QHkAg
  • TAC has recently discussed InCommon Discovery Service
  • Some changes are required, and the choices are being looked at
  • SWITCH, which produced SWITCHwayf, the software the InCommon Federation uses for its Discovery Service, will no longer be maintaining the code
  • InCommon cannot take on maintaining this code
  • Seamless Access could become the discovery service for InCommon
  • Uncertain whether InCommon would join the Seamless Access Content Delivery Network (CDN) or run its own discovery service (a copy of Seamless Access)
    • InCommon does not want to lose visibility; some concern that InCommon branding would become invisible
  • The current InCommon discovery service is only used by a small number of service providers
  • We could promote this new seamless, consistent, standardized approach to align user experience
  • Seamless Access approach came out of the publisher community
  • Are there newer and better features in the Seamless Access discovery service?
    • Presentation to end user is improved
  • Marina Krenz is on the Seamless Access team, now as product manager
    • Third-party access affects usage of Seamless Access when it is integrated on the SP side
    • From the SP side, information kept in local browser storage (not in cookies) cannot be fetched; it can be visible in the Seamless Access Central Discovery Service, but not in the button
  • Some browsers have postponed the decision to ban third-party access; for Chrome, by two more years
  • Seamless Access is looking at implementing workarounds when needed

  • Chris P: the Canadian Access Federation uses SWITCHwayf with a Docker container
  • Some constituents want everything in the federation, or they want to run their own discovery service
  • In Azure, discovery is ironclad
  • Is this a slippery slope?
  • Are we limiting access for new services?
  • Some organizations don’t want to sign in with federated credentials
  • Many do their own thing and use embedded discovery service

  • KevinM: can't imagine eduroam without a ubiquitous single SSID
  • It would be good to have homogeneous discovery everywhere, deployed the same way.
  •  It would look more like eduroam.
  • Could be game changer for federation

  • Seamless Access is being run by GEANT
  • All national federations are engaged
  • MarinaK is happy to be part of ongoing conversations
  • In the Seamless Access roadmap: the ability for an SP to filter the IdPs available
  • Branding requirements are being looked at 
  • AI Rob - touch base with Marina K to schedule Discovery Service / Seamless Access as a future topic for a CACTI call
  • Thanks to Les for the update

Post IAM Online on Secrets, Supply Chains, and Securing Trust in the New Normal - discussion and next steps (Rob)

  • Recording from Aug 11, 2021 IAM Online: https://internet2.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=8febcb33-8bce-4e4a-9cb2-ad8200e75a10
  • Thanks to everyone who helped with / spoke at the IAM Online
  • About 50 attendees
  • Got through slide deck and had time left over
  • Last slide was on “how can you get involved”
  • Now CACTI should think about how to create spaces for continued engagement
  • Potential New Working Groups? 
    • Suggested spinning off working groups under CACTI to talk about specific aspects of this
    • Good idea: working groups should focus on security and privacy
    • Suggestion that working groups should be narrowly focused and have an end date in mind
    • A working group to develop a Deployment Guide, like the Grouper Deployment Guide, for Shib or other tools
    • SteveZ: the Component Architects group has been discussing Grouper Deployment Guide equivalents for Shib and other tools; curation of a deployment guide must involve the developers
    • Matthew: would like to see a comprehensive guide on what a DevOps deployment should look like, end to end
    • Matthew would like to help create this
    • Rob: should CACTI flesh out what deployment guides should cover?
    • Chris: Conversation started around secrets management and supply chain
    • Agreed we need to scope any working group appropriately
    • SteveZ: concern on creating documents that are quickly obsolete
    • ChrisP: Push to patterns, not things
    • Kudos to the Shibboleth Consortium and the Trusted Access Platform team for looking at patterns and abstractions as part of running IdPs as a service
    • Ann noted that there is a DevOps course in Canvas that will be free and available
      • A working group could look at and review this DevOps course
      • The material exists now but is not yet available to the public
      • The DevOps course has been delivered for two years to the Collaboration Success Program participants
    • Discuss more in future meetings


Not discussed at this CACTI call:

  • CACTI “Spheres of Influence” inventory and gap analysis (suggested by Kevin Morooney on June 21 call)



Next CACTI Meeting: Tuesday, August 31, 2021
