CACTI Call Tuesday, January 19, 2021 

Attending

Members

  • Rob Carter, Duke, (Chair)  
  • Les LaCroix, Carleton College (Vice-Chair)  
  • Marina Adomeit, SUNET   
  • John Bradley, Independent  
  • Margaret Cullen, Painless Security  
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research   
  • Matthew Economou, InCommon TAC Representative to CACTI 
  • Kevin Hickey, Detroit Mercy 
  • Marina Krenz, REN-ISAC   
  • Barry Johnson, Clemson  
  • Jeremy Perkins, Instructure  
  • Chris Phillips, CANARIE  

Internet2 

  • Kevin Morooney   
  • Ann West   
  • Steve Zoppi    
  • Nic Roy  
  • Emily Eisbruch  
  • Mike Zawacki   

Regrets

  • Stoney Gan, University of South Florida
  • Michael Grady, Unicon
  • Bill Thompson, Lafayette College

Discussion


OpenID Foundation Browser Interactions Working Group (Nic)

  • The OpenID Foundation Browser Interactions Working Group recently held its first meeting.
  • The Browser Interactions WG is discussing changes the browser vendors are making to how browsers handle cookies, in the name of privacy protection.
  • The changes present challenges for SSO protocols that rely on those cookies.
  • The changes of concern are happening in Google Chrome. Microsoft Edge (Chromium-based) is also impacted. Apple is also making changes to ITP (Intelligent Tracking Prevention) that impact this.
  • The first call of the Browser Interactions WG was last week.
    • There was strong attendance, including industry representation.
  • From CACTI, Chris Phillips, John Bradley, and Nic participated. It would be good to have additional participation.
    • If interested in this effort, sign up for the openid-specs-ab ("Artifact Binding", aka OpenID Connect) working group
    • Calls are Wednesdays at 2pm ET
    • Nic shared the call invite with the CACTI list
    • There is also a Slack channel on the Internet2 Slack where InCommon TAC is discussing this.
    • Contact Nic if you would like an invitation to that Slack channel

  • John Bradley is encouraging the Google Privacy Sandbox people to participate in the Browser Interactions WG.
  • Privacy Sandbox may be overreaching beyond cookies
  • Google may be interested in filtering authentication transactions to prevent IdPs from taking harmful actions
  • There may be a need to use in-browser Privacy Sandbox hooks
  • But if those hooks don't support SAML assertions, SAML flows could be blocked completely
  • Privacy Sandbox should support different sorts of assertions, not just ID Tokens / JWTs (JSON Web Tokens)
  • There's a risk that SAML will be squeezed out
  • Timeline for the changes? There is already a build.
  • As with the SameSite cookie rollout, the risks are real
  • The SameSite cookie issue arose somewhat suddenly
  • In this case we have more notice
  • In future, Internet2 or CACTI may want to have a formal relationship with the OpenID Foundation Browser Interactions Working Group
  • The charter of the OpenID Foundation Browser Interactions Working Group is to draft a formal response from the OpenID Foundation to Google and other concerned parties.
    • Need to sign an IPR agreement for membership in the OpenID Foundation
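As an added illustration of the cookie-handling changes discussed above (this example is not part of the minutes and is not code from the OpenID Foundation working group or from any browser vendor): a small Python model of the SameSite rules behind Chrome's "Lax by default" change, applied to the requests a SAML login actually makes. The cookie names, the request list and the `cookie_sent` / `sso_cookie_matrix` helpers are constructed for illustration; the rules themselves follow the Chrome rollout (a missing attribute treated as Lax, SameSite=None requiring Secure, and the temporary "Lax+POST" allowance for attribute-less cookies younger than two minutes).

```python
"""
Constructed model of whether a browser attaches a cookie to a request under
SameSite rules, used to show why the Lax-by-default rollout broke SSO flows
that carry state in cookies across the IdP <-> SP hops. Not a browser
implementation; scenario names and cookies are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LAX_POST_WINDOW_SECONDS = 120  # Chrome's "Lax+POST" mitigation for attribute-less cookies


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False
    age_seconds: int = 600    # time since Set-Cookie; only matters for Lax+POST


@dataclass(frozen=True)
class Request:
    description: str
    cross_site: bool   # initiated by a site other than the cookie's own site
    top_level: bool    # top-level navigation (URL bar changes), not an iframe/XHR/img
    method: str        # "GET" or "POST"


def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Return True if a browser following the modelled rules attaches the cookie."""
    mode = cookie.same_site
    if mode is None:
        # Pre-rollout browsers treated a missing attribute as unrestricted;
        # post-rollout Chrome treats it as Lax.
        if not lax_by_default:
            return True
        mode = "Lax"
        # Lax+POST: a freshly set attribute-less cookie still rides on a
        # top-level cross-site POST (transitional mitigation, not a fix).
        if (req.cross_site and req.top_level and req.method == "POST"
                and cookie.age_seconds < LAX_POST_WINDOW_SECONDS):
            return True
    if mode == "None":
        # Chrome rejects SameSite=None cookies that are not also Secure,
        # so an insecure one is never available to send.
        return cookie.secure
    if not req.cross_site:
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site only on top-level navigations with a safe method.
    return req.top_level and req.method == "GET"


# The hops of a SAML Web Browser SSO login, each seen from the cookie's own site.
SSO_REQUESTS = [
    # SP redirects the browser to the IdP with an AuthnRequest (HTTP-Redirect binding):
    # a top-level GET arriving at the IdP from the SP's site.
    Request("AuthnRequest via HTTP-Redirect to IdP", cross_site=True, top_level=True, method="GET"),
    # IdP auto-submits the SAML Response to the SP's ACS (HTTP-POST binding):
    # a top-level POST arriving at the SP from the IdP's site.
    Request("SAML Response via HTTP-POST to SP ACS", cross_site=True, top_level=True, method="POST"),
    # Hidden iframe to the IdP for a session check: cross-site and not top-level.
    Request("Hidden iframe to IdP", cross_site=True, top_level=False, method="GET"),
]


def sso_cookie_matrix(cookie: Cookie, lax_by_default: bool = True) -> Dict[str, bool]:
    """Which login hops still carry the cookie under the given browser rules."""
    return {r.description: cookie_sent(cookie, r, lax_by_default) for r in SSO_REQUESTS}


# Constructed cookies: an SP's pre-login state cookie (request ID / RelayState
# binding) set without SameSite, and the same cookie after the usual fix.
LEGACY_STATE = Cookie("sp_login_state", same_site=None, secure=True)
FIXED_STATE = Cookie("sp_login_state", same_site="None", secure=True)

if __name__ == "__main__":
    for label, cookie, lax in [
        ("no SameSite attribute, pre-rollout browser", LEGACY_STATE, False),
        ("no SameSite attribute, Lax-by-default browser", LEGACY_STATE, True),
        ("SameSite=None; Secure, Lax-by-default browser", FIXED_STATE, True),
    ]:
        print(label)
        for hop, sent in sso_cookie_matrix(cookie, lax).items():
            print(f"  {'sent    ' if sent else 'DROPPED '} {hop}")
```

The middle case is the one that broke SPs in 2020: the redirect to the IdP still works, but the SP's own state cookie is absent when the SAML Response is POSTed back, so the SP cannot match the response to the request it issued. Setting `SameSite=None; Secure` restores the old behaviour, and anything that relies on the Lax+POST window is living on borrowed time.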


GÉANT T&I Incubator 1H2021 board meeting on Jan 25, 2021 (Nic)

  • R&D group; Nic participates
  • See: https://wiki.geant.org/display/gn43wp5/TII+Call+for+Ideas
  • Dashboard: https://wiki.geant.org/display/gn43wp5/Incubator+Dashboard
  • Let Nic know if you have ideas for R&D items for the first half of 2021, via the CACTI discussion Slack channel
  • Marina is involved with the incubator for GÉANT.
  • The incubator looks at topics in a six-month time frame
  • There is a call to the community every six months to propose topics
  • They look at technologies and feasibility; they may produce reports or implement a small proof of concept
  • They prioritize projects of interest to the wider community

Educause Security Professionals Conference (virtual) (via Jill G.)

  • June 8 - 20, 2021
  • IDM track will be available this year
  • Call for Proposals due out in early February

Cloud Services Cookbook refactoring in REFEDS (Guest: Keith Wessel, chair of InCommon TAC)

  • The Cloud Services Cookbook is located in the REFEDS wiki
  • There is an effort to revise/update the Cloud Services Cookbook
  • The Cloud Services Cookbook was produced nearly six years ago by the Big Ten Academic Alliance (then called the CIC), and only minimal efforts have been made since then at updating it.
  • The cookbook was written to be conversational, using plain English
  • Some material needs updating
  • For example, there are mentions of older identifiers
    • eduPersonTargetedID is now deprecated
  • It doesn't include the newer OASIS SAML Subject Identifier attributes
  • The cookbook is too US-specific
  • The cookbook has guides for IdP operators, cloud service deployers, and developers
    • These contain an intro paragraph and links to specific sections of the cookbook.
    • These did NOT get pulled into the REFEDS version, but there is an archive of them; hope to resurrect them
  • There is some overlap between the Cloud Cookbook and the Kantara SAML2Int v2 document.
  • Kantara SAML2Int is more prescriptive
  • Even if a service is in the cloud, there can still be interop needs
  • To help encourage good working deployments, we need to include links to the appropriate reference materials
  • Explain not just the technical motivation, but get more buy-in for the SAML deployment profile
  • Potential topic for the incubator: could GÉANT fund a playground?
  • A playground is in line with the testing tools that InCommon TAC is now prioritizing
  • Like how the AWS reference architecture uses a fill-in-the-blanks approach
  • Suggestion not to use lynda.com as a case study anymore, since it no longer supports multilateral federation
  • The question of "where do I run the IdP?" is not currently addressed in the Cloud Services Cookbook; six years ago there was less identity in the cloud
  • The question of "why do I move to the cloud?" is something REFEDS could discuss during the revamping of the cookbook
  • Suggestion to revisit topics the IdP as a Service Working Group looked at.
  • IdP as a Service talks about the user database (on premise or in the cloud)
  • Add info on bridging between clouds, for example, one cloud for the IdP and another for the Service Provider
  • Comment: expected to see more on the possible exposure of identity info (including location) when moving to the cloud
  • Much of the cookbook is SAML-specific. Should it be more agnostic?
  • Perhaps add an analysis of the safety of running SAML in the cloud, and add best practices around this
  • Suggestion to be protocol agnostic, but add specifics on SAML and perhaps other protocols
  • Issue of how you manage sign-on keys when you don't have a physical DPM.
  • It would be helpful to cover secret management
  • SteveZ: need clarity on the difference between protocol and services. The protocol is just the transport mechanism.
  • There are issues with how people run services, and with looking at secure protocols for transport. A secure backbone is one example
  • Deployment patterns and protocols are sometimes less opaque than they should be
  • Security on endpoints, LDAP protocols, what type of encryption on LDAP and on authentication: looking at all the nuts and bolts
  • The reference architecture should match the concerns here
  • The deployment profile will eventually get baked into the reference architecture
  • Contact Keith (kwessel@illinois.edu) if you are interested in participating in the Cloud Services Cookbook update/refresh


Not discussed at this CACTI call; saved for the next call

  • Questions from CACTI members about last meeting's presentation on committees and InCommon/Internet2 structures (Kevin, et al.)
  • CACTI representative to Trust and Identity Program Advisory Group (Rob/Les/Kevin)
    1. Does CACTI still need a rep on PAG?
    2. Volunteer needed if so
  • Final report of the CACTI OIDC Working Group (Rob)
    • Next steps to get this completed
  • Preferred method of communication between meetings- Slack, mailing list, … ?
  • First major discussion topic of 2021 - please see list of topics that came out of end-of-2020 ideation compiled by Rob (Rob)
    1. eduroam best practices guide as drafted by the eduroam advisory committee


Next Meeting: Tuesday, February 2nd, 2021
