Attending

Members: Marina Krenz, Erik Scott, Stoney Gan, Mike Grady, Richard Frovarp (CTAB), Kevin Hickey, Steven Premeau (TAC), John Bradley, Chris Phillips, Licia Florio

With: Ann West, Kevin Morooney, Nicole Roy, Steve Zoppi, David Walker

Regrets: Rob, Les

  • Administrivia
      1. Internet2 Intellectual Property Agreement reminder
      2. CACTI Charter pointer
  • Agreements:
        1. Please say your name when you start to speak, until we learn each others' voices
        2. Please ask colleagues to define terms, expand acronyms, etc, until we learn each others' jargon
        3. It's ok to challenge your colleagues in pursuit of quality of discourse. Hopefully in a nice way
        4. Please disclose any conflicts of interest you may have in any of the agenda topics, and potentially excuse yourself from the relevant conversations
  • Volunteer(s) to scribe (standing item)
        1. Please use the CACTI scribing doc
  • Agenda bash
  • Announcements
  • Notes approvals needed: if you have not approved or requested modification of the minutes from June 21 and July 19, please do so (Nicole)
    1. Rob, Chris, Nicole meeting with Max Pala from CableLabs re: Post-quantum crypto next week, more to come
      1. AI: Nicole verify it’s OK to share with CACTI, then send to the list if so
      2. Discussion about algorithmic agility being most important thing to think about/plan for
      3. DOCSIS cable modems: 500 million embedded certs; this is what Max is primarily concerned with in his work
      4. Data formats necessary to support new algorithms
      5. Actual algorithms - the data formats (containers) need to accept these algorithms, not sure what those algorithms are yet
      6. Most of the activity outside of the Crypto Forum Research Group (CFRG) is focused on pluggability
      7. There is no one place to have this conversation - very diffuse
      8. Keeping tabs means listening in a few different places
      9. Differences in what is happening at the app level, out of necessity (example: JOSE vs. TLS) W3C/XMLDSIG/etc. Everyone seems more concerned with blockchains and wallets. W3C membership required for work on XMLDSIG, for example. Licia notes membership is EUR7800/year.
    2. Note about renomination and “good people know good people” types of nomination solicitation
      1. Interested in who CACTI members / reps from other groups think would be good to encourage to nominate. We really only have two people who go to IETF that we know of from Europe: Leif, maybe one other. Is this a reflection that work on standardization is happening elsewhere now? It’s a shame for our community to not have more participation in this space. 
      2. Vendors in this space - Microsoft, Okta, etc. With limited staffing on campuses, it’s likely more will go to these types of services. Having their input is useful. We need to understand what they’re doing, but historically we as a community have not wanted IAM disintermediated by private entities. 
    3. Heads-up, next time we will be joined by Etan Weintraub and/or Brian Arkills, and discussing the report-out from the Linking SSO Systems WG, there will be a pre-read
  1. Main Business
    1. From Steve Zoppi in Component Architects group July 25, 2022:
      “Steve: Should CACTI be discussing the higher-education and research position we should be taking on the constellation of these: Self-Sovereign ID / Wallet / WebAuthN / passkey (portable authenticator) / etc ?” Yes.
      1. Here's our running CACTI Topic Tracker Spreadsheet for the backdrop and welcome comments on column L 'what next'.
      2. Shift in Component Architecture in 2023 - officially chartering it, it had come out of the TIER investment from a number of years ago. Steve has been chairing the group. We need to think about how we are going to structure the relationships between the various groups. Today this consists of the principals on the Trusted Access Platform components. Also need to include the InCommon Catalyst program partners - formally extending invitation to them to participate. They represent the community, too. Need to understand both what they and we are hearing from the community.
      3. Providing solutions - Stuff brought up in PAG, Steering, TAC, CACTI, CTAB. Some of this stuff takes years to build, so need to get ahead of this. The topics we choose in CACTI, for example, are really important because they can put changes in motion that have an 18-month window to completion, at the pace that we are able to sustain it. Need to balance resourcing, priorities.
      4. Need to understand what must be focused on. Lots of potential topics: SSID/Wallets/other topics-du-jour. How to get ahead of it in developing actions that can be taken in the components to address the things we *need* to be ahead of, so a solution is available at the time it’s needed. Avoid being reactive. 
      5. Apportionment of features - we also have to worry about adoption of these features, training, etc. These in and of themselves are part of the balance/mix.
    2. Pitching ideas - writing stories to convince stakeholders that something needs to be invested in, but then using the money is very challenging - trying to do the administrative pieces, solicitation, contracting is very, very challenging. Holds true in EU and US. 
      1. Petitioning for greenfield/new stuff - unfunded, will never see light of day
      2. Sustainability challenges at our participant institutions - see them coming 3-5 years down the road, need to plan for these *now*. 
      3. The practitioners within the component architects community have more than enough sustainability work to do on their components. 
      4. High friction to getting stuff started
      5. Demand on services providers/partners is increasing
    3. Example of a trigger for this conversation: The IAM Online on Passkeys. Your point of entry is still a password; you have to have a password to bootstrap your passkey. End up with an administration problem. Building UIs is a big challenge. Do we need to build a UI that expresses capabilities around things like managing Passkeys? Building UIs that work well and are easy for users to navigate takes a long time. So this is an example of a direction: Do we need to go in it? Other? Passkeys is not new, been around for 4 years. MS/Apple branding it differently, yields confusion. We need to translate from jargon into the lingua franca that our community speaks. So, this one is really about WebAuthn. Credential lifecycle. The question is: What does this mean to us? This group needs to think about this with a different outcome in mind: We are going to bind this group and the other governance groups with Component Architects in a new way. Asking to help us get ahead of that somehow, but helping us choose what is on our radar, and that thing needs to stay on our radar and cannot be fluid.
    4. Moving from opportunistic binding to formalized binding of Component Architects
    5. Need a better ranked-list of the things on the spreadsheet above. Whether it be webauthn, quantum, etc. 
    6. AARC blueprint, CACTI priorities, etc. 
    7. Also a question not just of what we can produce in the components, but what the community can afford to deploy. 
    8. All the blueprints we’re seeing look like “as-is” rather than “to-be”. The Null in the Null Hypothesis test we are trying to apply: is this a “to-be” that will fall within the next 18 months? Then great. If it’s outside of that, not of interest to component architects because it has no impact on something actionable. Need to look at things that have a probability of greater than 50%, Gartner probability of > 0.6.
    9. Cryptographic agility is a feature of the architecture, not the architecture itself
    10. “Zero Trust Architecture” → Group-based architecture deployment and the discipline to use it. 
    11. AI: Chris, Rob, Nicole think about next steps: In order to develop the list, what would CACTI need? What and why?
      1. The *base reference* deployment - a coarse diagram of the most common type of assemblage of the components. “This is the most important component”
    12. This is *not* constrained to the software - “Development priorities” can be service-related, too
    13. What can we do to ensure the list is pretty “stable” or minimally evolved for the next 2-3 years or so?
    14. At TechEx: A high-level articulation of the recommendations - maybe. Lot of work in-flight right now. Measure twice, cut once, need some “bake time”. This is not going to be a single event- this is a mode of communication on an ongoing basis between CACTI, Components, other governance groups. 
    1. Subgroup formation? Volunteers needed
    2. Working doc supplied by Apryl Motley, TI Communications Lead
    1. Working group updates (questions only – info to be sent in advance via email)
    2. Strategic investments in the future of (trusted, federated) authentication
    3. Did not get to this item, discuss next time?
      Planning for IAM Online in November: Outsourcing IAM, what do you need to keep in-house?

Next meeting: Tuesday, September 13
