CACTI notes of Wednesday, August 16, 2023

Attending: Margaret Cullen, Kevin Hickey, Derek Owens, Stoney Gan, John Bradley, Richard Frovar, Rob Carter, Michael Grady, Chris Phillips, Kevin Mackie, Gareth Wood

With: Nicole Roy, Etan Weintraub, Steve Zoppi, Kevin Morooney, Steven Premeau

Regrets: David Walker, Marina Krenz, Erik Scott

  1. Administrivia
    1. Volunteer(s) to scribe
    2. Agenda bash
    3. We have a CACTI open working meeting which will focus on discussion of results from the Next-Generation Credentials Working Group at Internet2 Tech Exchange in Minneapolis the morning of September 20th. Please try to attend TechEx if you can.
  2. Announcements
    1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
    2. (Nicole) June and July minutes approved, thanks all. I will post to the public wiki.
  3. Main Business

    1. Discussion and approval of final report of the Linking SSO Systems Working Group (with Etan Weintraub and Brian Arkills, co-chairs) - Etan can join from 1:30-2:00 ET
      1. Working group has addressed previous feedback provided by CACTI
      2. This report contains good raw material, but it doesn't seem to include much synthesis from the material, nor does it provide much in the way of meaningful comparisons or conclusions. (Margaret from Slack)
      3. Assumptions of the report.
        1. Single login not multiple logins across services.  
        2. MFA was out of scope.
      4. Working group compiled an inventory of linking methods and the consequences of the decision.  Since the working group MS has released their guidance (https://learn.microsoft.com/en-us/azure/active-directory/architecture/multilateral-federation-introduction)
      5. Follow-on work needed in another WG or elsewhere? From Margaret:
        1. Should we suggest another round, to focus on these, to TAC? Or something else?
          1. Documentation of recipes for those strategies, along with guidance regarding the benefits and risks of different strategies and key differentiating and selection factors (e.g. REFEDS MFA support, exposure of relying party identities, SLO, etc.)
          2. Recommendations for improvements to community-sourced (and/or commercial) SSO solutions in support of either reducing the need for or facilitating the linking of SSO systems.
          3. Security and privacy reviews of solutions.  Is this something that should be undertaken? 
        2. Federation Proxies report interplay
          1. When you link two SSO systems together the way the WG considered, you're basically doing the same thing with one of them that a proxy does -- the details are just a little different. (Rob)
      6. Working group report accepted by CACTI
        1. Next steps: AI: Nicole remove the noted two columns, do next steps for publication, send link to final publication place to WG participants/chairs
        2. AI: CACTI leadership: Convey final report to TAC, start a discussion with TAC on next steps, if needed, share our commentary on the remaining gaps and possible next steps with them.
    2. Report-out on next steps for RADIUS security from the eAC (Rob Gorrell) (Rob is confirmed, may be a few minutes late for the call)
      1. Assumptions: Agreement that RADIUS/UDP will likely not be removed from popular products, RADIUS/UDP can be run securely by following certain guidelines, as discussed in the email.
      2. Current working group developing the next version of best practices/baseline expectations.  
        1. Once best practices are established how do we determine the current level of compliance? 
          1. EAC will develop a metric to be reported monthly to assist in determining the gap between best practice and existing deployments.
        2. Gauging behavior first, and comparing against recommendations and building up deployers’ knowledge of best practices is a great first step
      3. There is a risk of allowing any configured device to connect to eduroam.  
      4. Ongoing discussions about geteduroam, eap/tls and certificates and MFA.
    3. Next steps with NIST
      1. Potential NIST representation at TechEX
      2. NIST is working to synchronize the next-gen credentials terminology between the US and EU
      3. NIST participation in the NGCWG.  Use cases from NGCWG should include discussion of trust models.
      4. AI: CACTI leadership ping NIST about the shared terminology doc for VCs/Wallets between NIST and EU. Then, we should promulgate with the next-gen credentials working group for use/alignment.
      5. Also need to engage with NIST on trust model requirements (link to David Walker and Jill Gemmill’s trust model document). Example: A flat PKIX trust model will not work for everything (drivers licenses, as an example; also multilateral SSO federations)
      6. NIST/NIH alignment on identity proofing requirements / IALs
        1. Also discuss how these map to REFEDS assurance levels from the REFEDS Assurance Framework
      7. Discuss 800-63(C) feedback?  Most of our feedback on 800-63 was on the (C) document.
        1. AI: CACTI Leadership: Ask Tom Barton (leader of 800-63 feedback group) to reach out on how our feedback was handled
        2. Related to the discussion about IALs.
      8. Do we have a documented trust model for the existing federation? A protocol neutral way. 
        1. https://incommon.org/federation/trust-model/ 
        2. Also: https://technical.edugain.org/documents 
        3. This could be useful to the discussion of next-generation credentials and other future discussions.
        4. The value of InCommon federation is not SAML, the value of eduroam is not RADIUS.  
    4. Brain-drain / community challenges open discussion
      1. Potential for survey in the future
        1. Timeline may be next calendar year
      2. ACAMP session talking about the topic 
        1. A good piece of the solution but it may not reach all the constituencies we are trying to reach.
        2. Basecamp was created as an onramp to address the “bigger tent vs new tent”
      3. InCommon IAM Online as a possible communication channel
      4. Ask the SO to reach out to their communities for feedback.
      5. A potential report on the number of institutions using eduroam that do not use the federation or certificate services (Kevin M)
      6. (Rob G) The eAC is bringing mini-mobility day Monday at TechEx2023 this year for the first time.
      7. AI (Rob G) TechEx session on this topic.  Is there room?
      8. Subgroup to coordinate / plan the potential outreach. Volunteers: Margaret, Nicole. Others are needed.
      9. https://ifirexman.sifulan.my/# 