CACTI notes of Wednesday, March 29, 2023
Attending: Les LaCroix, Marina Krenz, Derek Owens, Kevin Hickey, Richard Frovarp, Rob Gorrell, Rob Carter, Erik Scott, Chris Phillips, Gareth Wood, Stoney Gan
With: Steve Zoppi, Nicole Roy, David Walker, Ann West
Regrets: Margaret Cullen (maybe), John Bradley, Steve Premeau, Barry Johnson
Reminders
- Transparency is a critical part of CACTI's duty to the community. Please promptly approve or edit minutes (or indicate the reason for disapproval) after they are posted.
Pre-Read Materials:
- See working doc on verifiable credentials and wallets for pre-reads and initial asynchronous discussion and fact-finding ahead of the call
Action Item Review:
Agenda
- Administrivia
- Please say your name when you start to speak, until we learn each other's voices
- Please ask colleagues to define terms, expand acronyms, etc., until we learn each other's jargon
- It's ok to challenge your colleagues in pursuit of quality of discourse. Hopefully in a nice way
- Please disclose any conflicts of interest you may have in any of the agenda topics, and potentially excuse yourself from the relevant conversations
- Please use the CACTI scribing doc
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
- Agreements:
- Volunteer(s) to scribe (new standing item)
- Agenda bash
- Announcements
- Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
- Main Business
- FedCM report-out and next steps (Nicole/Chris P)
- FedCM (protocol)
- The thing we’re trying to help with, to enable “lowering shields” that the browser may have imposed, in the context of user-trusted single sign-on
- FedIDCG (community group in the W3C)
- Curation of the work
- Trying to get the W3C group to understand why we’re suggesting a change to FedCM to support massive numbers of IdPs (as we have in R&E feds)
- FedCM is embedded in Chrome already (108+)
- W3C membership is free if you wish to contribute
- Proof that our community can have a positive impact in industry if we are open to participating
- Passwordless authentication blog post - gaps and next steps (Kevin H)
- Still in-progress - but time is a bit freed up, will work on this asap
- Helpful to describe where password managers live in the ecosystem of “authentication stuff” - may be useful to distinguish password managers from other stuff, “here’s where they’re useful”
- Verifiable credentials and digital wallets
- Revisiting action items from last time:
- We need to map out where we want to be in the next couple months:
- Spinning up a sub-group: Kevin Mackie, Chris Phillips, Rob Carter
- Model for engagement: The 800-63-4 review group
- Do we need an R&E-specific wallet, or just R&E specific credentials?
- It’s likely more about the communities that we serve - will this be a method that they want to use?
- First to-do from a use-case perspective: Think about the scenarios in which our communities might interact with these things. Example: Student shows up with a digital driver’s license at orientation/registration. What do we do with that? Example: Student shows up and wants us to issue a credential into a wallet that they already have (Google, Apple wallets, etc.)
- Is this a sufficiently narrow scope to be able to write a charter? Yes
- Yes. Would probably like to select a popular / well-suited use case on which to base a proof-of-concept implementation.
- Student ID is an example. Use existing digital wallets to start but don’t exclude the possibility of an educational digital wallet in the future
- Do we want to worry about all functions of a wallet, or only certain? These questions will likely be answered by the use-cases gathered.
- Protocol translation - at the wallet level, at the proxy level, etc.
- How do Shib/TAP fit into the solution space? Do
- Discussing a bit with NSF large facilities people
- Proof of “academic-ness” or “government-ness” to hotels or other entities for discounts
- Alumni accounts - “cradle to endowment” - email access for alumni to their .edu email address
- Revocation
- Policy around disclosure
- What do we want to do about this in the next three months?
- POC of use case
- User control of attribute release
- Potential partners. Cirrus Identity, MS - Entra
- Divvying up the work / working groups
- Use case development - open working group with the community
- Drafters of charter:
- Rob Carter
- Marina Krenz
- Kevin Mackie
- Chris Phillips
- Nicole Roy
- Kevin Hickey
- AI: Nicole will get this group together to draft a charter - would be good to note the unique things that VCs/etc bring to the table - user-centric/privacy-preserving stuff. [DONE]
- 90 to 120 day scope
- Report back to CACTI regularly
- Culminate as an update at TechEx in September
- Members from all over our larger community
- AI: Nicole grab CACTI a working/open meeting time slot at TechEx [DONE]
- Goal: Charter done before our next call; Will iterate on it in the slack channel
- AI: All: Plan to attend TechEx in Minneapolis in September
- Other working groups?
- Internet Identity workshop (date/time?) Opportunity to discuss this topic with a wider audience - April 18-20th, Mountain View, CA
- “What is the concept we want to prove?” - trying to find a use case that involves the more explicit control that a user has over the release of their information.
- Privacy-preserving controls and revocation. How is use restrained once the credential has been placed into the wallet?
- Additional subtopics?
- AI from last call: Go over the output from last year - Chris and Rob C’s discussion at TechEx. Things that we may want to prototype in this space?
- 20221207-ChrisPhillipsRobCarter-TandIOutlook2022.pptx - Google Drive
- TLS cert lifetimes getting shorter again - Browsers want to go down to 90-day cert lifetime
- eduGAIN governance model changing - scalability
- 802.1x authentication using FIDO tokens (eduroam)
- IETF extension to RADIUS to allow BGP type of routing. Margaret interested
- https://www.eduvpn.org/ (Gareth Wood) Update moving forward.
Next Meeting: Wednesday, April 26, 2023