CACTI notes of Wednesday, May 24, 2023
Attending: Rob Carter, Marina Krenz, Margaret Cullen, Kevin Hickey, Rob Gorrell, Stoney Gan, Richard Frovarp, Jeremy Perkins, Mike Grady, Chris Phillips
With: Nicole Roy, Steve Zoppi, Ann West
Regrets: John Bradley, Derek Owens, Steven Premeau, Les LaCroix, Barry Johnson, David Walker, Eric Scott, Gareth Woods
Pre-Read Materials:
- NIST IAM Roadmap draft (if you haven't already read it)
- Feedback document for NIST IAM Roadmap draft (please add your feedback if you have not yet)
- CACTI next items / roadmap slides from Chris P, 2022 TechEx
- https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/
- https://datatracker.ietf.org/wg/radext/about/
Action Item Review:
Agenda
- Administrivia
- Please say your name when you start to speak, until we learn each other's voices
- Please ask colleagues to define terms, expand acronyms, etc., until we learn each other's jargon
- It's ok to challenge your colleagues in pursuit of quality of discourse. Hopefully in a nice way
- Please disclose any conflicts of interest you may have in any of the agenda topics, and potentially excuse yourself from the relevant conversations
- Please use the CACTI scribing doc
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
- Volunteer(s) to scribe (new standing item)
- Agenda bash
- Announcements
- Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
- Main Business
- Status update on Passwordless Authentication and Password Managers blog (Kevin H)
- Looking for help on wrapping this up
- Volunteers:
- Marina Krenz
- Rob Carter
- Engaging with Connie LaSalle at NIST on information security in the research space (Ann)
- President signed the CHIPS Act
- NIST asked to engage the community about what’s out there, what’s working, what’s not working
- Connected with Ann via Network Services
- Breath of fresh air - policy officer in a standards-developing area, willing to think about adoption of standards
- Discussed what InCommon is/does, mentioned our longevity and size
- Mentioned the next-generation credentials working group, connection with GÉANT, eIDAS 2; NIST is interested in eIDAS 2
- Offered NIST participation in our next-generation credentials working group
- AI: Margaret will send Ann an invitation to the NGCWG to pass along to Connie/her team
- Discussed REFEDS MFA profiles and SIRTFI, sent her pointers to these
- NIST is willing to discuss the Roadmap with CACTI. Possibly attend a meeting; Wed. 21st June may be possible
- AI: Ann will make introductions (Connie, Margaret, Kevin H, Nicole)
- Would be good to have
- Status of feedback and next steps for the NIST IAM Roadmap draft (Margaret/Kevin H/Nicole)
- This correlates well with NIST's willingness to collaborate.
- AI: Nicole will message the CACTI list to clarify who made all comments.
- Document needs to be cleaned up for submission. (Nicole, Kevin, Chris, et al.) AI: Nicole will send rough draft to mailing list, Slack channel
- Is there an opportunity for CACTI to share outputs with NIST? Working group reports, IAM Onlines.
- Status of and next steps for spinning up next-generation credentials use cases working group (Nicole)
- Announcement/invitation is ready to be sent.
- Early conversations are promising regarding interest in participation.
- Getting the eAC to start thinking about what happens when IETF deprecates RADIUS over UDP (Margaret)
- RADIUS as a protocol has several identified security/privacy weaknesses.
- The IETF plans to address these weaknesses and this will have an impact on eduroam. Timing is the first half of 2024. The perception may be that there is a security issue with eduroam.
- A response to this perception is required.
- The eduroam development call, run by GÉANT, discussed this yesterday (Paul Dekkers runs this call)
- Existing privacy controls - anonymous outer identity, wrap everything in TLS. The controls require user knowledge and action.
- Malaysia/Finland have used geteduroam/certs to mitigate a bunch of this. Use client certs.
- Vendors appear to be making it more difficult to utilize client certificates for wifi.
- eAC is responsible for the US frontend. This is a large topic that needs to be divided into workable items.
- Are there steps that can be taken to better secure the US portion of eduroam?
- AI: Margaret will communicate with eAC to begin review
- Priority discussion for next work items (Margaret)
- CACTI roadmap slides from December 2022
- FedCM is not on the list, yet it is one of the more important discussions currently ongoing.
- Status: push to direct browser manufacturers to utilize a standards process to implement this type of change.
- Browsers are moving forward with these technologies.
- Internet2 is in the process of joining the W3C in part to address this issue
- AI: Add Nicole to next agenda to provide update on FedCM
- AI: Margaret, Kevin, Nicole will review the roadmap and create a proposed prioritization at the next planning meeting.