CACTI notes of Wednesday, May 24, 2023

Attending: Rob Carter, Marina Krenz, Margaret Cullen, Kevin Hickey, Rob Gorrell, Stoney Gan, Richard Frovarp, Jeremy Perkins, Mike Grady, Chris Phillips

With: Nicole Roy, Steve Zoppi, Ann West

Regrets: John Bradley, Derek Owens, Steven Premeau, Les LaCroix, Barry Johnson, David Walker, Eric Scott, Gareth Woods


Pre-Read Materials: 

  1. NIST IAM Roadmap draft (if you haven't already read it)
  2. Feedback document for NIST IAM Roadmap draft (please add your feedback if you have not yet)
  3. CACTI next items / roadmap slides from Chris P, 2022 TechEx
  4. https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/
  5. https://datatracker.ietf.org/wg/radext/about/ 

Action Item Review:

 Agenda

    1. Administrivia
      1. Please say your name when you start to speak, until we learn each other's voices
      2. Please ask colleagues to define terms, expand acronyms, etc., until we learn each other's jargon
      3. It's ok to challenge your colleagues in pursuit of quality of discourse. Hopefully in a nice way
      4. Please disclose any conflicts of interest you may have in any of the agenda topics, and potentially excuse yourself from the relevant conversations
      5. Please use the CACTI scribing doc
      6. Internet2 Intellectual Property Agreement reminder
      7. CACTI Charter pointer
  • Volunteer(s) to scribe (new standing item)
      1. Agenda bash
    1. Announcements
      1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
    2. Main Business

      1. Status update on Passwordless Authentication and Password Managers blog (Kevin H)
        1. Looking for help on wrapping this up
          1. Volunteers:
            1. Marina Krenz
            2. Rob Carter
      2. Engaging with Connie LaSalle at NIST on information security in the research space (Ann)
        1. President signed the CHIPS Act
        2. NIST asked to engage the community about what’s out there, what’s working, what’s not working
        3. Connected with Ann via Network Services
        4. Breath of fresh air - policy officer in a standards-developing area, willing to think about adoption of standards
        5. Discussed what InCommon is/does, mentioned our longevity and size
        6. Mentioned the next-generation credentials working group, connection with GÉANT, eIDAS 2; NIST is interested in eIDAS 2
        7. Offered NIST participation in our next-generation credentials working group
        8. AI: Margaret will send Ann an invitation to the NGCWG to pass along to Connie/her team
        9. Discussed REFEDS MFA profiles and SIRTFI, sent her pointers to these
        10. NIST is willing to discuss the Roadmap with CACTI.  Possibly attend a meeting; Wed. 21st June may be possible 
        11. AI: Ann will make introductions (Connie, Margaret, Kevin H, Nicole)
        12. Would be good to have 
      3. Status of feedback and next steps for the NIST IAM Roadmap draft (Margaret/Kevin H/Nicole)
        1. This correlates well with NIST's willingness to collaborate.
        2. AI: Nicole Message to CACTI list to clarify who made all comments.  
        3. Document needs to be cleaned up for submission. (Nicole, Kevin, Chris, et al)  AI: Nicole Send rough draft to mailing list, Slack channel
        4. Is there an opportunity for CACTI to share outputs with NIST? Working group reports, IAM Onlines.
      4. Status of and next steps for spinning up next-generation credentials use cases working group (Nicole)
        1. Announcement/invitation is ready to be sent.
        2. Early conversations are promising regarding interest in participation.
      5. Getting the eAC to start thinking about what happens when IETF deprecates RADIUS over UDP (Margaret)
        1. RADIUS as a protocol has several identified security/privacy weaknesses.
        2. The IETF plans to address these weaknesses and this will have an impact on eduroam. Timing is the first half of 2024.  The perception may be that there is a security issue with eduroam.
          1. A response to this perception is required.
        3. The eduroam development call, run by GÉANT, discussed this yesterday (Paul Dekkers runs this call)
        4. Existing privacy controls - anonymous outer identity, wrap everything in TLS.  The controls require user knowledge and action.
        5. Malaysia/Finland have used geteduroam/certs to mitigate a bunch of this. Use client certs. 
          1. Vendors appear to be making it more difficult to utilize client certificates for wifi.
        6. EAC is responsible for the US frontend.  This is a large topic that needs to be divided into workable items.
          1. Are there steps that can be taken to better secure the US portion of eduroam?
  • AI: Margaret Communicate with EAC to begin review 
    1. Priority discussion for next work items (Margaret)
      1. CACTI roadmap slides from December 2022
      2. FedCM is not on the list, yet it is one of the more important discussions currently ongoing.
        1. Status: push to direct browser manufacturers to use a standards process to implement this type of change.
        2. Browsers are moving forward with these technologies.
        3. Internet2 is in the process of joining the W3C in part to address this issue
        4. AI: Add Nicole to next agenda to provide update on FedCM
      3. AI: Margaret, Kevin, Nicole Review the roadmap and create a proposed prioritization at the next planning meeting.

Next Meeting: Wednesday, June 21, 2023
