CACTI notes of Wednesday, January 3, 2024

Attendees: Kevin Hickey, Les LaCroix, Judith Bush, Rob Carter, Gabor Eszes, Chris Phillips, John Bradley, Kevin Mackie, Gareth Wood, Margaret Cullen, Tom Jordan

With: Kevin Morooney, Nicole Roy, Andrew Scott, Mike Grady, Steve Zoppi, Ananya Ravipati, Erik Scott, Richard Frovarp, Ann West, David Walker, Rob Gorrell

Regrets: 

Reminders

  1. Transparency is a critical part of CACTI's duty to the community. Please promptly approve or edit minutes (or indicate a reason for disapproval) after they are posted.

    1. Notes of December 3rd, 2023 meeting - Approved! Thanks all!

Pre-Read Materials: 

  1. Final report of the CACTI Next Generation Credentials Working Group

Action Item Review:

 Agenda

  1. Administrivia
    1. Volunteer(s) to scribe
    2. Agenda bash
  2. Announcements
    1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
    2. 2024 CACTI leadership (Nicole)
  3. Main Business
    1. Follow-up on NGCWG final report revision / possible acceptance vote
      1. Additional material is needed.  Will be passed to the working group after revisions are completed.
        1. In-person (offline) vs online presentation is not addressed fully in the report
        2. Typos in report 
        3. The affinity and ROI are not clearly achieved.  
        4. Focus on the trust fabric provided by the Federation. Use cases where all participants are members of the federation. Do use cases that require membership in a particular federation achieve the goals of the technology?
        5. Does the document speak to what happens if we don’t do anything? What are the risks? 
        6. AI. Cover letter for what CACTI thinks is needed for the report. “There is a lot to be done here, how we can move forward”. Frame the need.
        7. Formatting and number conclusions.
        8. Standards bodies need concrete asks, cross federation use cases.  
        9. Community Exchange in March - There are no openings.  Nicole is flywheel for a wallet discussion.  
      2. The report raises the question of what is the next step?  Where should the focus be placed?
      3. Intercampus usage scenarios could be a simple starting point.  Intracampus usage is the focus for Internet2 
        1. Blackboard had a campus card product. It might not be theirs anymore. CBORD is the other big campus card product. We used to use Blackboard at NDSU, and we now use CBORD. For CBORD the physical card is various types of RFID, and there is the idea that you can somehow use the phone to pop open locks on doors through a reader instead of using the DESFire chip on the card.
      4. Discussion on various aspects of the document
        1. DW: use cases may come organically from services that want to use the credential 
        2. JB: core principle – how can we leverage the trust business into these credentials
          1. Use case observation: in person vs online presentment and the technology may be different for different scenarios
          2. Presence of the ‘of age’ presentment activity in both online and in person – the flows are different.
          3. NR: being able to present the ‘offline’ case of the contents of the wallet is a thing but likely an edge case. Not necessarily something to be solved at the beginning but will be something asked about ‘does this fit the use case?’
        3. GaborE: worthwhile separating the in-person/offline presentment suggested as a way to separate things
          1. Recommendations around value proposition being not complete → (NR) TechEx readiness was paramount which 
          2. NR: other challenge – community participation was not the best despite the high profile topic it was.
        4. GaborE: can we highlight the higher value items to handle and then focus on those (paraphrased by scribe)
          1. Ex: The university needs to verify the origin of the transcript from high school 
            1. Is that ‘high school’ part of Internet2 and are they a member that can participate?
          2. Ex2: focus on research collaborations instead to try and 
        5. Marg: we should aspire to not change what the working group said
        6. TomJ <from meeting chat>

A thought for how to classify the use cases as we engage the community:

  1. What things are we doing today that we cannot do in the future, unless we adopt next-gen credentials?
  2. What new things could we do that we can't do now if we were to adopt and support next-gen credentials?
  3. What unique Higher Ed structures / infrastructures are needed for institutions to adopt next-gen credentials?

Just thinking from the perspective of an institution that is trying to evaluate the risks and drivers to determine what's most important.

  1. There is a current gap highlighted by the University and High School use case.  K-12 are not typically members of the federation.
  2. There is an opportunity to experiment.  To figure out where trust resides in this new technology ecosystem.
  3. JohnB: almost all interesting use cases are interfederation use cases which are different from others (AAMVA, the American Association of Motor Vehicle Administrators, “The Drivers’ License People™”, are monolithic and self-sovereign and don’t care about interop with others for the most part). Our use cases depend on interfederated interop.
    1. A view of the world where a verifier is part of one trust hierarchy is not going to work well. 
    2. What are these trust relationships,
    3. how are we going to express them,
    4. how does one get into the trusted circle?
    5. Who verifies the wallets being used?
    6. Observations: what was old is new again and now 
    7. There is some work on pseudo anonymous statistics to have confirmation to have receipt of the claims.
    8. OIDVP to have anonymized stats (OpenID VP)
  4. KevinH: how do we take this report and use it as formative material to other working groups?  
    1. How do we get it out to the community to help instigate more interest?
  5. NicoleR: There’s a process that can help bring the material to the forefront 
  6. KevinH: the intranet use case seems most interesting so campus one card.
  1. Margaret is working on how to get consensus on ‘do we have enough’ to proceed
  2. John B: Things are changing quickly. My concern is if we wait for perfection we may not get anything out. A question is should we have something to present at Community Exchange in March?
  3. ChrisP: expressed some considerations on the gravitas/importance of the work and how can we convey this with the small sampling of things.  CP agrees with John B of not waiting for perfection and TomJ’s suggestion of a cover letter (preface?) that would accompany the work.
  4. JohnB: what are the concrete asks, the use cases that can be used for inputs to the groups that 
  5. NicoleR: wallet panel upcoming  CommX (Community Exchange). No actual CACTI time on it.
  6. Margaret: are there clear enough messages from the material to help inform the panel?
  7. NR: IAMOnline could be a place for the conversation as well
  8. Gabor: Q’s around process → is WG expected to produce the final report? Ans: yes, the group should produce a report and then the output has community review.
    1. Much of what we want out of the process is also about what we want next from the consultation. Which means we [should] know what we want next.
  9. Margaret: some of the cover letter can highlight some of the next steps to have them guide us 
  10. From the chat re: where to bring the use cases: 
    1. OpenID (OID4VC, OID4VCI, Federation), W3C WICG for browser API, ISO around mDL, EU Large Scale Pilots, DC4EU specifically
  11. Gabor: how can we unlock more value from the use cases and then offer pathways to continue to engage
  12. RobC: WG was chartered to come back to CACTI, and we need it to go beyond the CACTI’s walls as we know it today.
    1. If we go the route of cover letter, here’s how it was chartered, what we think it means, and how can we help you move it forward.
  1. Logistics on edits: 
    1. If editing core content, then express as comments
    2. If adding cover material, ok to add in.
  2. CACTI 2024 work plan
    1. Next-generation credentials (see above). Better to discuss after completion of the working group report
    2. Google Chrome third-party cookie turn off (Impacts: SLO, seamless access - discovery service)
      1. Judith explains some of the cookie challenges
        1. Sidenote: Heather Flanagan has an updated slide deck on it here: https://docs.google.com/presentation/d/1xsIC_zxmIKOFHycYiyjic15ukeiNI-WS/edit#slide=id.p1
        2. Discussion on some of the implications 
    3. Privacy enhancing technologies that impact federation authentication.
      1. Some of the video reference material: https://www.youtube.com/watch?v=B3_f9BlA5cs&t=6s  
      2. Meeting notes from W3C: https://github.com/fedidcg/meetings 
      3. Next meeting Feb 9 https://github.com/fedidcg/meetings/blob/main/2024/2024-01-09-agenda.md 
      4. FedCM as a replacement for authentication.  It is not a fit for federated scenarios
        1. What can CACTI do?
          1. Engage with outside bodies
          2. Call to action for the larger community to engage. Educate on threats to SAML?
          3. REFEDS (working group) coordinating response to these issues. If you are interested reach out to Judith  
            1. Wallets can address some of the issues but not all
          4. Framing the risks to the community? 
          5. Internet2 (CACTI) can facilitate entry into the communities where these discussions are taking place.  Getting the right people in the right place
      5. AI  IAM Online with REFEDS to discuss these issues

Next Meeting: Wednesday, January 31, 2024


