CACTI notes of Wednesday, March 6, 2024 (CACTI Open Meeting at 2024 Community Exchange)

Attendees: Margaret Cullen, Tom Jordan, Gabor Eszes, John Bradley

With: Steve Zoppi

Regrets: everyone else

And non-member guests: Dmitri (DCC), Amy Apon (NSF/Clemson), Martin (SURFnet), BennO (SCG)

  1. Quick overview of CACTI and its mission and goals
  2. CACTI 2024 Priorities
    1. InCommon Futures2 Report
    2. Cont. Next-Generation Credentials
    3. Cont. eduroam Advisory Committee
  3. Digital University IDs in the US
    1. Mostly proprietary, not interoperable
    2. Some movement to standardize these using the mobile drivers license protocol
    3. Often these are a separate, parallel identity issuance (and consumption) ecosystem distinct and not directly integrated (in technology and lifecycle) with existing IAM ecosystems
    4. Maybe other ecosystems? What do we focus on?
  4. TomJ: We should work on all of these but primarily standardization.
  5. JohnBradley: It may be a bad idea to overload a credential for all sorts of disparate uses. It’s okay that some of these technologies are used in specific ways. We are not to assume that everything will boil down to one credential.
  6. Dmitri: CACTI has an opportunity to highlight what’s happening in emerging standards.
  7. Dmitri: Keep the OpenWallet foundation on radar. They’re curating open source implementations of software for this.
  8. Dmitri: CACTI has the opportunity to fulfill a needed niche: host directories for mapping for institutions, i.e. trust registry.
  9. TomJ: We talk a lot about establishing trust; we don’t talk a lot about discovery.
  10. GaborE: the trust registry is a natural extension of the SAML trust federation work InCommon is already doing. Maybe this is more at home at CTAB or TAC.
  11. (some discussion about working groups and where to home the work)
  12. SteveZ: We can bring in work (i.e. catalysts) if we need to.
  13. SteveZ: We’re not wedded to SAML. Our work and our community transcend protocols.
  14. TomJ: I need to:
    1. Help my institution understand what the future looks like
    2. Give them a blueprint for how to achieve that future
    3. If there are gaps in the process, let’s have a community to learn from
  15. Quick introduction of non-CACTI folks
    1. Dmitri (Digital Credentials Consortium/MIT)
      1. Working directly on protocols for digital identities
    2. Amy Apon (NSF/Clemson)
      1. Rotator from Clemson to the NSF
      2. Clemson uses digital credentials almost exclusively
      3. NSF has a couple programs relevant to this committee
        1. CC* – campus cyberinfrastructure
        2. CICI – cybersecurity innovations for cyber infrastructure
    3. Sakane (Japan Academic IDM Federation)
      1. Interested in interop / policy
      2. Developing an auth proxy
      3. Interested in the topics CACTI is currently covering
    4. Martin (SURFnet NL)
      1. Works on eduGAIN delivery
    5. BennO (SCG, catalyst)
      1. Q: In a previous project they merged campus card identity with digital IAM identity… Previously the topic of a physical ID card at e.g. an Internet2 conference never really came up… what are the use-cases we are interested in for the federated community consuming physical identity?
  16. TomJ: Perhaps we need to think of Wallets as holding local credentials AND federated credentials.
  17. (discussion about federation use-cases vs. institutional use-cases and the unintended consequences of using one type of credential outside of the contexts for which it was intended)
  18. John Bradley: we’re working on a wallet selector (and the notion of it) to select the intended wallet for the transaction
  19. Margaret: this further overloads the term ‘wallet’, creating user confusion
  20. Dmitri: we’re coming back to the role of CACTI in this whole thing. Are we gonna see one whole credential to rule them all, or are we gonna see lots of microcredentials? CACTI could supply guidance. Internet2 could also serve as an aggregator of assertions to prevent info leakage (i.e. a proxy to hide the real issuer underneath)
  21. Margaret: Will federated consumption require local credentials anyway? We don’t yet know the answer.
  22. John Bradley: we’ve come from a world where issuing credentials was hard. That’s changing with verifiable credentials. We can have additional credentials (perhaps with additional data supplied) as long as it’s seamless (that’s the challenge).
  23. Gabor: this will make verifying credentials harder; the issuers may not even be in the trust graph, and enriching with self-asserted info in flight is not always appropriate.
  24. John Bradley: then we need a better trust graph
  25. Margaret: What can CACTI do in this area?
  26. Tom Jordan: let’s start with the use-cases identified by the Nextgen Creds WG and enumerate how things would change.
  27. Margaret: In order to do that, we have to have a good understanding of what the vendors are already doing and what the standards are going to be.
  28. GaborE: how many universities are using digital campus ID cards? What is the size of the problem? Vs. how many are consuming gov’t issued IDs? We need to consider each issuance/consumption pattern separately and then group them later.
  29. TomJ: vendors are pushing phone-wallet-resident IDs pretty hard.
  30. Margaret: eduroam update:
    1. there are efforts in IETF to improve RADIUS security.
    2. There is a need to raise awareness about RADIUS/EAP-based roaming
    3. Efforts underway to expand footprint of eduroam
    4. A number of issues have been identified with eduroam routing on a global level
  31. What do you think we should focus on (from our guests):
    1. Dmitri: trust registries
    2. BennO: schemas, attributes for Open Access Science