CACTI notes of Wednesday, March 27, 2024

Attendees: Judith Bush, Tom Jordan, Kevin Hickey, Gabor Eszes, Richard Frovarp, Les LaCroix, Mike Grady, Gareth Wood, Margaret Cullen, John Bradley

With: David Walker, Nicole Roy, Andrew Scott, Steve Zoppi, Sara Jeanes

Regrets: Ann West, Kevin Morooney, Rob Gorrell, Rob Carter

Pre-Read Materials: 

Notes of March 6th open working meeting at community exchange

Consultation for the CACTI Next-Generation Credentials Working Group Final Report

Action Item Review:

Agenda

  1. Administrivia
    1. Volunteer(s) to scribe: Judith, Kevin H
    2. Agenda bash
  2. Announcements
    1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
    2. Certificate Service Redesign webinar, April 2nd (registration link)
  3. Main Business

    1. Take-aways from Community Exchange
      1. Gabor summarizes the CACTI open meeting: small turnout; see the notes for that meeting (Maarten Kremers's last name may not be in the notes)
        1. Much of discussion revolved around next-generation credentials.  What to do about the working group report?  What role can CACTI/Internet2 play? 
        2. What do current campus deployments look like?  
      2. Margaret Wallet discussion
        1. Strong interest in wallet technologies
        2. What is out there?  How is it being used? The technologies are often not deployed from IAM (Blackboard, CBORD).  Management/governance of ID cards varies widely across institutions.
      3. Re: campus cards for doors etc. vs. other IAM uses for digital IDs
        1. The access control boundaries may begin bleeding from physical to networked
        2. Ideas:
          1. Survey where campuses are (“hundreds are using or will be using,” based on vendors)
          2. Who runs?
            1. Identity teams sometimes
            2. A “Card Center” office
            3. Dining
            4. Physical plant
          3. Different use cases for credentials, and different presentation/selection of them
          4. Standardization discussion
            1. Discovery
            2. Account/key/wallet recovery and trust around that recovery (“what’s at the bottom of the credential and wallet issuance / recovery pyramid?”)
            3. Ensuring the trust graph is sufficiently featured to accommodate our issuance, verification and other use cases
        3. What is at the base for assurance of account recovery mechanisms? 
          1. Easy if using a “General Purpose Subject Identifier”  but harder to sort out if “Pairwise Subject Identifier” is desired
        4. CACTI can develop profiles and articulate the differences 
          1. Profiling the trust registry requirements
          2. Profiling the RP identifier requirements
          3. Profiling recovery requirements
          4. Profiling assurance requirements
          5. Profiling issuance requirements
          6. Profiling different types of VCs
            1. Examples:
              1. Student/Faculty/Staff ID for use in the bookstore, door access, meal plans
              2. Authentication-type ID for use in access to electronic services
                1. Local
                2. Federated (are they even different?)
              3. Academic credential VCs (microcredentials as well as transcripts, professional certifications - three different things)
          7. These profiles can be started off as “plain English” and translated into technical requirements.
          8. Along with profiling, it might be helpful to state what we know (or believe we know) at this point - for example, we believe that people will have more than one wallet.
  2. Final edits to NGCWG final report and discussion of feedback from Tom Barton
    1. See Tom Barton’s feedback
      1. Libraries have these types of use cases.
      2. Privacy and security issues
    2. Membership revocation and confidentiality
    3. Attribute release to authorized parties
    4. Gareth - On the discussion around credential compromise/revocation/loss and needing to re-establish and verify identity: the underlying trust and identity verification model is a challenge to get right. Relying on, say, a driver's license is fine, until that state or government is compromised themselves, e.g. subject to a spear-phishing attack or similar. So where you build your trust model is a critical decision, and maybe we should make some statement/recommendations on that?
    5. AI: Nicole work with Tom Barton to get a use case put together to address his feedback, and include it in an appendix to the report. Give 48 hours for CACTI feedback, then issue the report.
  3. 2024 CACTI Work Plan
    1. Topics mentioned at CommEx
      1. Next steps for NGCWG, and wallet work in general in our community
        1. Trust model and registries and their requirements (Nicole suggests we start with a WG to profile requirements for a trust registry for VC issuance and wallets in R&E)
          1. Ask Dmitri to be involved in drafting the charter.
        2. Types of credentials and their requirements
        3. Wallets and FedCM 
        4. Should there be a higher ed wallet – maybe
          1. Others are working on wallets.  We need to stay abreast of developments.
        5. There are concerns about running multiple working groups: limited bandwidth, and the same people are likely to end up in multiple groups.
        6. FYI! April 9, day-long EDUCAUSE session on digital credential platforms (Will be recorded and distributed later, as well)
        7. AI: New WG charter: Margaret, Tom J, Gabor, Judith, Nicole, Dmitri, Kevin H, Leif (?) as drafters of trust registry requirements WG. 
        8. Effort to survey the existing ecosystem - Vendors / Institutions
        9. Schemas, attributes for Open Access Science 
          1. REFEDS appears to be gearing up for this work already; redirect involvement there and track
      2. eAC workstreams and RADIUS stuff
        1. Two things eAC is looking at: eduroam and RADIUS
          1. The IETF is deprecating RADIUS over UDP and moving toward RadSec (RADIUS over TLS). Authentication is secured at a layer above that (EAP inside a secure tunnel for authN, e.g. a TLS exchange of credentials), but other information is exposed at the RADIUS level: who the person is and where they are can be tracked to within about 30 ft (depending on how much traffic is captured). SPs are releasing the attributes that expose this. IdPs can track where you are (which might be a feature), but it is also exposed in transit.

The concerns about RADIUS/UDP security and privacy are not an issue when using EAP/RADIUS/UDP (as eduroam does) as long as all of the participants (i.e. eduroam IdPs and SPs) follow a set of recommended practices. One of the things Baseline Expectations could include is a requirement to follow those practices.
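As an added illustration of the exposure discussed above (example code, not part of the meeting notes or any eduroam tooling): a small Python parser for a constructed RADIUS Access-Request that lists the attributes visible at the RADIUS level, outside the EAP tunnel, and checks whether the outer User-Name follows the anonymous-outer-identity practice. Attribute type codes are the standard RFC 2865/2869 values; the packet contents, MACs and NAS name are constructed.

```python
import struct

# Standard RADIUS attribute type codes (RFC 2865 / RFC 2869).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 79: "EAP-Message"}

def build_packet(attrs):
    """Build a RADIUS Access-Request (code 1) from (type, value) pairs; the
    16-byte Request Authenticator is zeroed since this is a constructed sample."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0x2A, 20 + len(body)) + b"\x00" * 16 + body

def parse_attributes(packet):
    """Walk the RADIUS attribute TLVs and return (type, value) pairs."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos, attrs = 20, []
    while pos + 2 <= length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return attrs

def wire_visible(packet):
    """Attributes anyone on the RADIUS/UDP path can read. Only the EAP exchange
    carried in EAP-Message (type 79) gains TLS protection once the tunnel is up;
    identity hints, AP MAC/SSID and client MAC travel in cleartext."""
    return {ATTR_NAMES.get(t, f"Attr-{t}"): v
            for t, v in parse_attributes(packet) if t != 79}

def outer_identity_is_anonymous(packet):
    """eduroam practice: the outer User-Name should carry only the realm,
    e.g. '@example.edu' or 'anonymous@example.edu'."""
    for t, v in parse_attributes(packet):
        if t == 1:
            return v.decode("utf-8", "replace").split("@")[0] in ("", "anonymous")
    return False

# Constructed sample: client on the eduroam SSID with a non-anonymous outer identity.
SAMPLE = build_packet([
    (1, b"jdoe@example.edu"),            # outer identity leaks the local part
    (30, b"00-11-22-33-44-55:eduroam"),  # AP MAC + SSID pinpoints location
    (31, b"AA-BB-CC-DD-EE-FF"),          # client MAC follows the user around
    (32, b"library-ap-3f"),              # NAS name gives building and floor
    (79, b"\x02\x01\x00\x09\x01jdoe"),   # EAP-Response/Identity opening the EAP exchange
])
```

Running `wire_visible(SAMPLE)` shows that every location-bearing attribute is readable without touching the EAP tunnel, which is why the recommended practices (and RadSec as transport) matter for the RADIUS layer itself.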

AI: Margaret write a letter to eAC asking for a Baseline Expectations program for trust in eduroam. Will share with CACTI for input/feedback on the letter. Encourage eAC to reach out to CTAB for input/guidance on the process. CTAB happy to work with eAC. David Bantz and Richard Frovarp are good CTAB contacts.

  4. Other topics
    1. Certificate Service Redesign
      1. April 20, 2024 webinar. AI: CACTI folks join if you can

Next Meeting: Wednesday, April 24, 2024
