CACTI Call Tuesday, March 30, 2021

Attending

  Members

  • Rob Carter, Duke (Chair)
  • Les LaCroix, Carleton College (Vice-Chair)
  • Margaret Cullen, Painless Security
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
  • Matthew Economou, InCommon TAC Representative to CACTI
  • Kevin Hickey, Detroit Mercy
  • Marina Krenz, REN-ISAC
  • Barry Johnson, Clemson
  • Chris Phillips, CANARIE
  • Bill Thompson, Lafayette College

  Internet2

  • Kevin Morooney
  • Ann West
  • Nicole Roy
  • Emily Eisbruch

  Regrets

  • Marina Adomeit, SUNET
  • Stoney Gan, University of South Florida
  • Michael Grady, Unicon
  • Jeremy Perkins, Instructure
  • John Bradley, Independent
  • Steve Zoppi, Internet2


Action items from March 30, 2021

  • AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community

Action items from March 16, 2021

  • AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to the leaders of the MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did the intro with MattB). (Note: the Banner WG is folding into the MidPoint WG)


Discussion

Administrivia

Announcement

  • FYI: Internet2/InCommon posted the Community Success Manager position.
  • This staff person, when hired, will be helping with the community-source working groups/support, as well as facilitating CAMP/ACAMP, our key in-person engagement event.


Agenda bash

  • It will be helpful to send "agenda bash" items to the chairs prior to the CACTI call when possible, or to discuss them at the end of the call
    • This will help us complete the planned CACTI meeting agenda

User centric identity (Bill Thompson proposed this prior to the call):

  • Lafayette College has been using Trusted Access Platform components for several years
  • At a plateau now
  • Shifting towards more user-centric identity
  • Looking at what capabilities are needed to support the college mission
  • Keeping in mind diversity, equity and inclusion
  • It used to be that we would assign the L number and user name; they were preordained by algorithms or rules
  • Now working on a document for use at Lafayette College; might have a broader community discussion
  • Q: Could user-centric involve self-sovereign identity?
  • A: Maybe; the goal is that users need to be able to drive their digital identity to a greater degree
  • What is a good place for this conversation?
  • It's of interest to CACTI
  • AI - CACTI chairs will slot the user centric identity topic into a future CACTI agenda

MidPoint Working Group

  • Working group charter
  • Working group Wiki
  • The first call of the new working group was earlier today and it went well.
  • 22 people attended
  • The working group will meet every 2 weeks.
  • A demo of the CSP workbench by Keith Hazelton is planned for an upcoming MidPoint WG call
  • The WG charter is more or less final; a few tweaks were made today
  • Humming consent
  • Agreed that CACTI has chartered the MidPoint Working Group
  • Rob will inform Kevin M that the new MidPoint WG has been approved/chartered by CACTI (DONE)
  • Rob will inform the MidPoint WG leaders that the working group has been approved (DONE)
  • BillK will work to get the MidPoint WG charter into the Trust and Identity Doc Repository (in progress)

Secrets Management

  • The Golden Ticket attack and other incidents have brought keen awareness to secrets management
  • Operational experience is important
  • Testing is important
  • Access to security modules can be difficult
  • Hard to get device pass-through to work
  • There is a technology gap
  • Sometimes people chmod the key files
    • Still readable by the user
  • It was noted that the InCommon metadata signing key is challenging to manage; Amazon Web Services lacks an abstraction layer
    • FedOps spends much focus on managing keys
    • Security is hard; getting it right for the federation is hard
  • Solving some issues leads to a performance hit
  • Even though we have a reference architecture for AWS deployments, there are other deployments, not on AWS
  • There may be opportunities to identify key principles
  • Suggestion: consult with the community to create a best practices guide for different deployment models
  • Comment: best to provide a few options, not to leave it wide open; scope down the options
  • Secrets management may relate to Baseline Expectations for trust in federation
  • Suggestion to engage CTAB and CSTAAC in the conversations
  • Raise this topic to EDUCAUSE and REFEDS? Consult Sirtfi?
  • Is this topic appropriate for a subgroup?
    • Concern about spreading ourselves too thin
  • Remind the community that eduroam and InCommon are security services and we must get this right
  • Looking at a broad range of security issues is a boil-the-ocean problem; need to scope focus
  • There is the issue of compensating controls
    • A notion of things that are good enough
    • Building systems in a way that makes it harder for attackers
    • There are things to do to reduce risk
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community
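As an added illustration of the chmod point in the discussion above (this is not from the minutes and is not CACTI, InCommon or FedOps tooling), a small POSIX shell audit that reports private-key files whose mode is group/world readable, or which are owned by something other than the dedicated service account and so remain readable by that user. It assumes GNU coreutils `stat -c` and that the service account name is known; the paths in the example call are hypothetical.

```shell
#!/bin/sh
# Added example, not from the CACTI minutes: audit private-key files for the
# two problems noted above - loose mode bits, and a key that is still readable
# because it is owned by an interactive user rather than the service account.
# Assumes GNU coreutils `stat -c` (Linux); BSD/macOS stat uses different flags.

# check_key_perms FILE SERVICE_USER
# Prints one finding per line; returns 0 when clean, 1 when any finding.
check_key_perms() {
  key_file=$1
  key_owner_expected=$2
  key_rc=0
  if [ ! -f "$key_file" ]; then
    echo "MISSING $key_file"
    return 1
  fi
  key_mode=$(stat -c '%a' "$key_file")   # e.g. 600, 644, 4755
  key_owner=$(stat -c '%U' "$key_file")
  # Group and other bits are the last two octal digits; anything but 00 leaks
  # the key to other accounts on the host.
  case "$key_mode" in
    *00) ;;
    *) echo "LOOSE_MODE $key_file mode=$key_mode"; key_rc=1 ;;
  esac
  # chmod 600 does not help when the owner is a human admin account or a
  # shared login: the key is still readable by that user.
  if [ "$key_owner" != "$key_owner_expected" ]; then
    echo "WRONG_OWNER $key_file owner=$key_owner expected=$key_owner_expected"
    key_rc=1
  fi
  return "$key_rc"
}

# audit_key_dir DIR SERVICE_USER
# Runs check_key_perms on every *.key and *.pem in DIR; returns the number of
# files with findings (0 means clean).
audit_key_dir() {
  dir_bad=0
  for dir_f in "$1"/*.key "$1"/*.pem; do
    [ -e "$dir_f" ] || continue
    check_key_perms "$dir_f" "$2" || dir_bad=$((dir_bad + 1))
  done
  return "$dir_bad"
}

# Example run with hypothetical path and service account:
#   audit_key_dir /etc/example-idp/keys idp-service
```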


Parking Lot

  1. "Whither multilateral SAML?"
  2. Campus IAM roadmap for 3-5 years out (topic introduced on the 2021-03-30 call by Bill Thompson): user-centric identity, etc.
     Do a WG on this? Involve EDUCAUSE or other IAM groups?
     (several upvotes from CACTI members for agendizing)


Next Meeting: Tuesday, April 13th, 2021
