CACTI Call Tuesday, March 30, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- Margaret Cullen, Painless Security
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Barry Johnson, Clemson
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
Internet2
- Kevin Morooney
- Ann West
- Nicole Roy
- Emily Eisbruch
Regrets
- Marina Adomeit, SUNET
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Jeremy Perkins, Instructure
- John Bradley, Independent
- Steve Zoppi, Internet2
Action items from March 30, 2021
- AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
- AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community
Action items from March 16, 2021
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
- AI - Rob reach out to leaders of MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: Banner WG is folding into the MidPoint WG)
Discussion
Administrivia
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Announcement
- FYI. Internet2/InCommon posted the Community Success Manager position.
- This staff person, when hired, will be helping with the community-source working groups/support, as well as facilitating CAMP/ACAMP, our key in-person engagement event.
Agenda bash
- It will be helpful to send “agenda bash” items to the chairs prior to the CACTI call when possible, or discuss them at the end of the call
- This will help us complete the planned CACTI meetings agenda
User centric identity (Bill Thompson proposed this prior to the call):
- Lafayette College has been using Trusted Access Platform components for several years,
- at a plateau now
- shift towards more user centric identity
- looking at what capabilities are needed to support the college mission
- keeping in mind diversity, equity and inclusion,
- used to be we would assign L number and user name, it was preordained by algorithms or rules,
- now working on a document to use for Lafayette College, might have a broader community discussion,
- Q: Could user centric involve self-sovereign?
- A: Maybe, goal is that users need to be able to drive their digital identity to a greater degree
- What is a good place for this conversation?
- It’s of interest to CACTI
- AI CACTI chairs will slot the user centric identity topic into a future CACTI agenda
MidPoint Working Group
- Working group charter
- Working group Wiki
- First call of the new working group was earlier today and it went well.
- 22 people attended
- The working group will meet every 2 weeks.
- Demo of CSP workbench by Keith Hazelton is planned at an upcoming MidPoint WG call
- WG charter is more or less final, a few tweaks made today
- Humming consent
- Agreed that CACTI has chartered the MidPoint Working Group
- Rob will inform Kevin M that the new MidPoint WG has been approved/chartered by CACTI (DONE)
- Rob will inform the MidPoint WG leaders that the working group has been approved. (DONE)
- BillK will work to get the Midpoint WG charter into the Trust and Identity Doc Repository (in progress)
Secrets Management
- Golden Ticket attack and other incidents have brought keen awareness to secrets management
- Operational experience is important
- Testing is important
- Access to security modules can be difficult
- Hard to get device pass through to work
- There is a technology gap
- Sometimes people CHMOD the key files
- Still readable by the user
- It was noted that the InCommon metadata signing key is challenging to manage; Amazon Web Services lacks an abstraction layer
- FedOps spends much focus on managing keys
- Security is hard, getting it right for the federation is hard
- Solving some issues leads to a performance hit
- Even though we have reference architecture for AWS deployments, there are other deployments, not AWS
- There may be opportunities to identify key principles.
- Suggestion: Consultation with the community to create best practices guide for different deployment models
- Comment: best to provide a few options, not to leave it wide open, scope down the options
- Secrets management may relate to baseline expectations for trust in federation
- Suggestion to engage CTAB and CSTAAC in the conversations
- Raise this topic to EDUCAUSE and REFEDs? Consult SIRTFI?
- Is this topic appropriate for a subgroup?
- Concern about spreading ourselves too thin?
- Remind the community that eduroam and InCommon are security services and we must get this right
- Looking at a broad range of security issues is a boil the ocean problem, need to scope focus
- There is the issue of compensating controls.
- A notion of things that are good enough.
- Building systems in a way that makes it harder for attackers.
- There are things to do to reduce risk
- AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community
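One concrete check for the "CHMOD the key files" point above, as an added example that is not from the CACTI minutes and not part of any Internet2/InCommon tooling: a POSIX shell function that audits a private-key file's mode and owner and reports group- or world-accessible keys. The key path, the expected owner argument and the function name audit_key_file are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the CACTI minutes): audit the permission bits and
# ownership of a private-key file such as a SAML signing key. The path and
# expected owner are assumptions supplied by the caller.

# audit_key_file FILE [EXPECTED_OWNER]
# Prints one finding per problem and returns 1 if any finding was raised,
# 0 if the file is owned by EXPECTED_OWNER (default: root) and has no group
# or world permission bits set (i.e. 0600/0400-style modes).
audit_key_file() {
    f="$1"
    expected_owner="${2:-root}"
    rc=0

    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi

    # GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")

    # Keep only the three rwx digits (drops a leading setuid/setgid/sticky digit).
    perm=$(printf '%s' "$mode" | tail -c 3)
    group_bits=$(printf '%s' "$perm" | cut -c2)
    other_bits=$(printf '%s' "$perm" | cut -c3)

    if [ "$other_bits" != "0" ]; then
        echo "WORLD-ACCESSIBLE (mode $mode): $f"
        rc=1
    fi
    if [ "$group_bits" != "0" ]; then
        echo "GROUP-ACCESSIBLE (mode $mode): $f"
        rc=1
    fi
    if [ "$owner" != "$expected_owner" ]; then
        echo "UNEXPECTED OWNER $owner (wanted $expected_owner): $f"
        rc=1
    fi

    # Even a correctly locked-down file is readable by the account that runs
    # the service, so anything compromised under that account can read it too.
    if [ -r "$f" ]; then
        echo "NOTE: readable by the current user ($(id -un)): $f"
    fi
    return $rc
}

# Usage: sh audit_keys.sh /etc/shibboleth/sp-signing-key.pem [expected_owner]
# (the path is a hypothetical example). Nothing runs when no arguments are given.
if [ $# -gt 0 ]; then
    audit_key_file "$1" "${2:-root}"
fi
```

The final NOTE line is the caveat the discussion raised: mode bits decide which accounts can open the key, not which code running under the service account can read it, which is why the notes point toward security modules and device pass-through rather than chmod alone.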
Parking Lot
- "Whither multilateral SAML?"
- Campus IAM roadmap for 3-5 years out (topic introduced on 2021-03-30 call by Bill Thompson): user-centric identity, etc.
- Do a WG on this? Involve EDUCAUSE or other IAM groups?
- (several upvotes from CACTI members for agendizing)
Next Meeting: Tuesday, April 13th, 2021