CACTI call of Feb. 19, 2019

Attending

  Members

  • Chris Phillips, CANARIE (chair)  
  • Tom Barton, U. Chicago  
  • Warren Anderson, University of Wisconsin-Milwaukee /LIGO
  • Rob Carter, Duke   
  • Karen Herrington, Virginia Tech      
  • Les LaCroix, Carleton College  
  • Nathan Dors, U Washington 

 Internet2

  • Kevin Morooney  
  • Ann West   
  • Steve Zoppi    
  • Nick Roy  
  • Emily Eisbruch   

Regrets

  • Christos Kanellopoulos, GEANT  
  • Todd Higgins, Franklin & Marshall College
  • Tom Jordan, U Wisc - Madison   
  • Jill Gemmill, Clemson  
  • Marina Adomeit, GEANT

Action Items from this call

  • [AI] Rob will pass along to CACTI more on the Duke WebAuthn project

Discussion

Debrief on TIIME2019 - https://tiimeworkshop.eu/agenda/  (Chris, Tom Barton, Albert Wu)

      • The TIIME workshop was a good snapshot of all things FIM4R as well as the focus areas in IDM that the EU community is focused on
      • FIM4R had a day-long workshop (presentations are linked here: https://indico.cern.ch/event/775478/)
      • At TIIME, much appreciation for the Internet2 response and gap assessment for FIM4R
      • All-day tracks on software and technical items, legal elements, and Self-Sovereign Identity
      • Two days of un-conference topics
      • Takeaways: Gathered much intelligence on where other Federations stand on creating the desired trust ecosystem
      • SATOSA proxy, lightweight proxy component, was discussed at TIIME
          • https://github.com/IdentityPython/SATOSA
          • SATOSA is in early days, built in python
          • can be delivered as a docker image
          • some using KeyCloak instead of Shib as an integration platform for multilateral
          • user interface inside KeyCloak is helpful
          • Heather Flanagan is involved, Matthew Economou involved, both are on InCommon TAC
          • Using a proxy like SATOSA and KeyCloak may be a kind of half step
          • It was noted there is much talk about proxies, challenging to understand the architecture
          • Proxy story at TIIME was strong, for multilateral federation.
          • Q: How does SATOSA fit into ITAP?
            • A: SteveZ: ITAP consumes it, it works. We are reflecting community need for that functionality. ITAP is containerizing SATOSA even though it’s not officially part of the “TIER stack.” SATOSA is being discussed at Component Architecture group. InCommon.org website is getting updated. SATOSA will likely be listed as an “endorsed” solution.
          • LIGO will adopt a proxy within a year or so
      • COmanage was discussed quite a lot at TIIME
          • SURFnet has been using the COmanage look and feel to apply it in their environment
          • There was an unconference discussion on SURFnet and COmanage
          • Chris Whalen, Benn Oshrin participated.
          • Chris Whalen noted that a COmanage users call could be beneficial
          • SteveZ: refactoring COmanage may be relevant

      • WebAuthn W3C standard: https://www.w3.org/TR/webauthn/
        • browsers  can interact with credential store to provide per site keys, may mature within a few years
        • Face recognition, it’s simple sign on
        • Question is how will we as federations adopt this and what changes will it bring?

          Some say that unless IDPs start popping up?

        • This will affect federations, since this approach will be easier.

        • This is an easy alternative to web single sign on, which is awkward on a phone.


        • Others say campuses should do WebAuthn, makes it easy to preserve federated  access infrastructure

          Duke is piloting a WebAuthn interface on their IDP now, looking at it as an ALTERNATIVE to passwords and with an additional binding beyond the biometrics. Shilen is working on this project.


        • Recovery issues… with WebAuthn, if you lose your phone, you must have an account recovery service. A campus IDP might provide the recovery service.

        • [AI] Rob will pass along to CACTI more on the Duke WebAuthn project


    • Access to Data Sets
      • TomB spoke with Laura Paglione at the TIIME conference about researchers gaining access to data sets, versus the current model where a researcher gets access to a particular data set, which does not scale well.
      • ORCID is looking at extending their processes to manage a more scalable process where certain researchers are “Bonafide.”
      • ORCID might be the distributor of the attribute.
      • This connects to more sources of authority asserting attributes. We may want to help this happen.
      • A new way of managing access; how will federated access play along?
      • Should we develop a way to handle the special callout with ORCID for the BONAFIDE researcher attribute?
      • Enterprise IAM people and research people need to work this out.
        • Warren: interesting scenario. Trust attributes more when they are close to source of authority. But challenges with each IDP handling this.
          TomB would support work on developing alternatives to the IDP doing all the work of handling the BONAFIDE researcher attribute.


  • Red Hat and openLDAP
    • ChrisP reported that the main openLDAP code contributors have commented that they have heard Red Hat wants to drop openLDAP from the distribution in the core of CentOS 8, the next major revision of the Red Hat/CentOS open Linux distribution.
    • The perception of this significant change is that it’s a move to limit access to more open software in favour of Red Hat support revenue for software solutions like KeyCloak, which have a different model for support, as can be seen here:


“The RH-SSO product derives from a specific version of the Keycloak community and is maintained, patched, and supported by Red Hat commercially for as long as the terms of your support contract. The Keycloak community project, on the other hand, is never patched. There are no point releases of the community project and each release may break backward compatibility. New features are developed, experimented with, and baked in community then brought down to be supported in product if they are popular enough in community. Think of Keycloak as bleeding edge with quick releases, unpatched, and limited community support, while RH-SSO is stable, supported for a long time, and patched as bugs and security vulnerabilities are found.”


    • This way of managing access could pose some challenges to organizations that want to benefit from free and open software with less than the usual means. However, when the above is mentioned specifically around the product, it is quite emphatic that support is the only pathway for predictable and even safe usage of the software.

IDPro https://idpro.org/news/6290550

  • Certification of identity practitioners: some progress being made, but in nascent stages; want guidance and best practices from the community to build into a body of knowledge.
  • Could IDPro be a “home” for body of knowledge? 
  • Heather Flanagan will be working with IDPro for 6 months.  
  • Some suggestions around how to encourage more engagement. Time slicing is a challenge.
  • Could have Ian Glazer talk with CACTI about IDPro at some point.
    There could be a concern, if IDPro charges for access to material

eduroam and Internet of Things (IoT) usage

  • Interesting discussion; Robin Wilton was a keynote speaker on privacy and the Internet of Things.
  • There was a recent call with Amazon about Echo being used on eduroam, and requirements around use of Amazon certificates.
  • Some gap in the IoT space around 802.1X. Run a single SSID; how to accomplish a good IoT strategy.
  • TomB: there is a place for segmentation / compartmentalization of risks and networks.
  • There can be different risk profiles.
  • Kevin noted there is some request for “more eduroam.” Will likely come into more focus after Global Summit 2019.
  • ChrisP: At the Canadian Federation, there have been requests for easier onboarding for eduroam


To be discussed at a future CACTI Call

  • Topic Backlog

    • 2019 T&I roadmap planning  - follow up on last call's discussion with Janemarie and KeithW?

    • Closing out the MACE-Dir transition work

      • Need a volunteer to:

        • For the sunset planning doc, get the list of authors as complete as possible - work with Keith Hazelton and David Bantz

        • Work with Keith Hazelton to resolve any remaining comments

        • Work with librarian to get the sunset planning doc published in the TI document repository

        • Follow up with REFEDS on the following items to ensure progress is being made, report back to CACTI:

          • New mailing list

          • REFEDS Schema editorial board governance https://wiki.refeds.org/display/STAN/Schema

          • Transfer of assets (see sunset planning doc for full list)

          • Namespaces / registries (URN/OID)

            • Chris' work on Les' URN recommendations - status check

            • Schema (edu*)

            • Other web content - MACE-Dir wiki, macedir.org


    • Proposal to focus the OIDC-Deployment working group on a deployment guide for the Shibboleth OIDC extension (Nathan)


Next CACTI Call: Tuesday, March 5, 2019