Minutes: Assurance Implementers Call of 12-Dec-2012
Mary Dunker, Virginia Tech
Nick Roy, University of Iowa
Brett Bieber, Nebraska - Lincoln
Jim Green, Michigan State University
Mark Jones, UT Houston
Bill Weems, UT Houston
Susan Neitsch, Texas A&M
David Walker, Independent
Michael Gettes, Carnagie Melon University
Jeff Capehart, University of Florida
Michael Brogan, U. Washington
CW Belcher, UT Austin
Arlene Allen, UCSB
Emily Eisbruch, Internet2, scribe
Ann West, InCommon/Internet2
Review of Current Status Regarding FICAM Approval
Ann reviewed the InCommon Assurance history with FICAM
- The Trust Framework Provider Adoption Process started in 2009
- Fall 2011 – FICAM requested simplified Bronze
- Fall 2012 – InCommon submits version 1.2 to FICAM
- FICAM approval of version 1.2 is expected in January 2013
Highlights of Version 1.2:
- Added items about credential management for Bronze Certification.
- Added privacy requirements to the Assurance Addendum to the Participant legal agreement
- Major issue in the current draft is Alternative Means to provide some needed flexibility in meeting requirements
More about Alternative Means:
- The AAC is developing a formal mechanism to handle/review alternative means that get submitted. FICAM does not want to review all alternative means; they want to trust us with the review process.
- Once reviewed and accepted, alternative means would be published on the wiki and become normative and part of the spec. A future applicant could state in their audit summary that they are using approved alternative means.
- The spec is still draft and may be further revised as we continue our discussions with FICAM. Once they approve the spec (expected in January 2013), we will publish the spec for community review. Then we will announce an implementation extravaganza and discuss implementation programs.
Q: Past experience shows that people change and institutional knowledge gets lost. How can we build in more stability so we don't risk having to start over again?
A: As InCommon Assurance is now a formal program with established documented processes and record keeping, this reduces the loss of historical memory.
Directions Within FICAM
Q : What are some of the directions within FICAM?
A: FICAM has sent the trust framework providers a list of items and has requested input on prioritizing for 2013. For example, FICAM is looking at breaking up the spec into chunks (such as identity proofing) and enabling certification for a portion of the spec.
Q: Is it possible that FICAM will work with some of the large authentication /authorization vendors like Microsoft, to try to influence them to get strong authentication from people using their software? Has FICAM thought about export restrictions on cryptography versus their requirements?
Comment: the community needs to push the vendors to provide the features we need.
A: Internet2 is having discussions with Microsoft to work on a variety of issues, and Assurance is a part of the discussion.
Providing Community Guidance
It may be beneficial to hold a series of calls to work thru each section of the profile, so sites can discuss how to implement various aspects.
In addition, Mary and Emily are working on an Implementation Example to share the Virginia Tech experience.
Q: If a site submits now, under the 1.1 spec and then if 1.2 comes out right after that how soon does that site have before a re-audit is required?
A: A site has at least 6 months to comply with the new specs. InCommon will work with any site that is certified under 1.1 to transition to 1.2.
Next Assurance Call: Wed., January 9, 2013 at noon ET.