Notes and Action Items, AAC F2F of 25-April-2017

at 2017 Global Summit In DC



  • Brett Bieber, University of Nebraska (chair)
  • Tom Barton, U. Chicago
  • Chris Whalen, NIH
  • Ted Hanss, University of Michigan
  • Joanna Rojas, Duke (attended remotely)
  • Ann West, Internet2
  • Emily Eisbruch, Internet2


New Action Items

[AI] (Ted) review the draft documents around Baseline Expectation and any additional context setting to validate that it’s a complete case to bring to InCommon Steering.  

Carry Over Action Items

[AI] (Tom) develop guiding principles for dispute resolution process
[AI] (Ann) continue to work on the Draft Processes to Implement and Maintain Baseline Expectations
[AI] (Brett) make additional updates to the Diagram, Community Dispute Resolution Process
[AI] (Tom and Brett) review documents to make them more generic so they could apply more broadly, such as to handle issues around tags such as R&S or SIRTFI.  



Outcomes from the Sunday April 23 Kantara /Assurance Working meeting

    • Genesis of this meeting - Andrew Hughes from Kantara, Leif on Kantara Review board and SUNET and Tom Barton saw potential value to coordinate on assurance approach.  Currently there is fragmented approach and not a lot of uptake.. Based on NIST 800 63, FICAM, Kantara Framework, InCommon Framework,

    • Independently maintained things = lots of effort

    • Working together can reduce the effort and can lead to production of more comparable output
    • SWAMID has been successful

      • 20 Members in SWAMID

      • LOA is mandated for their apps

      • They have a clear federation driver

      • Success with eduroam

    • Getting SPs on board is critical

    • Everyone at meeting is eager to work together

    • Focus on assurance profiles and requirements that map back to risks

    • If we agree on the risks we are mediating, that is a good first step

    • This work is only valuable if we help an org address a real risk

    • The FICAM work has been compliance oriented and not sufficiently responsive to risk

    • REFEDs assurance framework work (now in consultation) -

      • looks “assurancy” but it refers to an assessment of risk that was done by GEANT

      • Everything is to address real risk, it’s more pragmatic

    • Need a common catalog of capabilities. This creates comparability

    • Action items from the Sunday April 23 Kantara /Assurance Working meeting:

      • to do interviews with US-based projects and others to produce a database on risks

      • TomB will lead that interview effort

      • Get group back together (perhaps at TechEx) to make assumptions on levels  of risk and

      • make a mapping table

      • Then work on atomic level, similar to the MFA profile perhaps

      • Business driven bundle of requirements

      • Don’t want to imply hierarchy since there are different risks

    • Some interested more in identity proofing, some interested more in phishing

    • See how external credential providing helps mitigate risk

    • There has been success with SIRTFI driven by research  

      • CI Login

      • OSG

      • Gateway requirements

      • David Groep also has use cases

    • In some cases there’s a need for collaborators to vouch for their colleagues

    • Institutions in NIH can create identity accounts

    • there may be a scalability problem

    • Is ORCID a model for how this could work?

    • Issues around GDPR and international



Baseline Expectations

    • Important to finish this Baseline Expectations work.

    • There is still work to modify the Draft Processes to Implement and Maintain Baseline Expectations with one goal helping it to meet the needs of SIRTFI program

    • Tom has edited the implementation plan somewhat and still plans to work on the dispute resolution section

    • [AI] (Ted) look at the package of draft documents around Baseline Expectation and any additional context setting to validate that it’s a complete case to bring to InCommon Steering.  

    • Goal: bring Baseline Expectations Implementation to InCommon Steering in June


Timeline for Baseline Expectations

  • Discuss the Baseline Expectation Implementation on the Wed June 7, 2017 Community Assurance Call

  • Take Baseline Expectations Implementation Plan to InCommon Steering end of June or end of July

  • Do a trust and identity consultation on the Baseline Expectations Implementation in Aug.

    • Community may have input on issues such as how long the wait period should be if there is an issue

  • Roll out at TechEx in San Francisco, Oct. 15-18, 2017

  • InCommon staff may not be ready to implement at TechEx, but we can announce

InCommon Assurance Program Review process planning

    • Bronze and Silver Program is “costing”

    • Bronze/Silver are on the books… only 5 schools benefiting with tags in metadata

    • There is the opportunity cost to have a program with low uptake

    • Could be seen as not the best use of time.

    • Increasing trust is important, but a monolithic profile is not working well for this community

    • When NIST 863 gets updated InCommon will be asked if we are going to comply

    • There is no LOA1, we’d have to start at Silver

    • This NIST 863 update (most likely this summer)  could drive our InCommon Assurance program review

    • With the new 800-63-3/Digital Identity Guidelines, FICAM will ask us to update our certification profiles

    • Perhaps an option would be to transfer bronze and silver to Kantara assurance program

    • There are valuable things the AAC can do to increase the value of trustworthiness of InCommon Federation

    • We want to have maximum impact and we want to be less constrained on how we invest the AAC time



  •  There is an email list for InCommon technical concerns.

    • To subscribe, send email to with the subject: subscribe technical-discuss.

  • There may be an InCommon chairs call with chair of Steering, work plan harmonization.

  • Updates to AAC charter

    • charter to be updated, perhaps once the program review is done

Next AAC call : Wed. May 10, 2017



  • No labels