Notes and Action Items, AAC F2F of 25-April-2017
at 2017 Global Summit In DC
Attending:
- Brett Bieber, University of Nebraska (chair)
- Tom Barton, U. Chicago
- Chris Whalen, NIH
- Ted Hanss, University of Michigan
- Joanna Rojas, Duke (attended remotely)
- Ann West, Internet2
- Emily Eisbruch, Internet2
New Action Items
[AI] (Ted) review the draft documents around Baseline Expectation and any additional context setting to validate that it’s a complete case to bring to InCommon Steering.
Carry Over Action Items
[AI] (Tom) develop guiding principles for dispute resolution process
[AI] (Ann) continue to work on the Draft Processes to Implement and Maintain Baseline Expectations
[AI] (Brett) make additional updates to the Diagram, Community Dispute Resolution Process
.
[AI] (Tom and Brett) review documents to make them more generic so they could apply more broadly, such as to handle issues around tags such as R&S or SIRTFI.
DISCUSSION
Outcomes from the Sunday April 23 Kantara /Assurance Working meeting
Genesis of this meeting - Andrew Hughes from Kantara, Leif on Kantara Review board and SUNET and Tom Barton saw potential value to coordinate on assurance approach. Currently there is fragmented approach and not a lot of uptake.. Based on NIST 800 63, FICAM, Kantara Framework, InCommon Framework,
Independently maintained things = lots of effort
- Working together can reduce the effort and can lead to production of more comparable output
SWAMID has been successful
20 Members in SWAMID
LOA is mandated for their apps
They have a clear federation driver
Success with eduroam
Getting SPs on board is critical
Everyone at meeting is eager to work together
Focus on assurance profiles and requirements that map back to risks
If we agree on the risks we are mediating, that is a good first step
This work is only valuable if we help an org address a real risk
The FICAM work has been compliance oriented and not sufficiently responsive to risk
REFEDs assurance framework work (now in consultation) -
looks “assurancy” but it refers to an assessment of risk that was done by GEANT
Everything is to address real risk, it’s more pragmatic
Need a common catalog of capabilities. This creates comparability
Action items from the Sunday April 23 Kantara /Assurance Working meeting:
to do interviews with US-based projects and others to produce a database on risks
TomB will lead that interview effort
Get group back together (perhaps at TechEx) to make assumptions on levels of risk and
make a mapping table
Then work on atomic level, similar to the MFA profile perhaps
Business driven bundle of requirements
Don’t want to imply hierarchy since there are different risks
Some interested more in identity proofing, some interested more in phishing
See how external credential providing helps mitigate risk
There has been success with SIRTFI driven by research
CI Login
OSG
Gateway requirements
David Groep also has use cases
In some cases there’s a need for collaborators to vouch for their colleagues
Institutions in NIH can create identity accounts
there may be a scalability problem
Is ORCID a model for how this could work?
Issues around GDPR and international
Baseline Expectations
Key documents:
- Baseline Expectations document
- Diagram, Community Dispute Resolution Process
- Draft Processes to Implement and Maintain Baseline Expectations
- InCommon FOPP (with proposed edits for baseline expectations)
- Strawman Schedule for implementing Baseline Expectations
Important to finish this Baseline Expectations work.
There is still work to modify the Draft Processes to Implement and Maintain Baseline Expectations with one goal helping it to meet the needs of SIRTFI program
Tom has edited the implementation plan somewhat and still plans to work on the dispute resolution section
[AI] (Ted) look at the package of draft documents around Baseline Expectation and any additional context setting to validate that it’s a complete case to bring to InCommon Steering.
Goal: bring Baseline Expectations Implementation to InCommon Steering in June
Timeline for Baseline Expectations
Discuss the Baseline Expectation Implementation on the Wed June 7, 2017 Community Assurance Call
Take Baseline Expectations Implementation Plan to InCommon Steering end of June or end of July
Do a trust and identity consultation on the Baseline Expectations Implementation in Aug.
Community may have input on issues such as how long the wait period should be if there is an issue
Roll out at TechEx in San Francisco, Oct. 15-18, 2017
InCommon staff may not be ready to implement at TechEx, but we can announce
InCommon Assurance Program Review process planning
Bronze and Silver Program is “costing”
Bronze/Silver are on the books… only 5 schools benefiting with tags in metadata
There is the opportunity cost to have a program with low uptake
Could be seen as not the best use of time.
Increasing trust is important, but a monolithic profile is not working well for this community
When NIST 863 gets updated InCommon will be asked if we are going to comply
There is no LOA1, we’d have to start at Silver
This NIST 863 update (most likely this summer) could drive our InCommon Assurance program review
With the new 800-63-3/Digital Identity Guidelines, FICAM will ask us to update our certification profiles
Perhaps an option would be to transfer bronze and silver to Kantara assurance program
There are valuable things the AAC can do to increase the value of trustworthiness of InCommon Federation
We want to have maximum impact and we want to be less constrained on how we invest the AAC time
Other
There is an email list for InCommon technical concerns.
To subscribe, send email to sympa@incommon.org with the subject: subscribe technical-discuss.
There may be an InCommon chairs call with chair of Steering, work plan harmonization.
Updates to AAC charter
charter to be updated, perhaps once the program review is done
Next AAC call : Wed. May 10, 2017