Notes and Action Items, AAC Call of 1-March-2017
Attending: Brett Bieber (chair), Chris Whalen, Ted Hanss, Tom Barton, Joanna Rojas, Ann West, Emily Eisbruch
Action Items
[AI] (Brett) develop a flow diagram to visualize the processes in the Draft Processes to Implement and Maintain Baseline Expectations
[AI] (Ann) continue to work on the marked-up FOPP for Baseline Expectations, including these changes:
May create new section 7.4 for some of this information
Section 8 is on dispute resolution and there are some changes there.
Proposed new section 9.3.1 for federation operators
[AI] (Tom and Brett) take Draft Strawman Baseline Expectations Implementation Plan and Draft Processes to Implement and Maintain Baseline Expectations to next level over coming weeks.
Discussion
Draft Strawman Baseline Expectations Implementation Plan (restricted access)
describes the high-level way that baseline expectations will be implemented.
Draft Processes to Implement and Maintain Baseline Expectations (restricted access)
includes 1) Federation Operational Practices, 2) community consensus process for acceptable operations and 3) community dispute resolution process
The discussion started with an overview of the Baseline Expectations, which are intended to replace the InCommon Participant Operational Practices (POP). The approach is that it will be assumed that every InCommon participant will comply with the Baseline Expectations. There will be an InCommon dispute resolution process to handle issues that arise.
Operational details for Baseline Expectations will need to be worked out. In addition, the community consensus process for acceptable operations will need to be defined. There will be a process to raise the bar for baseline expectations over time if needed. A concern was raised that a consensus process for raising the bar for acceptable operations might lead to the bar never being raised. This could happen if, for example, larger schools would agree to raising the bar but smaller schools would lack the resources to meet a higher bar.
It will be necessary to keep refining the Community Dispute Resolution Process. The current draft states that the AAC engages with the participants and mediates a resolution where possible. Where that fails, the AAC moves the issue to InCommon Steering with the need to remove the participant from the InCommon federation (as a last resort). It is possible, in some cases, that a complaint about an SP may result in an incident response.
It was agreed that we don’t want to be too limiting as we define the processes. We need enough of a process but perhaps not too much; it is important to make it clear in the baseline expectations implementation plan that there's the expectation that things will change.
Baseline should be low enough so everyone can meet it, but it still provides value.
The Baseline Expectations implementation education process will take time and require substantial effort. There will be many questions from the community. We may want to keep records as we discuss the issues with the community and then maintain FAQs.
[AI] (Brett) work on a flow diagram to visualize the processes in the Draft Processes to Implement and Maintain Baseline Expectations
Tom suggests a possible tweak to the “Draft Processes to Implement and Maintain Baseline Expectations” doc: the role of the AAC might be to get participants in reviews.
Proposed changes to the FOPP and PA for baseline expectations
On March 1, 2017, Ann sent to the AAC initial proposed changes to the FOPP (the top-level document that guides what InCommon does).
Ann suggested a couple of changes in the marked-up version.
7.3 required info components, used to be POP (Participant Operational Practices). Now refers to interdependency of parties, then talks about separate requirements for each of the primary stakeholders.
Mentions that, at minimum, participants must adhere to these requirements. Over time the requirements may change. The expectation is to support requirements as they change.
[AI] (Ann) will continue to work on the marked-up FOPP for Baseline Expectations, including these changes:
May create new section 7.4 for some of this information
Section 8 is on dispute resolution and there are some changes there.
Proposed new section 9.3.1 for federation operators
Thanks to Ann for her suggestions on how to edit the FOPP for baseline expectations.
Next, after more work on the FOPP, Ann will work on suggested updates to the PA.
SP 800-63 Comment Period
Consultation on 800-63 / Digital Identity Guidelines
The March 1 Community Assurance Call on the topic of NIST SP 800-63 went well. Appreciation to speaker Ken Klingenstein and to Brett for hosting.
REFEDS MFA profile consultation open now through March 27. Identifier to be assigned is “https://refeds.org/profile/mfa”.
Plan for Community Assurance call of Wed. April 5, 2017 at noon ET (to be discussed on next AAC call)
Global Summit Face-to-Face April 23-26, AAC F2F Tues. April 25, 2017, 2:30 pm - 4:00 pm
FYI: AAC notes are now publicly available here: https://spaces.at.internet2.edu/display/InCCollaborate/InCommon+Assurance+Advisory+Committee+Minutes
Next AAC call: Wed. March 15, 2017 at 4pm ET