Agenda

  1. Follow-up on the Seamless Access discussion from the last call (Chris M.)
  2. Discussion of next steps with the Baseline Expectations Program v2 (David B. et al)
    1. Setting up the schedule for final close out and background for possible vote later in the year.

Attending: Dave Robinson, Laura Paglione, Brad Christ, Ann West, Marc Wallman, Jeremy Livingston, Rachana Ananthakrishnan, Kristi Holmes, Chris Misra

With: Rob Carter, Keith Wessel, David Bantz, Albert Wu, Kevin Morooney, Steve Zoppi, Elaine Alejo

Regrets: Christine Miki, Chris Phillips

Minutes:  

InCommon Baseline Expectations V2 Final Close Out Plan.

David Bantz, chair of InCommon's Community Trust and Assurance Board (CTAB), presented the next steps for Baseline Expectations Program v2, in which Steering plays a very important role. The program enhances collaborations and makes the federation more valuable by raising the level of assurance and trust among participants. The Program relies on Steering to provide the stick to CTAB's carrot in ensuring the Federation has 100% adherence to the community standards.

Baseline Expectations (BE) v1 required participants to provide complete metadata; BE v2 focuses on security, including compliance with the SIRTFI trust framework and encryption requirements. Organizations running identity providers are also required to provide an error URL to enable service providers to help users navigate back to their home help desk for support in case of a transaction issue.

CTAB began working with the community to define Baseline Expectations v2 in 2019; Steering approved the result at the end of 2020, and it became mandatory in July 2021. As of August 1, 97% of entities meet the requirements. However, David reported that CTAB has grouped the remaining organizations into high, medium and low risk to help prioritize the final outreach push.

  • 23 priority organizations are considered high risk to the Federation community,
  • 48 organizations with bilateral trust or test entities are considered medium risk,
  • 187 organizations with entities with B or missing TLS encryption scores are much lower risk.

CTAB will be asking Steering to participate in the final outreach push. Ann suggested that CTAB set up a way to leverage Steering to help reach out to entities.

CTAB will bring a list to Steering of their recommendation for removing non-compliant entities on Nov 15.

Steering had no objections to the CTAB plan.

Seamless Access Follow Up: What is the next action expected from Steering? Is there action or discussion that is needed?

Following up on July's discussion about Seamless Access, Steering discussed several related topics.

Comments on the impact of third-party cookies on Seamless Access? Albert explained that Seamless Access has an advanced mode that requires third-party storage and a standard mode that doesn't require access to third-party cookies. (A user interacts directly from the Seamless Access website.) InCommon would be using the standard mode. In chat, Laura included a statement from the Seamless Access website: “For most browsers, if you completely block third party access (sometimes called third party cookies even though cookies are not involved) and/or browse in “private” or “incognito” mode, Seamless Access will not be able to facilitate your login experience.” More details from the Seamless Access site: https://seamlessaccess.org/about/trust/

Even though the InCommon Technical Advisory Committee recommended that Internet2 replace the Federation's ailing Discovery Service with Seamless Access, Ann offered that the technology and resulting operation model is not yet in production: InCommon is working with the stakeholders to design governance and technology approaches. By end of first quarter 2023, Steering will be provided with a status of the work and further implications on the Federation.  

Kristi requested that we collect the feedback and catalog use cases to help guide the conversations. She would like to hear perspectives from others and offered to start collecting and writing up use cases. It was agreed this was a good idea.

Discussion on the difference between EZproxy and Seamless Access. EZproxy can enable SAML-federated or IP access. Seamless Access sits on top of the SAML federation and provides an easier user experience. EZproxy could be considered an "identity provider" that provides multiple authentication mechanisms along with specific library functionality: https://www.oclc.org/en/ezproxy/hosting-options.html

Action items:

  • Brad to reach out to those at Georgetown and Washington State.
  • Dave to reach out again to those he already did.
  • Kristi writing up use cases for Seamless Access.
  • Ann to come back to Steering with a status/recommendation for Seamless Access by end of Q1.
  • David/CTAB to help coordinate Steering reaching out to remaining organizations that don't support BE v2.

Brad closed out by noting that at next month's meeting we will discuss business operations: executive verification and marketing.


Meeting adjourned