CTAB Call Tuesday August 23, 2022
Attending
- David Bantz, University of Alaska (chair)
- Jon Miner, University of Wisc - Madison (co-chair)
- Pål Axelsson, SUNET
- Sarah Borland, University of Nebraska
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Mike Grady, Liaison from CACTI to CTAB
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Andy Morgan, Oregon State University
- Jule Ziegler, Leibniz Supercomputing Centre
- Tom Barton, Internet2, ex-officio
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
Regrets
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Rick Wagner, UCSD
- Chris Whalen, Research Data and Communication Technologies
- Robert Zybeck, Portland Community College
- Johnny Lasker, Internet2
- Emily Eisbruch, Internet2
DISCUSSION
Theme: Thinking about what’s next for “federation”...
- Intellectual Property reminder
- Agenda Bash
Working Group Updates
- CACTI
- Discussion of the potential implications of post-quantum cryptography.
- Questions about how Baseline Expectations could be used to move the community forward quickly if existing crypto is broken.
- InCommon TAC
- Discussion of IAM pain points at campuses.
- Intent was to drive/uncover/highlight items where InCommon TAC (or maybe other InCommon groups) should focus effort
- REFEDS MFA Working Subgroup
- Finalizing draft REFEDS MFA Profile proposal
- Proposal for the profile will go to consultation in a few weeks.
- David: CTAB may have a role in seeing that the spec, once adopted, gets deployed within InCommon
- Looking ahead in the agenda, whether “passkeys” count as MFA was an element of the discussion.
- Entity Categories Working Group (R&S 2.0)
- No meeting in the last few weeks, next meeting is being scheduled
- REFEDS Assurance Framework WG 2.0 Draft
- Made progress on further refining identity proofing criteria in the unsupervised remote scenario.
Baseline Expectations 2 Update
- Baseline Expectations for Trust in Federation wiki shows status
- InCommon Operations recently received updated scores from scanning, which was helpful
- CTAB members should reach out to orgs that they know on the list of non-compliant orgs
- Put your name in the spreadsheet to indicate that you will be reaching out
- Personal contact is often effective
- Feel free to contact Albert to get more context on any org
Scaling Federation
- What comes next for mutual trust and assurance, after BEv2?
- Probably not BEv3
- We want to move away from the model of requirements every entity MUST meet to be in federation
- We need to make it easy enough for institutions with modest staff and resources to participate
- Federation versus multilateral federation is a valuable question
- how do we deal with services that campuses need to integrate with, but are not deployed for widespread federation use (eg campus-specific SP, etc)
- multilateral federation may not be the answer in all cases
- one-off integrations between an IDP and an SP have been set up in many cases
- services like Box, Zoom, and others require proxy authentication
- enterprise apps often use bilateral approach
- It's technically simple to do a bilateral exchange, but it's a short term solution, not as scalable
- in the end, bilateral setup requires a lot of human support
- strength of the federation: don't need to manage certificates
- Bilateral integration within the federation is not so bad, it can be a strength
- Should we make it easier to do bilateral setup within the federation?
- Pål noted that within SUNET there is much bilateral activity and it works well
- Should we have different expectations for different types of federation participants (as we do for SPs and IdPs)?
- Things were more homogeneous when we designed the InCommon federation; now there are some complex proxying situations
- Could use entity categories
- use subsets of requirements to provide value
- Start thinking differently about service providers
- SIRTFI potentially goes too far for some categories of SPs
- SPs may have different needs, configurations, architecture: a tool SP (e.g. Zoom or Box) versus content producer SP (e.g. Elsevier)
- different business perspective
- collaboration with software vendors can be helpful
- This discussion can be a gateway to talking about authorization and attribute bundles
Future Items
- Do we want a presentation to CTAB on passkeys?
- Might be helpful if one of the CTAB members gave an overview
- Will be on a future CTAB agenda
- Passkeys - how does this affect us?
- Us = federation
- Us = campus IAM operation
- What is passkey?
Next CTAB Call: Tuesday, Sept 6, 2022