
Trust and Identity Program Advisory Group Meeting - October 16, 2017

(Face-to-Face at 2017 Technology Exchange)


Attending: Ted Hanss, Ron Kraemer, John O’Keefe, Chris Phillips, Sean Reynolds, Klara Jelinkova

With: Mike Zawacki, Steve Zoppi, Ann West, Tom Barton, Kevin Morooney (remote)

Action Items

(AI) Ann will drive the development of a position paper for presentation to the community.

(AI) Kevin will pursue a PAG meeting at EDUCAUSE (October 31).

Journey to the Center of Trust and Identity

Kevin shared a model that captures the requirements identified during the deep dives from summer 2016, updated and refined through conversations over the past several months. The model:

  1. identifies all of the trust and identity activities the requirements indicate would be necessary

  2. matches the activities to existing resources

  3. identifies the gaps


The model identified 122 activities and collapsed those under 14 T/I disciplines (listed below):

  1. Application Programming Interfaces - Campus

  2. Cloud Services

  3. Collaboration Management Services

  4. Community Training and TIER Program

  5. Component and Operations Security and Audit

  6. Component Packaging and Deployment

  7. Entity Registry (Person and Object Registry)

  8. Group Management and Group Administration

  9. Identity and Service Providers

  10. InCommon Federation Operations and Management

  11. Messaging Middleware

  12. Scalable Consent and Privacy Services

  13. Schema

  14. Trust-Identity Services and Community Support


This process revealed more than 40 resource gaps, after taking into account current staff, community members, and contractors working in the T/I space. The model made the assumptions that contributions by the community will not decrease over time, and that the T/I portfolio will not increase dramatically in the foreseeable future.

The model predicts the need for 22-34 additional FTEs to fill the resource needs (in addition to today’s 27). The presentation further refined this number by allocating these FTE needs to the 14 disciplines, and whether the resources would come via community working groups or Internet2.

Needed from the PAG: validation (or invalidation) of the various elements of the model, as well as thoughts and strategies on addressing the identified gaps. Are there other resources the PAG needs to make these recommendations?

Some general comments from PAG members (mainly about TIER):

  • Aging labor pool (which is an industry-wide issue)

  • What are the resources needed to consume TIER services? (There is a summary of requirements, but not a full list of necessary resources)

  • Is there a need for a market analysis to uncover currently unknown needs/expectations of customers?

  • Is there a growth strategy? (note: that was out of scope for this analysis)

  • Is the goal to grow adoption or create a small, specialized community?

  • How can we lighten the load on the consumers of the software?

  • CANARIE has tried to mask the complexity of IdM with its implementation approach - simplifying installation and configuration. Another important point is a way to deliver patches and security fixes.

  • How do the Shibboleth Consortium and the need to sustain Shib figure into this? (For purposes of the model, Shib was treated as an opaque service provider, but its needs/costs/gaps were included in the model)

  • The model includes continued significant reliance on community expertise and contributions

  • Need to consider the differences in management skillsets for handling contractor vs. employee vs. volunteer labor. Should bake the need for that into the model or break it out separately.

  • There was discussion about pricing and sustaining the software. This will require input and determination from campuses (vs. being dictated by TIER)


Remarks from Howard Pfeffer

Internet2 CEO Howard Pfeffer joined the meeting. He commented that trust and identity is key to Internet2’s mission. He is looking for prioritization of critical tasks and scoping of ongoing and future efforts. We need to move to a model with a real certification process for things like TIER, which would consider functionality, security, and interoperability. Also consider timeframes when looking at priorities. Address the adoption question, driving greater use and consumption. Look at pain points and blockers to adoption. We need to consider the commercial world, create a focused effort to interoperate, and deal with the problem of vendor lock-in.

Some discussion from the PAG:

  • The network piece of Internet2 has a different market/client than T&I. Complexity is added by questions of Internet2 membership, InCommon participation and other factors. This feels like a branding question as much as an organizational question. We’d be looking for clarity from I2 leadership. It would be good to have a “script” or unified messaging to discuss that in the community.

  • Regional Network questions are different from those of universities. Having T&I be part of the value proposition would be helpful. State and regional networks could be good for driving adoption, but they bring their own complexities.


Support for Research

Chris Phillips, chair of the new CACTI architectural group, discussed the goals and make-up of that group, which has an international blend and a good cross-section of campus and other participation. The focus is on enabling research and removing complexity from access to resources.

There is some overlap with FIM4R (Federated Identity Management for Research). That organization, sponsored by CERN and others, has a budget of 3 million Euros and could provide some insight on raising funds and grant money. Part of a recent FIM4R meeting was a discussion of what is not working (from the research perspective) in federated identity management. One of the links in the wiki is the raw FIM4R meeting notes; the headings are worth reviewing to see what sorts of disciplines are involved.

There is concern about the growing number of community groups without a corresponding increase in staff support. How would addressing the needs identified by the FIM4R organization impact the scope of InCommon and the needs already identified earlier in the meeting in Kevin’s presentation? One consideration may be to not just look at items/services to add, but also things we should stop doing or supporting. Tom Barton is involved in co-editing a requirements document for FIM4R that takes into consideration all of the resources needed to do the work - software, development, etc. It will also look at things like SIRTFI, the needs of international research efforts like CERN, etc.

Next Steps

Klara expressed the need to decide when to stop taking inputs and begin working on outputs. How do we prioritize needs and guard against scope creep? Consider time bounding - starting with what is possible in the next 12 months, for example. We need to demonstrate the ability to deliver. The PAG should look at what needs to be done in the next 3 months, the next 6 months, and the next 12 months. We need to finish the work plan and clarify the role of InCommon. (AI) Ann will drive the development of a position paper for presentation to the community.

Some of the issues and concerns to consider include:

  • Are we directionally correct with TIER to meet future needs?

  • It is difficult to drive adoption in higher ed. Typically it’s not how great the product is, it’s campus need.

  • Is there community confidence that we can deliver the promises of TIER? Confidence seems strongest with TIER investors, then in diminishing degrees in Internet2, then associated communities.

  • What are the marketing needs/plans?

  • In terms of TIER, are some organizations choosing *not* to adopt? What are the reasons?

  • People do what’s easiest. “Just make it work.” Vendor lock-in is a significant factor.

  • Sustainability, branding the federation services, funding needs, any adjustments to the participation model, a focus on making federation easier (and adoption of SIRTFI and R&S).

  • What are the top 5-7 questions that will determine our direction? Need to define those, then answer them.

  • Kevin: There is an urgency to determine direction and begin delivering. I think that in a few weeks I could come back to the PAG and define the “top 5 things,” then work on how to address those. Also need to address the sustainability question.


The PAG may next meet October 31 during the EDUCAUSE annual conference, if enough members are attending that event.

Parking lot:

  • Question of direction - push for large adoption, or small community of specialists
  • Succession of talent, dealing with aging labor pool
  • Need for security
  • Position of Internet2 efforts toward Shib Consortium