Building Identity Trust Federations Conference Call

October 17, 2012

1) In Attendance

  • Suresh Balakrishnan (University System of Maryland)
  • Oleg Chaikovsky (Aegis)
  • Mike Grady (UIUC)
  • Michael Hodges (University of Hawaii)
  • Ken Klingenstein (Internet2)
  • George Laskaris (NJEDge.Net)
  • Greg Monaco (Kansas State University)
  • John Moore (MCNC)
  • Benn Oshrin (Internet2)
  • Mark Rank (UW Milwaukee)
  • Mark Scheible (MCNC)
  • Craig Stephenson (WiscNet)
  • Jack Suess (UMBC)
  • Bill Thompson (Unicon/Jasig)
  • Valerie Vogel (EDUCAUSE)

2) Scalable Privacy: An NSTIC Grant for the Identity Ecosystem (Ken Klingenstein)

  • Ken and Jack's NSTIC Presentation (PPT)
  • Set of pilot programs (solicited in Feb/Mar and concluded recently – about 180 applications). Solicitation is still available on the website: http://nist.gov/nstic.
  • 2 submitted by Internet2 were accepted – multi-factor authentication deployment at several institutions and scalable privacy (building an infrastructure for the identity ecosystem). Asked to combine the two proposals.
  • In the end, 5 proposals were accepted. 1 was awarded to Internet2. A second was awarded to Criterion Systems (Beltway Defense contractor) around monetization of attributes, and it also involves Internet2.
  • NIST is trying to keep a distinction between the two efforts (pilots and governance).
  • Two-year grant for $3.4M (second year pending). Emphasis on major infrastructure elements for privacy.
  • Key deliverables
    • Promotion of two-factor authentication
    • Schema for common use
    • Privacy managers
    • Implementing anonymous credentials at scale
    • Metadata strategies to support the above
    • Significant pilots and testbeds
    • Several policy thickets (e.g., adoption of attributes and bundles, anonymous credentials, privacy, and application privacy assessment "marketplace")
  • Promotion of multi-factor authentication through wide-scale deployments of different technologies at 3 institutions (MIT, Utah, Texas). Facilitation will also support a cohort of additional schools with their deployments, leveraging the lead school activities.
  • "Big Picture" – Working with a graphic artist to tie these pieces together; this should be ready to share later this month. What flows within the big picture – attributes (may be externally asserted, self-asserted, third-party asserted) and management of attributes (trust, vetted application info, user consent flows).
    • IdPs
    • SPs
    • Attribute authorities
    • Third parties, portals, etc.
    • Application auditors
    • Federation operators
    • The user
  • The User and Contexts
    • A person operates in one of several contexts when online: as a citizen, as a worker-employee, as a consumer, as a physical entity, and possibly others.
    • In managing their privacy, what parts of the user experience should be consistent between contexts and what may be different?
  • Primarily "citizen" oriented, but with significant value to many other contexts, including consumer and business.

3) NSTIC Strategy; Current and Future Efforts (Jack Suess)

  • Ken and Jack's NSTIC Presentation (PPT)
  • NSTIC Strategy Document – General principles
    • Privacy enhancing and voluntary
    • Secure and resilient
    • Solutions must be interoperable
    • Cost-effective and easy to use
  • August plenary – about 900 participants (some virtually) representing 320 organizations (approx. 1/3 made up of Higher Ed institutions).
  • Since August – bylaws must be approved by Nov. 13. Next plenary is Oct. 29-30. Governance TF has met on average 8 hours per week.
  • Discussion webinar on Oct. 22 (2-4 pm) that highlights the upcoming bylaws.
  • Future efforts – Oct. 29 to Jan. 1, 2013
    • Emphasis on creating and approving workgroup charters
    • Management committee wants to establish liaisons and communication channels between related workgroups.
    • Communication and outreach efforts to the broader community.
    • Next election for management council will be February 2013.
    • The group does not want to create standards unless that's absolutely necessary.