TAC Meeting 2015-10-29
Thursday, October 29, 2015
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT
Attending: Steve Carmody, Keith Hazelton, Ian Young, Scott Cantor, Tom Barton, Jim Basney, David Walker
With: Dean Woodbeck, Nate Klingenstein, Nick Roy, Tom Scavo, IJ Kim
Minutes from Oct 15 were accepted
Security Contacts in Metadata
Jim Basney recapped his Security Contacts presentation at the WISE workshop (regarding security contacts in metadata). The workshop included NREN and cyberinfrastructure people from Europe. The general response was that they need the security contact information and believe it is worthwhile to have this in metadata. There was also discussion about the need for periodic revalidation, given that about 10% of the information goes stale in any given year. One option would be to require revalidation once a year or have the federation operator send an email to each address to make sure it is still active.
There was also support for allowing people to register a URL for providing additional contact and security information and moving forward on this with REFEDS.
FYI, there are 99 out of 577 organizations that have security contacts in InCommon metadata (about 17%).
Update on the OTTO Working Group
Keith Hazelton presented an update on the OTTO working group in Kantara. The basic idea is to extend the notion of federation and metadata to the OAuth world (e.g. UMA, OIDC). They would like to learn from the lessons of the SAML community, particularly regarding federation metadata. The group has some concerns about the use of the metadata query protocol, but Scott mentioned that the protocol was designed to be extended to query mechanisms. Keith will discuss this with Ian. There are still a number of tasks ahead related to scaling, the use of JSON, and other technical issues and decisions.
TIER Working Groups
- the packaging group is searching for a call time - about 30 people interested
- the data structures and APIs group has its first meeting November 4. The charter is being revised and REFEDS was informed; if some REFEDS members join, an EU-friendly second meeting time will be considered
- TIER working groups can be found via this listing: https://spaces.at.internet2.edu/display/TWGH/TIER+Working+Groups+Home
- Shibboleth 3.2.0 looks like it will include front-channel SLO
- Tom Scavo reported that the federation manager supports logout endpoints. There was a discussion about creating documentation
- Steering will vote on Participation Agreement changes on Monday, Nov. 2. Official notification will go to participants on Nov. 12, then there is a 90-day period before the changes take effect (Feb. 10, 2016).
- Key technical dates:
  - Nov 20 - new FM user interfaces allowing for opt-in/opt-out
  - Jan 11 - ops begins eduGAIN migration process
  - Feb 11 - eduGAIN fully operational
Consideration is being given to introducing a new production aggregate, idps-registered-by-incommon.xml. The simpleSAMLphp SP (which is used by eduroam-US) cannot filter metadata like can. The new aggregate would allow an SP to restrict activities to just InCommon IdPs. There is a question about whether the federation operator should do this, or give SPs a tool to do this themselves. We also want to be sure to accommodate other organizations that add entity tags (like UC Trust).
IdP of Last Resort
There was discussion about a method of migration, should individuals start with one IdPoLR and want or need to change to another. This and other challenges, plus a plan for dealing with them, are here: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=92472003
Next Meeting - November 12, 2015 - 2 pm ET