Attending: Janemarie Duh (chair), Matthew Economou, Matthew Brookover, Heather Flanagan, Mike Grady, Keith Wessel (vice-chair), Eric Kool-Brown
With: Ian Young, Dean Woodbeck, Nick Roy, David Bantz, IJ Kim, Albert Wu, Jessica Coltrin, David Walker, Shannon Roddy, Steve Zoppi, Ann West
Regrets: Judith Bush, Mary McKee
(AI) TAC members - Review updated metadata practice statement by August 15.
(AI) TAC members - Review and comment on site admin enrollment flow by August 2.
(AI) Albert - Add the Seamless Access Coalition pilot to a future TAC agenda.
(AI) Janemarie - Start an email thread on how to proceed with the WebAuthn discussion.
(AI) Janemarie will take the Chrome SameSite policy issue to REFEDS.
Intellectual Property Reminder
All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
Public Content Notice
TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
T&I and Ops Updates
Congratulations to Jessica in her new role at InCommon/Internet2.
Updated Metadata Practice Statement - This is being updated to match the REFEDS template and to reflect the new MDQ service. Latest draft. Planning to finish this by the end of August. Feedback needed in 30 days.
Site Administrator Enrollment Flow - Proposing to introduce DocuSign for InCommon execs to use in appointing site admins. See the proposed change request flow. This helps solve a problem of reaching execs by phone. The flow document includes three flows. The first is the proposed change. The third is the current flow, which will still be in place as well. Have been vetting this internally. Questions/comments to Albert in the next two weeks.
MDQ Service launch - Production candidate release is in place. There are a few pieces of logging that need to be resolved, along with additional community feedback, and we will remove the “candidate” moniker. Need to get usage reports defined to track adoption.
Trust and Identity Hackathon to be held with the NORDUnet meeting in Copenhagen. Six or so different tables/ideas. Ideas include MDQ services, SATOSA, OpenID Connect federation. Considering doing something like this at TechEx. See https://wiki.refeds.org/x/AwauAg
InCommon has signed an MOU with the Coalition for Seamless Access (formerly known as RA21). GEANT will run the technology. The next step is to define the pilot. From the InCommon perspective, this approach was designed for a specific set of service providers. We’d like the pilot to address whether this will work for all service providers. Will be looking to the TAC to drive this pilot with the community. (AI) Albert - Add this to a future TAC agenda.
Working Groups and TAC/CTAB/CACTI collaboration Updates
OIDC Deployment - Nathan Dors (chair) has found that there isn’t enough experience to work on a deployment guide. Unless the charter is revised, his recommendation is to close the group and revisit this in a year. REFEDS version of OIDC working group is being closed and the discussion moved to OASIS (https://openid.net/wg/rande/).
REFEDS Federation 2.0 - Met F2F at TNC. Looking for participation. Have four stories they will explore, culminating with a presentation at TechEx.
IdP as a Service - Working group is finalizing a survey.
CACTI - Need a TAC representative to CACTI. A consultation is in progress on eduroam advisory group charter. BE was well received at REFEDS at TNC. Also discussed the Chrome SameSite issue.
CTAB - Have distributed a request for input on the next round of Baseline Expectations. Looking for input by the end of the month. The community consensus process will be used to develop the next round of Baseline, based on a proposed set of requirements from CTAB. Now essentially at 100% compliance with BE. Removed 9 entities - all were inactive. Only one IdP does not meet BE, and that one is a ServiceNow test IdP that is not active.
There was a discussion in June with Brett Bieber and Jon Miner from CTAB re: displaying information about entities and organizations that is readily available. Nick Roy and Steve Zoppi have discussed this with the development team, but nothing in detail. This group will continue to meet and discuss: 1) what information will be included in the near term, 2) how this will be displayed so it is useful but not overwhelming, and 3) the long-term plan.
TAC membership for 2020
Recruiting timing - We’ve used TechEx as a discussion location, but that will not work this year given the lateness of the meeting. Jessica is creating a standard process for all InCommon advisory groups, based largely on what TAC has already done. The TAC process is on the wiki.
Leif presented on this topic at TNC. Google and others are planning to go ahead with WebAuthn, and login flows using a password will look strange to people. Leif advises not talking about MFA but talking about strong authentication. This has implications for the REFEDS profiles.
How should we proceed with this discussion? Janemarie discussed this with Chris Phillips, chair of CACTI. (AI) Janemarie will post in the TAC list to discuss how to proceed with the topic. The REFEDS working plan for next year will be developed soon. Proposing this topic might be good since this is a worldwide federation problem.
Chrome: SameSite policy issue
Janemarie compiled a short primer on the issue (that has been a thread on REFEDS). Chrome is moving towards a setting that tries to prevent promiscuous cookie sharing across sites. In SAML, this affects RelayState in AuthN requests. There has been inconsistent experience - some have seen things break, some have tried and have been unable to break things. This is an interfederation problem. (AI) Janemarie will take this to REFEDS to suggest they create a wiki page to track services and results of testing.