Minutes - May 7, 2020
Attending: Mark Rank, Matthew Brookover, Mizuki Karasawa, Keith Wessel, Eric Kool-Brown, Matthew Economou, Judith Bush
With: IJ Kim, David Bantz, Dave Shafer, Les LaCroix, Dean Woodbeck, Steve Zoppi, Ann West, Shannon Roddy, Albert Wu, Kevin Morooney
Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
T&I and Ops Updates
New Discovery Service is in production.
The new Federation Manager release is scheduled for next Wednesday, May 13.
Identity providers continue to adopt R&S: 33 have joined since the push began on March 27.
Via email from Heather Flanagan:
Asia-Pacific: Some of you may be familiar with the BACKFIRE project that focused on improving knowledge around FIM and e-infrastructure in Asia (see https://refeds.org/a/1877 for an old REFEDS post about it). That project completed, and a new one is starting called “iFire”. The TF-IAM group will be coordinating monthly meetings and regular workshops; I will be participating as much as possible to make sure information is shared between regions.
South/Central America - RedCLARA has been organizing quite a bit of outreach in their region as they help member campuses respond to suddenly going remote thanks to COVID-19. Their annual meeting, TICAL, will be held virtually from August 31 - September 2 in coordination with the Latin-American e-Science meeting. They haven’t sorted out their program yet (the CfP only closed on 20 April) but this is a conference worth watching for.
Africa - a new program is coming up later this month called IST-Africa 2020 (http://www.ist-africa.org/Conference2020). To be held online from May 18-22, there is a LOT of content coming through here! They have 31 sessions and 95 presenters, representing organizations from 21 countries. I think we are remiss in watching and learning from what’s happening in Africa, so if you have some time to check this out, I think it will be worthwhile.
Seamless Access Update
Heather will provide a regular update, as activity is increasing. The latest SA newsletter mentioned the IAM Online (May 13) and the Scholarly Kitchen blog area.
The long-range plan is for SA to be available to many verticals, but research and education are currently at the forefront. There have been questions from libraries that are not higher ed libraries, given that the communications thus far have said an organization needs to be in an eduGAIN federation. It would be a good idea for InCommon and OCLC to discuss this.
Deployment Profile survey response and action items
Recommendation 1: Changing encryption algorithms. The goal is to move to AES-GCM (the default in Shibboleth IdP v4). There will likely be breakage with SPs that do not yet support GCM. How do we minimize it? A question was raised about whether there are compliance issues (federal standards, for instance); no one on the call was sure.
TAC then discussed the issues with current encryption methods (the older CBC modes are unauthenticated encryption, which is the reason for the move) and related items. Today, InCommon's stance is that we trust the SP to follow current encryption standards.
Discussion centered on the below portion of the deployment profile. Has/should InCommon adopt this?
[SDP-IDP11] In the event the HTTP-POST binding [SAML2Bind] is used, assertions MUST be encrypted and transmitted via a <saml:EncryptedAssertion> element. Information intended for the consumption of the SP MUST NOT be further encrypted via <saml:EncryptedID> or <saml:EncryptedAttribute> constructs.
There was consensus that we need to signal the move to GCM and related issues to SPs as early as possible; e.g., this is an important security measure and you need to be doing this or getting it on your roadmap.
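One way to size the breakage risk before an IdP stops offering CBC is to check what each SP advertises in federation metadata. The script below is an added example written for these minutes; it is not InCommon, Shibboleth or Federation Manager code. It parses an aggregate of EntityDescriptors and classifies each SP by the md:EncryptionMethod algorithms listed on its encryption KeyDescriptor. The entityIDs and the metadata it runs on are constructed sample data. Caveat a practitioner should keep in mind: an SP that advertises nothing is reported as "unadvertised", not "unsupported"; many SPs never declare a preference, so those need direct testing or outreach rather than being assumed broken.

```python
"""Classify SPs in SAML metadata by the data-encryption algorithms they advertise.

Added example for the GCM migration discussion; constructed sample data,
not InCommon or Shibboleth tooling.
"""
from collections import Counter
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Block-cipher algorithm URIs from XML Encryption 1.1 (GCM) and 1.0 (CBC).
GCM_ALGS = {
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}
CBC_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}


def classify_sp(entity):
    """Return 'gcm', 'cbc-only' or 'unadvertised' for one SP EntityDescriptor."""
    algs = set()
    for kd in entity.iterfind(f"{MD}SPSSODescriptor/{MD}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "encryption"):
            continue
        for em in kd.iterfind(f"{MD}EncryptionMethod"):
            algs.add(em.get("Algorithm", ""))
    if algs & GCM_ALGS:
        return "gcm"
    if algs & CBC_ALGS:
        return "cbc-only"
    return "unadvertised"  # no preference declared; does NOT prove lack of GCM support


def scan_metadata(xml_text):
    """Map entityID -> classification for every SP in a single entity or an aggregate."""
    root = ET.fromstring(xml_text)
    results = {}
    for ent in root.iter(f"{MD}EntityDescriptor"):  # includes root if it is one
        if ent.find(f"{MD}SPSSODescriptor") is None:
            continue  # IdP-only entity; nothing to encrypt to
        results[ent.get("entityID")] = classify_sp(ent)
    return results


def summarize(results):
    """Count entities per classification, e.g. {'gcm': 1, 'cbc-only': 1, ...}."""
    return dict(Counter(results.values()))


# Constructed sample aggregate with hypothetical entityIDs (assumption: SPs declare
# supported algorithms via md:EncryptionMethod, as the metadata schema allows).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp-gcm.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>enc</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-cbc.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:KeyName>key</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-silent.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>sig</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>enc</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    results = scan_metadata(SAMPLE_METADATA)
    for entity_id, status in sorted(results.items()):
        print(f"{status:12} {entity_id}")
    print(summarize(results))
```

Run against a real aggregate by replacing SAMPLE_METADATA with the file contents; the "cbc-only" list is the set to contact first, and the "unadvertised" list is the set whose support is unknown until tested.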
There was further discussion about whether we need a vehicle or program, separate from Baseline, that provides guidance to participants – something along the lines of "you won’t be kicked out if you don’t do this, but we don’t tolerate this." Some other federations state the expectation that members comply with SAML2int, but don’t remove an organization if it does not.
Further discussion will take place in the next TAC meeting.