Minutes

Attending

Keith Wessel, Mark Rank, Matt Brookover, Heather Flanagan, Joanne Boomer, Judith Bush, Steven Premeau, Eric Goodman, Matthew Economou

With (Also Starring): David St Pierre Bantz (CTAB), Les LaCroix (CACTI), Johnny Lasker (Internet2), IJ Kim (Internet2), Ann West (Internet2), Albert Wu (Internet2), Kevin (Internet2), Nichole Roy (Internet2), Steve Zoppi (Internet2)

Notes

TAC Meeting 2022-04-07

  1. Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
    • done
  2. Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.
    • done
  3. Call for scribe volunteers (2 per call) - recording / transcription available
    • Mark Rank and Eric Goodman volunteered
  1. Agenda Bash + request for notable working and advisory group updates
    • No new agenda items
  2. Status Updates - Q&A (10 minutes)
    • Ops update sent ahead (thanks, Nicole)
      1. Albert reported IdPaaS moving forward 
        1. Good mix of campus and service provider 
        2. No name yet
    • International shared in email
    • CACTI
      1. Emailed update items:
        1. Reviewed a draft version of Q1 CACTI accomplishments.
        2. Briefly discussed the Linking SSO systems WG (which since has held its kickoff meeting on April 6th)
        3. Continued discussion of the themes present in the survey of CACTI members.
      2. Wants clarity on whether TAC desires CACTI participation in support of the subject-id proposal
    • Discovery discussion will come up with Steering in June (due to full agenda for April) – will be combined with Seamlessaccess agenda item
    • Testing
      1. Limited attendance, mostly catching new folks up
    • CTAB
      1. Discussion of workplan, some cleanup of workplan and members “signing up” for specific items.
      2. Part one of the TLS security requirements discussion to happen “offline” from the CTAB meeting
      3. REFEDS MFA subgroup continues to meet (not really a CTAB group, but affiliated with them)
  3. (15 min) 2022 Work Plan Status - a walk through (Heather)
    • Doc at: https://spaces.at.internet2.edu/display/inctac/InCommon+TAC+2022+Work+Plan#InCommonTAC2022WorkPlan-2022WorkPlanItems
    • Deployment profile
      1. Mark will schedule a meeting
      2. Next steps to put out a communication about and problem statement for the SLO issue.
      3. Challenge of dealing with community burnout/overwhelm on multiple sets of requirements, specifically thinking about deployment profile vs. BE, but could also include others.
      4. Potential combined CTAB/TAC meeting (or chairs meeting) to try to align the efforts and communications here.
    • Subject ID
      1. Mark and Matt E both listed; Matt will take next steps
      2. Reminder that a starter work plan exists on the work plan page and starter doc exists here: https://docs.google.com/document/d/1W10faK0yswGYgA_llEu1P44XyZAOvRwMVqHap42Ivhw/edit
      3. Steve will add CACTI volunteers to the list.
    • Federation Testing
      1. Albert gave a level-set; Judith is the point person
      2. Updates – it is moving forward
      3. Have work in progress on test designs / definitions but nothing to share yet
      4. How to structure tests and interpret tests
      5. Require larger participation as it evolves
      6. Pitch to have a “test-a-thon” at ACAMP (a la hackathon)
    • Future of federations (aka federation wallets)
      1. Have a charter
      2. Committees see the value, but the community is fairly quiet
      3. Data point - Nicole is on the incubator board for Geant. There are some proposals and the work may need to continue there
      4. KK also observed that the challenge is defining the problem
      5. Heather will touch base with CACTI and talk about next steps
    • Also have standing items that we don’t want to lose sight of
      1. Browser work
      2. HECVAT work
        1. Steve P will follow up on their review cycle
      3. Guidance for entityID change/use
        1. Likely overlap with the emerging federation evolution
        2. Mark R will be “steward” instead of leader
  4. (15 min) Overview of emerging federation evolution issues - continued (Albert)
    • Catch folks up
      1. Last call talked about proxies
    • Next item - Regional … / third-party certifiers
      1. Need for annotation to entities metadata (the UC Trust use case)
        1. E.g., “UC Trust approved this SP to receive this data” 
        2. Would only be trusted by a specific set of IdPs/SP
      2. There are needs for umbrella org to add context
      3. Also useful for a better positioned org to certify entities (for example third-party certify R&S)
      4. Mechanically not very challenging – some mods to federation manager and specs
      5. Also NRENs
      6. Question - how to reflect this
      7. Different from the “delegation” use case
      8. Level of interest (in implementing) may be low 
        1. Eric G - so few products support this capability (for example, affiliation descriptors)
        2. Keith W - has been trying to do this for a system, but it is challenging
        3. Regarding R&S, what is the impact of the new entity categories?
        4. Steve P - trying to do this; the information to add may be of limited value to the rest of the federation.
        5. Heather F - the current R&S category will not be changed by R&S V2; the new categories just focus on what attributes are needed.
        6. Judith B - How does the OAuth federation work factor into this? Might be useful to consider harmony with that work.
        7. Might be more of a consortium use case to label groups
        8. This is needed for internal stuff that the federation may not need to care about.
        9. Example (if Eric G understands the spec correctly) using AffiliationDescriptor
          1. https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.5
          2. UC Trust publishes a new entity
          3. Sketch of that entity's metadata (the entityID and member values are placeholders; affiliationOwnerID is required by section 2.5, and each AffiliateMember carries the entityID of an approved entity):

             <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                               entityID="UCTrustAcceptableEntities.ucop.edu">
               <!-- my entity, not the SP, not the IdP -->
               <AffiliationDescriptor ID="UCTrustApproval"
                                      affiliationOwnerID="UCTrustAcceptableEntities.ucop.edu">
                 <AffiliateMember>entityID1</AffiliateMember>
                 <AffiliateMember>entityID2</AffiliateMember>
               </AffiliationDescriptor>
             </EntityDescriptor>
  5. (remainder) Introduction: Proposal to update entity ID validation rules (Albert)
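As an added illustration of the AffiliationDescriptor use case sketched under item 4 above (example code written for these notes, not from the TAC, UC Trust, or any product), here is how an IdP-side policy check could consume such metadata. The aggregate, the certifier entity ID, and the SP entity IDs are constructed placeholders. The check honors only affiliations published and owned by an explicitly configured certifier entity, and ignores listed members that are not themselves registered in the aggregate. It assumes the aggregate was signature-verified upstream by the metadata pipeline; the Python standard library parser verifies nothing.

```python
"""Added example (not from the TAC minutes, UC Trust, or any product): an
IdP-side check that consumes an AffiliationDescriptor published by a
third-party certifier, in the spirit of "UC Trust approved this SP".

Assumptions (all constructed for this example):
  * SAMPLE_AGGREGATE stands in for signed federation metadata that has
    already been signature-verified upstream; ElementTree verifies nothing;
  * the certifier entity ID and the SP entity IDs are placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD_NS}

# Hypothetical certifier entity; only affiliations it publishes and owns count.
UCTRUST_CERTIFIER = "https://uctrust-approval.example.edu/affiliation"

# Constructed sample aggregate: two registered SPs, the certifier's own
# affiliation-only entity, and an unrelated consortium's affiliation.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://sp1.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2P}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2P}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{UCTRUST_CERTIFIER}">
    <md:AffiliationDescriptor affiliationOwnerID="{UCTRUST_CERTIFIER}" ID="UCTrustApproval">
      <md:AffiliateMember>https://sp1.example.edu/shibboleth</md:AffiliateMember>
      <md:AffiliateMember>https://not-registered.example.org/shibboleth</md:AffiliateMember>
    </md:AffiliationDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other-consortium.example.org/affiliation">
    <md:AffiliationDescriptor affiliationOwnerID="https://other-consortium.example.org/affiliation" ID="OtherApproval">
      <md:AffiliateMember>https://sp2.example.edu/shibboleth</md:AffiliateMember>
    </md:AffiliationDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def registered_entity_ids(aggregate_xml):
    """All entityIDs registered in the aggregate (members must be among them)."""
    root = ET.fromstring(aggregate_xml)
    return {e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")}


def affiliations_by_owner(aggregate_xml):
    """Map publishing entityID -> set of AffiliateMember entityIDs.

    Policy of this example: the publishing entity must also be the
    affiliationOwnerID, so one entity cannot publish an affiliation in
    another entity's name.
    """
    root = ET.fromstring(aggregate_xml)
    result = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        publisher = entity.get("entityID")
        for ad in entity.findall("md:AffiliationDescriptor", NS):
            if ad.get("affiliationOwnerID") != publisher:
                continue
            members = {m.text.strip() for m in ad.findall("md:AffiliateMember", NS) if m.text}
            result.setdefault(publisher, set()).update(members)
    return result


def approved_members(aggregate_xml, certifier):
    """Entity IDs the given certifier vouches for that are also registered."""
    vouched = affiliations_by_owner(aggregate_xml).get(certifier, set())
    return vouched & registered_entity_ids(aggregate_xml)


def sp_is_approved(sp_entity_id, aggregate_xml, certifier=UCTRUST_CERTIFIER):
    """Decision an IdP could use before releasing certifier-scoped attributes."""
    return sp_entity_id in approved_members(aggregate_xml, certifier)


if __name__ == "__main__":
    for sp in ("https://sp1.example.edu/shibboleth",
               "https://sp2.example.edu/shibboleth",
               "https://not-registered.example.org/shibboleth"):
        print(sp, "approved" if sp_is_approved(sp, SAMPLE_AGGREGATE) else "not approved")
```

The intersection with the registered entity set is the point raised in the discussion that the annotation is "only trusted by a specific set of IdPs/SPs": the affiliation adds context to entities the federation already registered, it does not introduce trust in entities that are absent from the aggregate.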


Email Updates

International, SeamlessAccess, Browsers, Wallets

Subject: TAC Update: International, SeamlessAccess, Browsers, Wallets

From: Heather Flanagan
Sent On: Thur, April 7, 2022


International Update
REFEDS

  • Two consultations are currently open: SCHAC 1.6.0 and Sirtfi v2. SCHAC 1.6.0 deprecates schacGender, and Sirtfi v2 focuses on editorial clarity and a new assertion that requires security contacts of entities participating in Sirtfi to be notified when a security incident investigation suggests that those entities are involved in the incident. The consultations are open until May 2 and 3, respectively. More information can be found on the consultations page: https://wiki.refeds.org/display/CON
  • The TNC22 agenda has been posted. If you plan to attend, please register now. It helps the organizers plan the event.
  • The REFEDS Community Chat event on Browsers and Federation was recorded. The recording is available in the new REFEDS Youtube channel: https://www.youtube.com/channel/UCe1C_xlHQisU18XsOJ58THg. The next Community Chat will be on Thursday, April 14, and will discuss the results of the REFEDS Annual Survey.


IIW

  • The Internet Identity Workshop will hold an in-person event in Mountain View, CA, April 26-28. As usual, it is an unconference, so topics will be whatever folks bring with them to discuss. There are several people already planning on several browser privacy sessions.


Identiverse

  • Identiverse is an excellent identity-focused conference. It is being held in Denver, CO, June 20-24 (the week after TNC). As higher ed outsources more of their IAM products and services, this kind of conference that looks at IAM more in the commercial and enterprise space is particularly useful.


SeamlessAccess
Heather Flanagan is stepping down from her role with SeamlessAccess. She is wrapping up the work on WAYF Entry Disambiguation and then will not be directly engaged with the project going forward. (It's been six years and the project has matured enough to move on to a different phase of operation.)

The Contract Language Working Group has received a number of comments on their proposed template for contract language that libraries can use with publishers to support federated identity. Expect a report out on that shortly.

The American Library Association (ALA) Core Federated Authentication Committee has agreed to join the SeamlessAccess Governance Committee. This is great news for the project, as stronger library representation has always been a goal.

The product roadmap is always available to the public: https://seamlessaccess.org/services/

Browser Interactions
One of the more useful pieces of work coming out of the Federated Identity Community Group is a table that highlights what protocol elements (aka, primitives) will be impacted by the changes we expect to be made by the browsers to address privacy concerns.


Also of interest is a new draft document coming out of the W3C Privacy CG that catalogs what different browsers are doing with regards to link decoration (aka, navigation-based tracking). This document does not offer an API or any specific architecture to address link decoration tracking, but it is an interesting view on how different browsers are currently handling the problem. See: https://privacycg.github.io/nav-tracking-mitigations/

Wallets and Federation
A notice went out to InCommon participants; only one organization has responded.


CACTI update

Subject: CACTI Update - 2022-03-29

From: Steven Premeau
Sent On: Thur, April 7, 2022


  • Reviewed a draft version of Q1 CACTI accomplishments.
  • Briefly discussed the Linking SSO systems WG (which since has held its kickoff meeting on April 6th)
  • Continued discussion of the themes present in the survey of CACTI members.


Separate from the official update, more of a note for today's meeting:

  There was a question about our ad-hoc subject identifier group, mostly wondering when the CACTI volunteers might be contacted, which I think we'll be able to answer as we check in on the work plan items in today's meeting.


Steve.


Ops update

Subject: Ops updates

From: Nicole Roy
Sent On: Thur, April 7, 2022


Hello,


A brief ops update today: The eduGAIN ops team has created a new eduGAIN metadata signing key, and are in the process of migrating to it. InCommon and all other federations which consume eduGAIN metadata must switch to use of this new key for verifying the signature on eduGAIN metadata by 00:00Z on July 1, 2022. We have engaged Ian Young to help us with this change to our Shibboleth Metadata Aggregator deployment. More info is available at: https://technical.edugain.org/metadata


Best,


Nicole
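Added example, not part of Nicole's update or of the eduGAIN or Shibboleth tooling: a small pre-flight check a federation operator could run on the certificate their aggregator is configured to use for verifying eduGAIN metadata. It pins the certificate by SHA-256 fingerprint, accepts either the old or the new key before the 00:00Z July 1, 2022 cutover stated above, and only the new key from then on. The PEM blocks below are constructed placeholders, not real eduGAIN certificates; the real certificate and its fingerprint come from https://technical.edugain.org/metadata. Verification of the metadata signature itself remains the aggregator's job, not this script's.

```python
"""Added example (not from the ops update, eduGAIN, or Shibboleth): a pre-flight
check on the certificate an aggregator uses to verify eduGAIN metadata during
the 2022 signing-key rollover.

Assumptions: the two PEM blocks are constructed placeholders standing in for
the old and new eduGAIN signing certificates; real values come from
https://technical.edugain.org/metadata.  The cutover time is the one stated in
the ops update: 00:00Z on July 1, 2022.
"""
import base64
import hashlib
from datetime import datetime, timezone

CUTOVER = datetime(2022, 7, 1, 0, 0, tzinfo=timezone.utc)
# A sample instant shortly before the cutover, for the usage below.
EXAMPLE_BEFORE = datetime(2022, 6, 30, 23, 59, tzinfo=timezone.utc)


def _placeholder_pem(label):
    """Constructed stand-in: PEM framing around arbitrary bytes, NOT a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


OLD_KEY_PEM = _placeholder_pem("constructed-old-edugain-signing-cert")
NEW_KEY_PEM = _placeholder_pem("constructed-new-edugain-signing-cert")


def pem_fingerprint(pem):
    """SHA-256 over the DER bytes inside a PEM certificate block, as lowercase hex.

    Pinning the fingerprint rather than a file name or subject avoids accepting
    a differently-keyed certificate that merely looks like the expected one.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    b64 = "".join(ln for ln in lines if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def acceptable_fingerprints(now, old_fp, new_fp):
    """Rollover policy: both keys before the cutover, only the new key from then on."""
    if now < CUTOVER:
        return {old_fp, new_fp}
    return {new_fp}


def verification_key_ok(configured_pem, now, old_fp, new_fp):
    """True if the configured certificate is acceptable at time `now`."""
    return pem_fingerprint(configured_pem) in acceptable_fingerprints(now, old_fp, new_fp)


def rollover_status(configured_pem, now, old_fp, new_fp):
    """Human-readable status line for an operator's rollover checklist."""
    fp = pem_fingerprint(configured_pem)
    if fp == new_fp:
        return "ok: new key configured"
    if fp == old_fp:
        return "warning: old key, still accepted" if now < CUTOVER else "error: old key after cutover"
    return "error: unknown key"


if __name__ == "__main__":
    old_fp, new_fp = pem_fingerprint(OLD_KEY_PEM), pem_fingerprint(NEW_KEY_PEM)
    for when in (EXAMPLE_BEFORE, CUTOVER):
        print(when.isoformat(), rollover_status(OLD_KEY_PEM, when, old_fp, new_fp))
```

The useful property for an operator is the hard failure after the cutover: an aggregator that still carries the old key would otherwise keep running and silently reject every refreshed eduGAIN aggregate, leaving stale metadata in service until someone notices.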

