Minutes

Attendees: Heather Flanagan, Judith Bush, Matt Porter, Keith Wessel, Eric Goodman, Mark Rank, Joanne Boomer, Steven Premeau, David St Pierre Bantz (CTAB)

With (Also Starring): David Bantz, Albert Wu, David Walker, Nicole Roy, IJ Kim
Regrets: Les Lescroix, Matt Brookover
Scribes: Eric G, Steven P, Judith B

  • Discussion of scribing inadequacies writ large. 
  • Noted that the internet is broken, so people are distracted. 
  • IP framework/public content reminders

Agenda Bash

  • None

Updates

  • T&I / Ops
    • AWS CloudFront in front of Federation Manager – provides IPv6 and custom error pages.
    • EntityID validation: express opinions and any significant concerns by the end of this week. See the emailed update below.
      • 3 votes received so far
  • PROVIDE YOUR INPUT BY 8/1 Start of BUSINESS (if you’re going to)
  • The REFEDS MFA groups profile update work is getting close to wrapping up:
    • REFEDS MFA Profile proposal
    • We are looking for OIDC experts to help us vet the OIDC binding section
      • Esp with regard to ensuring the recommendations are implementable and are in line with the “prevailing use” of the constructs in the OIDC spec. (E.g., use of authentication contexts, “max_age”)
  • Profile Testing group has proposed a Tech Ex workshop, no other progress

Review Deployment Profile Value Statement

  • Deployment Profile Adoption - Value Statement 
  • Useful feedback and +1s received.
  • Biggest gap remaining: What (if anything) do we want to propose as IDP/SP actions in the next 12-18 months?
  • Has there been sufficient progress for the subgroup to reconvene?
    • Plan to reconvene; Albert to schedule. If interested in participating, contact Albert. 

DID/VC/Wallet

  • Albert/Heather/Keith discussed potential “emerging topics” that InCommon should be looking at. 
    • Currently we’re a SAML federation focused org.
      • With TAP products as a good value add.
    • What other areas should we be looking at?
    • We need to get people (TAC and community) “on the same page” about what we are talking about so we can have an informed community.
      • DID/VC/Wallet Seminar as an example
    • Change Management at this scale is very difficult
  • Poll Question for TAC to get a read of the room
    • “Given what you know of the topic, how do you think consumer-centric IAM will impact your IAM in the next 3 years?”
      • 50% - “I don’t yet know enough to make a meaningful assessment.”
      • 42% - “I am going to need to deal with this, though its more of an opportunity than a threat.”
      • 8% - “It poses an existential threat to my IAM thingy.”
      • 0% - “It’s a non-issue.”
  • Nicole reports her leadership has approved her to do a deep dive into learning about “wallets etc” 
  • Eric: “More information” should include actual implementation examples. Most examples I’ve seen are conceptual “what it could do”/”what is the technical model” without working examples. 
  • This may require entire meetings of “presentations” on these topics.
  • The difficult problems (key management, inter-agency trust) appear to be largely “hand-waved” at in current proposals. Are there concrete examples of using this?
    • DW: We (InCommon, REFEDS) should be driving the answers to these questions
    • Does “more information” point to the need for R&E federation community to do work to  resolve questions?
    • There may not be large enough scale working models to help answer these questions. 
    • InCommon has a history of doing this for SAML
    • What was the history for rolling out SAML federation originally? Does this provide a useful use case to apply/inform how to approach this one?
    • Does it make sense for InCommon to manage (or host) a POC service to allow testing of this stuff? 
    • Fed 2.0 discussion included the idea that Authentication may not be a problem campuses need to solve. 
      • E.g., with Passkeys, etc. people may bring their own authentication.
      • But the communication of claims and trust associated with the identity’s affiliation with the campus is what InCommon/federations/member institutions could still lead. 
      • EZproxy and other products are pushing for longer sessions; how should the point of authentication and the session length be controlled in that model?
      • This element is similar to the “bring your own email” discussions.  
    • Seems like with FIDO/passkey etc. we will see Authentication (password/account management) separate from the User Identification (association of attributes) and Authorization (access). 
    • And still the question is What is the role of the Federation in this kind of Trust/Identity fabric?
      • Need to coordinate with GEANT on this. (It’s GEANT doing this work currently, not REFEDS.)
    • May want Niels to come do the presentation (Heather has emailed Niels to see if we can get him on the schedule)
  • AI: Heather will try to invite Niels to attend a future meeting.

Emailed Updates

Browser update

Date: Wed, 27 Jul 2022 14:21:43 -0700
From: Heather Flanagan 
Subject: Browser update

Really just the one big update for my list of things:

https://blog.google/products/chrome/update-testing-privacy-sandbox-web/

Tl;dr:

Third-party cookie deprecation is further delayed in Chrome. (This is both a good and bad thing.)

CACTI Update - 2022-July-19

(Note I was able to attend this meeting, this update is from the to-be-published minutes.)

  1. Working group updates
    1. SAML subject identifier adoption WG  - We have indicated this is no longer an active priority in TAC, but can be (re)started when it does become a priority again.
    2. Linking SSO WG -- last meeting was canceled in favor of members working on documenting use cases.  There is a meeting next week which will start discussing the results of those write-ups.  WG work-product is expected to be published in late fall.
  2. Comms assignment(s)/volunteer(s) for 1H22 
  3. Post-quantum crypto 

InCommon Federation’s metadata entity ID validation rule email

On 07Jun2022 at 09:03:29, Albert Wu <awu@internet2.edu> wrote:

Hello everyone, 

I presented a proposal to change the InCommon Federation’s metadata entity ID validation rule in last week’s TAC call. To keep things moving, as mentioned on the call, I’d like to collect your thoughts/feedback/recommendation here. Which of the following options do you recommend?

(In case you missed the discussion, the proposal write up is here: https://docs.google.com/document/d/1B9-OlMgtuik4G_hADLFkbWwcwZv1XIu0gtppqjyal9c/edit#heading=h.hks6tdf7r4t0)

Question: How should InCommon move forward regarding metadata entity ID validation and its current role to generate engagement opportunity to talk to those who might be using an incompatible product?

These are the options under consideration:

Option 1: The full works

This option relaxes DCV (entity ID only) requirements and introduces as much compensating measure as possible.

  • Eliminate DCV requirements on entity ID
  • Allow URN format entity IDs (InCommon currently blocks new registrations from using URN formatted entity IDs)
  • Create event triggers in Federation Manager – alert RAs when a known incompatible product (and its system generated entity ID) is being registered in InCommon; display warning to SA with link to detailed material explaining the incompatibility and their options
  • On entity ID registration, check eduGAIN metadata for entity ID uniqueness
  • To detect potential domain abuse, check current known scopes (in all metadata); notify appropriate parties (Scope registrant)

Option 2: Relax DCV; verify uniqueness within InCommon only

This option relaxes DCV (entity ID only) requirements and addresses the primary value we gain from performing DCV on entity ID today.

  • Eliminate DCV requirements on entity ID

  • Allow URN format entity IDs (InCommon currently blocks new registrations from using URN formatted entity IDs)
  • Create event triggers in Federation Manager – alert RAs when a known incompatible product (and its system generated entity ID) is being registered in InCommon; display warning to SA with link to detailed material explaining the incompatibility and their options
  • On entity ID registration, check InCommon metadata for entity ID uniqueness 
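The registration-time checks listed under Options 1 and 2 (entity ID uniqueness in the aggregate, accepting URN-form entity IDs, and the known-scope check for domain abuse), as an added Python sketch that is not Federation Manager code; the metadata aggregate and entity IDs are constructed samples, and `registrant_scopes` is an assumed input naming the scopes the registering organization already holds.

```python
"""Added example (not Federation Manager code): the entity ID checks proposed in
Options 1 and 2 above, run against a constructed sample metadata aggregate."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample standing in for the InCommon (or eduGAIN) aggregate.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:incommon:sample-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_registry(xml_text):
    """Return (set of registered entity IDs, {literal scope: owning entity ID})."""
    root = ET.fromstring(xml_text)
    entity_ids, scopes = set(), {}
    for ed in root.findall("md:EntityDescriptor", NS):
        entity_ids.add(ed.get("entityID"))
        for sc in ed.findall(".//shibmd:Scope", NS):
            if sc.get("regexp", "false") == "false":  # ignore regexp scopes
                scopes[sc.text.strip().lower()] = ed.get("entityID")
    return entity_ids, scopes

def check_entity_id(candidate, entity_ids, scopes, registrant_scopes=()):
    """Run the proposed checks on a candidate entity ID; return (code, detail) findings.
    registrant_scopes (assumed input): scopes the registering organization already holds."""
    findings = []
    if candidate in entity_ids:  # uniqueness check (InCommon-only or eduGAIN-wide aggregate)
        findings.append(("duplicate", candidate))
    if candidate.lower().startswith("urn:"):  # URN form is allowed under Options 1 and 2
        findings.append(("urn-format", candidate))
    elif candidate.startswith(("http://", "https://")):
        host = (urlparse(candidate).hostname or "").lower()
        for scope, owner in scopes.items():  # domain-abuse check against known scopes
            if (host == scope or host.endswith("." + scope)) and scope not in registrant_scopes:
                findings.append(("scope-overlap", f"{host} falls under {scope}, owned by {owner}"))
    else:
        findings.append(("invalid-uri", candidate))
    return findings
```

Loading the eduGAIN aggregate instead of the InCommon one is the only difference between the Option 1 and Option 2 uniqueness checks; a `scope-overlap` finding is what would trigger the notification to the scope registrant.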

Option 3: Do nothing

  • Continue current entity ID validation practice. No change.