Minutes

Attendees: Derek Eiler, Steven Premeau, Joanne Boomer, Eric Goodman, Keith Wessel, Judith Bush, Mark Rank, Matthew Economou, 

Reps from other groups: Les LaCroix (CACTI), David Bantz (CTAB)

Staff: IJ Kim, Ann West, Steve Zoppi, Nicole Roy, Albert Wu, 

Others: David Walker

Regrets: Heather

Scribes: Judith & Eric

Status updates from InCommon or Trusted Identity staff: none:

No comments on the email status updates.

draft 2022 TAC Accomplishment Reports

Any comments and concerns? We will get a document identifier, check it in, and circulate the link.  It may be mentioned in a newsletter. Some memory that there is some announcement made that all three accomplishment reports are available. Keith will deliver to steering.

Albert referenced that there are some questions in comments on the draft report that should be resolved.

• What page is the draft wiki page (in the Adopt SAML Deployment Profile - Next Steps section)
• The outcome of that work was a draft [strike the word draft?]  wiki page to document what’s changing and why. This page, if we recall, is from 2021, not an accomplishment from 2022]  This page would serve as a central point of reference throughout the multi-year process of profile adoption. The group also drafted a value statement to be included on that page and initial communications to explain why these changes are being made. 
• Will make clear the document was previously made as  the focal point for the multiyear process.

• Also looking for a link to Neils’ presentation from TechEx

Discussed some other edits that Albert will work on.\

NIST 800-63-4 review

Tom Barton, with Albert as flywheel, would head a workgroup from CTAB+CACTI to review and comment. Shall we join, and if we do, who would participate. The initial readthrough suggests that there will be impacts on the assurance levels that will cause challenges with mapping to the REFEDS levels (“IAL1 baseline might be what we consider the hardest part.”) Would need to be done during the first week in March as comments due back 11:59pm Eastern Time on March 24th

• https://pages.nist.gov/800-63-4/ 

We have interested persons, Eric and Joanne and Keith – any others for a doodle poll for meeting planning?

Nicole notes that each group will look at it from different perspectives. Part c will be important for TAC to review.

Should we include someone from NIH? Kyle Lewis might?  Matthew will ask Kyle about NIH participation.

draft 2023 TAC work plan

Looking to identify a “theme” for the year’s goals. Last year’s was “Making Federation Easier”. Possible themes or overarching foci are:

• Demonstrate value (leadership); TAC leading in new directions (e.g., wallets, subject-id)
• As in “in the direction that federation is currently going”
• Get ahead of problems/anticipate the future
• This may be the pessimistic version of the previous example
• Keep federation relevant

Those may all be the same item. All are forward looking to see what changes are coming, and lhow to ensure federations are providing guidance and services that align with providing users access to resources in the future - but real - changes to the authentication/federation landscape.

How to tie the institution’s “model of the user” into the broader authentication infrastructure.

Can we avoid the word “future” in our theme for the year? 

How does open federation model map to browser model and vendor models. Challenge is that the open federation needs seem disconnected from the on campus/vendor integration forms of federation.

Nicole suggests, “Build community awareness of changes that will impact our user communities, enable the conversations to identify the roadmap items for InCommon to implement.”  

Can we meet emerging needs with the disruptions? 

Can we deal with the not-threats but changes, opportunities?

Keith asks that everyone ponder the discussion, including chat input (below) for next meeting.

Keith invites us to review the workplan items and see if any can be removed, postponed:

Some items (NIST) will be done in March while others (middlethings) may spin up mid year. Other things are cross committee/group efforts. So some work could be other groups - wallets would be TAC or CACTI? 

BACK to draft 2022 TAC Accomplishment Reports

No concerns with approving the 2022 report given the revision.

Email Updates

CACTI Updates

From Steven Premeau:

For their first meeting of 2023, CACTI discussed the following:

• Member introductions
• Team operating logistics.
• Strategic Response to latest LassPass breach information.
• A draft of an "advice" article is being worked on by a subgroup.

CTAB Update 

From Eric Goodman:

One of the larger topics that was discussed was the NIST 800-63-4 proposed revisions.

• Kyle Lewis has already done a lot of work reviewing the draft and putting together comments on it.
• CTAB is planning to put together a workgroup to collect comments and an overall review for submission to NIST
• Tom Barton has voluntold to be the chair of this team, with Albert as Flywheel.
• TAC (we) and CACTI have also considered or agreed to create workgroups with the same goal.
• The approach will probably be to create one wokgroup that contains interested parties from all three groups.
• A Slack channel has been created on the I2 slack to facilitate discussion.
• Contact Albert(?) for invites

Beyond that, we discussed the 2023 workplan and the items therein.

• The NIST review (above) is likely to be an item on that workplan
• Framing the next chapter of federation maturity
• Not specifically about compliance
• Helping provide specific guidance to deployers, especially new federation members
• Consolidating/clarifying documentation, etc.
• Clarity on BE enforcement, operationalizing baseline
• InCommon (organizationally) called out the need to get specific guidance in this area, as it will drive, e.g., staff assignments and internal project priorities
• Assurance
• Next steps
• Assured access working group?
• RAF overlap?

Last items were around SIRTFI

• Asserting SIRTFI and BE2
  • No hard deadline for asserting SIRTFI (i.e., don’t remove people for not having it)
  • But update metadata management process to require self-assertion compliance for as part of other workflows (e.g., potentially updating metadata)
• Not all entities are asserting support
• Steering had concerns about removing institutions from the federation if this was their only BE gap
• Proposed direction forward (by steering?)
• SIRTFI working group
• Goal is to have regular SIRTFI exercises, last year’s was not intended as a one-time event.
• CTAB (Kyle) will work with I2 (Albert) to kick off communications for this year’s exercise.

International/Browser Updates

From Heather Flanagan:

International Update
REFEDS

• The REFEDS Steering Committee (SC) has approved the Anonymous, Pseudonymous, and Personalized Entity Categories.
• The MFA Profile v1.1 has concluded the community comment period. Next steps are for the working group to consider and respond to those comments before submitting the final spec to the SC for approval. 
• The REFEDS 2023 work plan will likely be approved this month, and we are planning on a Community Chat on Wednesday, 22 February to discuss that and how to increase community engagement. On 30 March, another Browser Update chat is being added to the book. 

Conferences

• The TNC23 Program Committee is meeting next week at the GÉANT offices in Amsteram to make final decisions on the submitted sessions. A draft agenda should be out soon.
• An informal list of interesting and relevant conferences for the IAM community is under development here: https://github.com/fedidcg/meetings/wiki/List-of-Identity-and-Related-Conferences---2023 

Browser Interactions

• The FedCM EDU Hackathon is scheduled for 28 February and 1 March, all day both days, in the SF Bay area. Developers from the Shib consortium, SeamlessAccess, SSP, and fedops are planning to be there. A group is meeting every other week to sort out exactly what we are going to try and accomplish that week, and are setting up the test environments now.
• Note that Google is definitely promoting Storage Access API as another option to help with certain kinds of cookie use cases.
• The FedID CG will be discussing a new proposal next week (23 January) from Mozilla about not requiring an API for IdPs. The following week we're going to focus on the Multiple IdP proposed solution within FedCM; we're hoping that Mozilla and Apple will be ready to formally take a position on the proposal at that time.

Next Call @ February 9, 2023