Minutes

Attendees: Keith Wessel, Mark Rank, Eric Goodman, Joanne Boomer, Derek Eiler, Judith Bush, Heather Flanagan, Steven Premeau, Matthew Economou, Marina Krenz

Reps from other groups: David St Pierre Bantz (CTAB)

Staff / SME: David Walker, Steve Zoppi, Kevin Morooney, Nicole Roy, Albert Wu, Ann West, Andrew Scott

Scribes: Mark Rank; Jr. Assistant Scribe: Eric Goodman

Updates

  • Question about cert service – has been answered and probably handled at CACTI
  • Question – invite about CACTI: optional? On agenda
  • Reminder: no meeting for 4 weeks because of BaseCAMP
  • Invitation to join CACTI on 7/19 (encouraged)
    • Invite to join the first hour at 1:30p EDT for visit with NIST folks related to 800-63-4. Also a workshop coming up to review 3400+ community comments
  • T&I / Operations
    • Second Muse engagement to do the work with the community and do the data/doc development. Doing in July
    • TAC will be surveyed
    • Goal to have draft after TechEx
    • Thanks in advance
      • Org diversity is looking good
    • Using intermediate certs — AWS rolled both cert and intermediate cert. Caused issues. Are regrouping
    • Also tracking a login issue causing folks to logout. There is some monitoring now in place to troubleshoot. Suspect issue with AWS CDN/LBs
    • Future planning update
      • BaseCAMP count low-mid 80’s
  • International update sent
  • CTAB - discussion of priorities, no issues for call out

Scoping federation testing work - Matthew/Albert

  1. Various groups want testing suites to make onboarding easier
  2. Seeing generational turnover – there is a set of “institutional knowledge”
  3. Incoming staff at existing orgs and new orgs don’t have this knowledge / practices
  4. Desire to have something to test things are working.
  5. Most of the materials to date assume “IAM Architected” level
  6. “It’s hard to tell if things are working correctly”
  7. How does the Academy advance our objectives
  8. “Gamify” the process (the SSL Labs tooling as example)
  9. “How do I know my stuff works” vs “How do we drive adoption of practices”
    1. What can TAC do to make this useful
      1. Must have vs nice to have
      2. More a question: “What about federation interop do we care about?”
      3. What are the success/fail criteria and how are they measured?
      4. How to handle error handling
      5. What do we care about?
      6. What beyond SAML do we care about?
      7. Example
    2. What are other federation operations doing
      1. Are there practices to adopt? Yes and yes
      2. CAF “Test federation”
      3. The French have tools
      4. Possible area to start with
    3. Maybe start with a survey of existing things
      1. A tool like this, if adopted, can help drive behavior
      2. Matthew willing to start pulling together a survey
      3. I would also point to https://cilogon.org/testidp as a tool in the field
      4. Could we reach out to the SSL creator for feedback
    4. Matthew taking lead – asking for a scoping discussion
    5. Problem statement
    6. What is something practical to output
  • Suggestion: Look for a quick round of discovery of existing tools. E.g., to be completed by TechEx. Review there. Matthew will initiate this discovery. 
      1. Question is “What could you test about deployment behaviors?”
        1. Dave thinks of testing as a library of stub/simple apps that people could integrate with for their testing.
        2. Judith: testing certificate rolling could be done
        3. Tests likely vary over time (in terms of which are most interesting as things change). Would also need some way to maintain and update the test suite

A meta discussion - balancing the future of federation: how do we guide the community forward? - Albert

    1. How do we continue to move forward while still supporting the things that have made us successful? 
    2. How do we decide when to sunset support/recommendations from the past. 
      1. Juggling new “portfolio items” like wallets/DID
    3. What are the things we really care about in federation? 
      1. InCommon model assumes a couple of things, that don’t necessarily align with SaaS vendor approaches (or DID):
        1. Content owners also oversee the configuration of the SP. I.e., what organizations (IdPs) are trusted, what attributes are consumed. With SaaS services, the content owner is removed from the SP config, and IdP integrations are driven by bilateral contracts between SaaS vendor and orgs, not content owners (traditional SPs) and orgs
        2. Users are authenticating related to their organizational association. I.e., I log into your research project with my “campus identity”. SaaS vendors support “anyone can log in with an email address”; an organizational association is optional.
      2. We discuss multilateral federation so much, and don’t really consider bilateral (vendor-centric) federation as “InCommon style” federation. 
      3. Lots of comments that I wasn’t taking notes on about the differences. (Not that either is incorrect, just calling out a mindset mismatch we should keep in mind.)
    4. Premise: We have become very successful. 
    5. There are a lot of deployment type issues that are not really related to the technology. E.g., MS recently released an advisory that SPs using “Login with MS” are using the asserted email address (which can be self-asserted) rather than the “sub” claim to identify users. This is not a technical limitation, it’s a failure of implementers to understand the relevance/appropriateness of different attributes. But MS took the action to block their IdPs from releasing email addresses unless the IdP is also operated by the owner of the email domain being asserted. In InCommon terms, MS essentially made email address a “scoped” attribute. 
    6. I would love to see InCommon take a less protocol-centric approach to federation. Federation testing is going to take a different flavor for, e.g., SAML (where InCommon has less visibility into what the IdPs and SPs are doing) vs., say, RADIUS / eduroam (where the top leve
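As an added illustration of the identifier point in item 5 (not from the minutes or from the MS advisory itself), the following Python sketch keys local accounts on the issuer-plus-subject pair instead of the email claim, and treats email as a “scoped” attribute that is accepted only when its domain is one the asserting issuer is trusted for; the issuer-to-domain table and the sample claims are constructed.

```python
# Added illustration: account linking by (iss, sub) versus by a self-asserted
# email, plus an email "scope" check. The trust table below is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample: which email domains each issuer is trusted to assert.
ISSUER_EMAIL_SCOPES = {
    "https://idp.example.edu": {"example.edu", "mail.example.edu"},
    "https://login.example-vendor.test": set(),  # emails here are self-registered
}


@dataclass(frozen=True)
class LocalIdentity:
    issuer: str
    subject: str


def identity_from_claims(claims: dict) -> LocalIdentity:
    """Account key built from the stable issuer/subject pair, never from email."""
    return LocalIdentity(claims["iss"], claims["sub"])


def email_account_key(claims: dict) -> str:
    """The pattern the advisory warns about: keying accounts on the email claim."""
    return claims["email"].lower()


def scoped_email(claims: dict) -> Optional[str]:
    """Return the email only if its domain is in the asserting issuer's scope."""
    email = claims.get("email")
    if not email or "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    if domain in ISSUER_EMAIL_SCOPES.get(claims["iss"], set()):
        return email.lower()
    return None


# Constructed claim sets: a campus login, and an account at another issuer whose
# owner self-registered the same email address.
CAMPUS = {"iss": "https://idp.example.edu", "sub": "a1b2c3", "email": "jdoe@example.edu"}
VENDOR = {"iss": "https://login.example-vendor.test", "sub": "z9y8x7", "email": "jdoe@example.edu"}


def demo():
    """Returns (collide_by_email, collide_by_sub, campus_email, vendor_email)."""
    by_email = email_account_key(CAMPUS) == email_account_key(VENDOR)
    by_sub = identity_from_claims(CAMPUS) == identity_from_claims(VENDOR)
    return by_email, by_sub, scoped_email(CAMPUS), scoped_email(VENDOR)


if __name__ == "__main__":
    print(demo())
```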

Email Updates

CACTI

from Steve P.:

During its last meeting, CACTI primarily discussed plans and goals for the conversation with NIST currently scheduled for the first hour of the July 19th meeting (TAC members have been invited to that conversation.) 

A response was received from the eduroam Advisory Committee regarding the potential impacts of proposed changes to the RADIUS protocol.

(The full response should be in the CACTI public minutes soon to be published. My TL;DR version - a full response will take more discussion, but eAC saw an opportunity to leverage a forthcoming Best Practices guide to address some of the concerns.)

International

from Heather F:

  • It's summer time, which means Europe has evaporated as everyone takes vacation.
  • The Asia-Pacific region, however, has announced its next APAN meeting, which includes the Identity and Access Management Task Force. The next meeting is 21-25 August in Sri Lanka.

REFEDS

  • The MFA Profile v1.2 consultation has now closed. The REFEDS Assurance WG will respond to the comments over the next few weeks.
  • The consultation for the REFEDS Assurance Framework v2.0 is still open through 26 July. Please take a moment to review the materials and add your comments to the consultation page. Note that a note that indicates support is entirely welcome; it lets the group know the material has been seen.

Other news

Next Call @ July 27, 2023

(July 13 meeting cancelled)