CACTI Call June 9, 2020
Attending
Members
- Tom Jordan, University of Wisc - Madison (chair)
- Jill Gemmill, Clemson (vice chair)
- Rob Carter, Duke
- Matthew Economou, InCommon TAC Representative to CACTI
- Michael Grady, Unicon
- Karen Herrington, Virginia Tech
- Les LaCroix, Carleton College
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
Internet2
- Kevin Morooney
- Ann West
- Steve Zoppi
- Nick Roy
- Jessica Fink
- Emily Eisbruch
- Mike Zawacki
Regrets
- Christos Kanellopoulos, GEANT
- Margaret Cullen, Painless Security
- Nathan Dors, U Washington
- Marina Adomeit, SUNET
Action Items from this call
AI Jessica - help coordinate a quarterly update from CACTI to community on best practices, trends and directions
AI TomJ - Add as an agenda item for a future CACTI call: Operationalizing containers
AI TomJ - Revise identity service prospectus with
- Model for individual institution
- Model for HE identity registry
- Federation brokering service to endorse assertions
Discussion
- Agenda bash
- AI TomJ: Operations should be an agenda item for a future meeting
- Update from InCommon TAC - Les
- Reminder of Hiring for IAM webinar tomorrow June 10, 2020
- Posted as of June 12:
Update from InCommon TAC - Les
- Last few InCommon TAC meetings have included discussion of Seamless Access (https://seamlessaccess.org/about/community/) and the Entity categories and attribute bundles Working Group and new proposed deployment profile
- Three entity categories are being proposed
- Authentication only
- Anonymous Authorization
- Pseudonymous Authorization
- Use of new OASIS user identifiers, there is a bit of a chicken/egg situation:
- SPs haven't been asking for them because IdP operators haven't largely implemented them yet
- Uptake is slow for IdP operators, though, because SPs haven't been asking for them
- There was a suggestion to make the new OASIS user identifiers part of profile and require them for InCommon
- Does CACTI have a role in moving the new entity categories and user identifiers forward?
- SUBJECT ID is recommended for orgs w ADFS implementations
- EdupersontargetedID does not work well in ADFS
- See info from the Australian Access Federation around NON targeted ID https://aaf.edu.au/support/resources.html#aaf-core-attributes
- CACTI might offer advocacy and best practices for adoption and reference implementations
- Cover operational considerations, including need for extra schema
- There is likely a gap in how CACTI interfaces with the community
- Baseline Expectations provides coordination and guidance to the community around expectations.
- But CACTI should be calling the community’s attention to best practices and trends and directions.
- Suggestion for a periodic blog post from CACTI about trends and things to be aware of
- Perhaps CACTI should commit to providing a quarterly update
- AI Jessica - help coordinate a quarterly update from CACTI to community on best practices, trends and directions
- Important to coordinate with InCommon TAC on the quarterly updates
- CACTI’s interaction with IDPro fits in here also
- Could be helpful to provide a one-pager on why subjectID is important, to provide a broader perspective
Identity and Access Management - registration service prospectus/next steps (Tom)
- TomJ created a draft prospectus as follow up to the discussion with UCSD about an identity and access management service at the May 267, 2020 CACTI call.
- Good to have Pal or others share their EDU ID story https://eduid.se/en/
- Comment: A service is a compelling idea, especially if adoption scenario is straightforward.
- It would be attractive if campuses could offload digital identity management but still preserve the student experience and manage the security boundary
- There are interesting architecture questions
- Learning from other efforts:
- Question: What did we learn from InCommon Bronze and Silver Assurance efforts that we could apply to this?
- Previous efforts that CACTI should learn from include:
- PESC and National Student Clearinghouse, and COMMIT
- Issue was around lack of funding model
- There was discussion about 5 years ago on a notary service, some of those notes might be relevant. Central database for identity proofing.
- AnnW: National Student Clearinghouse is doing similar things to what this prospectus is discussing. Doing this with AACRAO. Query NSC database for matching attributes; if there are none then an identifier is created, for longitudinal data thru the clearinghouse. See National Learner Record Index info here
- For connecting identity proofing back to risk, understanding what requires higher levels for identity proofing, NIST has useful guidance
- Further refining the vision:
- Some use cases only require self assertion, some require stronger identity proofing
- Risk calculation issue could be spelled out better in the prospectus
- Intrinsic and extrinsic attributes could be explained in the prospectus
- Carleton relies on HR and admissions departments to do identity proofing
- U Wisconsin uses I9 for employees, there is value in making that vetting visible to other business processes, and same for other vetting that is done
- BillT: the vetting is tightly coupled w institutional business process
- Is the proposal for an entity registry service or for a national HE entity registry?
- Use as authentication and profile management for whatever institution I go to?
- I access services thru my home institution’s IDP, but still maintain my profile in a registry for all of HE
- Scoping is important
- Self sovereign identity record? IRMA? Info card idea? https://privacybydesign.foundation/en/
- Self managed identity
- In ORCID, much is self attested
- LINKEDIN for higher ed, put the user in control
- Allow the user to make a claim they have gotten a degree and provide a way to verify
- Subject attribute proxy
- Takes time to achieve buy in and big view
- Like X509, needs maintenance
- Plan for self sovereign
- Suggestion to Loop in Phil W to this discussion
- Is the info opaque to the operator of the institution?
- Risk is real if info is not opaque to operator
- But some of the significant use cases require that some data is NOT opaque
- Two different things: depending on whether this is for all of Higher Ed or not
- Could write the prospectus in two different ways and assess the interest
- Next steps
AI Tom J Revise prospectus with
Model for individual institution
Model for HE identity registry
Federation brokering service to endorse assertions
Next Meeting: Tuesday, June 23rd, 2020