Draft Minutes, Assurance Implementers Call, 5-June-2013

Attending

Ann West, InCommon
Mary Dunker, Virginia Tech
Wes Hubert, University of Kansas
Eric Goodman, UCOP
Mark Rank, UCSF
Diane Sheldon-ku, Duo Security
Dave Langenberg, U. Chicago
Brett Bieber, Univ. of Nebraska, Lincoln
Jeff Capehart, University of Florida
Steven Carmody, Brown
David Walker, InCommon
Mark Jones, UT Houston-HSS
Benn Oshrin, Berkeley/NYU/Spherical Cow Consulting, LLC
Emily Eisbruch, Internet2, scribe

DISCUSSION

Shib IdP Enhancements

The Shib IdP Enhancements RFP submission period has closed. Responses are being reviewed, and the selected proposal should be announced in about one month. The goal is for the work to be completed by the end of 2013.

https://spaces.at.internet2.edu/display/InCAssurance/InCommon+Assurance+Program#InCommonAssuranceProgram-RequestforProposal%3AShibbolethIdentityProviderEnhancements

CIC Assurance Documentation Group

http://bit.ly/Yu2erK

Jim Green, who has been leading the CIC Assurance Documentation group, has been reassigned to a new position at Michigan State University.  New leadership is being sought for this group, which meets monthly to share experiences and documentation around Assurance adoption.  Let Jim know if you can help.

Assurance Advisory Committee

Mary noted that the AAC appreciated the feedback that was provided on the May 8 Assurance Implementers call about campus impacts of making Bronze a baseline standard for InCommon IdPs.  The AAC is exploring this idea and will report back.

...

A: The current discussions center on Level 1 InCommon Members achieving Bronze in 18 months. IdPs in other tiers are given a longer time, with increments of six months being used for each additional pricing tier. Tiers are shown here: http://www.incommon.org/fees.html

David noted that POPs are hard to enforce, and easily become out of date, and that the Bronze Assurance program is more scalable.

"Failed Authentication Counter" Proposal

http://bit.ly/1b1A1L7

Benn reviewed his "Failed Authentication Counter" proposal. The goal is to develop a more workable approach to the password entropy calculation requirements in the assurance profiles. The current requirements are not suitable for some institutions, such as UC Berkeley and NYU. The proposed "Failed Authentication Counter" approach is simpler: it counts the number of failed authentication attempts against a credential and takes action, such as locking out the credential, when that count crosses a threshold.
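The mechanism described above, as an added example (this is not code from the call or from Benn's proposal, and the threshold of 5 failures, the 15-minute lockout and the in-memory store are assumptions chosen for illustration). It shows the two points a practitioner would want from such a counter: the password check is never run while the credential is locked, and the counter puts a computable ceiling on online guessing, which is what the approach bounds instead of calculating password entropy:

```python
"""Failed-authentication counter with threshold lockout.

Added example, not part of the minutes or of the proposal text.
Threshold, lockout length and the in-memory store are assumed values.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict
import time


@dataclass
class CredentialState:
    failures: int = 0          # failures since the last success or unlock
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class FailedAuthCounter:
    threshold: int = 5                      # assumed: failures that trigger lockout
    lockout_seconds: float = 900.0          # assumed: 15-minute lockout
    clock: Callable[[], float] = time.time  # injectable for testing
    _state: Dict[str, CredentialState] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        st = self._state.get(user)
        return st is not None and self.clock() < st.locked_until

    def attempt(self, user: str, verify: Callable[[], bool]) -> str:
        """Gate one authentication attempt for `user`.

        `verify` performs the real credential check (for example a password
        compare) and is only called when the credential is not locked, so an
        attacker learns nothing about the secret during the lockout window.
        Returns "ok", "fail" or "locked".
        """
        st = self._state.setdefault(user, CredentialState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"            # reject without evaluating the secret
        if st.locked_until:            # a previous lockout has expired
            st.failures = 0
            st.locked_until = 0.0
        if verify():
            st.failures = 0            # a success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "fail"


def max_online_guesses(threshold: int, lockout_seconds: float,
                       lifetime_seconds: float) -> int:
    """Upper bound on online guesses against one credential over its lifetime.

    Each batch of `threshold` failures costs the attacker `lockout_seconds`,
    and the counter only clears on success or lockout expiry, so the attacker
    gets at most `threshold` guesses per lockout period, plus one initial
    batch before the first lockout.
    """
    if threshold < 1 or lockout_seconds <= 0 or lifetime_seconds < 0:
        raise ValueError("threshold >= 1, lockout > 0, lifetime >= 0 required")
    periods = int(lifetime_seconds // lockout_seconds) + 1
    return periods * threshold


if __name__ == "__main__":
    counter = FailedAuthCounter(threshold=3, lockout_seconds=60.0)
    for _ in range(3):
        print(counter.attempt("alice", lambda: False))  # fail, fail, locked
    print(counter.is_locked("alice"))                  # True
    print(max_online_guesses(5, 900, 86400))           # 485
```

The counter here resets only on a successful login or when a lockout expires; a deployment would also want to decide whether legitimate users' stray failures should decay over time, and whether lockout state lives in a shared store so that a multi-node IdP enforces one count per credential.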

...

Moving forward, Benn will spin up a subgroup to look at this proposal.

AD Alternative Means Work

http://bit.ly/14CPlPu

https://spaces.at.internet2.edu/display/InCAssurance/AD+Alternative+Means+-+2013

Eric reported that the AD Alternative Means Group is making good progress. The group's charge is to analyze using AD to comply with the IAPs, and to develop guidance and specific pre-approved Alternative Means to bridge any gaps. The group has found that most of the topics are already covered in the AD Cookbook developed under the leadership of Nick Roy:

https://spaces.at.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook
 
The AD Cookbook gives general advice in most cases, and this group is trying to be more specific about whether or not AD meets the requirements under particular configurations. Also, when the AD Cookbook was written, the spec was at 1.1, and there are some relevant changes in the new IAP 1.2. The important AD-specific gaps concern support for insecure protocols retained for backwards compatibility. Some elements that were originally only recommended in the AD Cookbook are now required, such as using BitLocker or something like it to secure the AD password store.

...

Ann: Once the updates to the AD Cookbook are farther along, we will send out info to the Assurance and InCommon participants lists and solicit community review.

Other Questions

SHA-1 Question

DaveL: SHA-1 won't be approved after Dec 31, 2013. This could cause a problem for InCommon Assurance, since few browsers support SHA-2.

...