
roll call

Jim Green -- MSU
Maryland -- David Barks, John Pfeiffer
CIC -- Galen Rafferty
Florida -- Jeff Capehart
Internet2 -- Ann West

Action items:  Jim will coordinate with David and Galen to allow David to take over leadership of this group

David Barks -- Maryland -- volunteered to take over, at least temporarily

  • Is this helpful?  Is there a volunteer?  Process for volunteering in the future.  CIC IdM face-to-face
    • Face-to-face meeting -- group goals, what could CIOs, CIC, IdM task force do to help

Maryland -- still fairly new -- hate to see it languish -- maybe go quarterly
If the larger group is not pushing forward, keep track of the documents at least

  • Review the purpose of this group, things we've accomplished to date, and things still on the to-do list.  
    • share documentation -- any and all documents that may be needed for certification
      • management assertions
      • supporting documentation
      • alternative means statements -- AD, SHA-1
      • project planning documents
    • Toward an actual documentation cookbook? or checklist.  
    • Add more examples to documentation examples; more real examples like the VT docs
    • Improve on some of the examples, e.g. management assertions -- flesh out
    • challenges -- reluctance to share; slow progress of Silver initiatives; large amount of variation between institutions
    • Any common practices in authentication technology or identity verification processes?
    • Discuss issues relating to how things are done at the various institutions
    • Get some actual gap analyses, at least parts that may be shared
    • Some way to have an example audit report?

Ann -- Bronze cohort group -- calls to walk through the gap analysis -- use Mary Dunker's gap analysis -- identify problem areas where people have the most questions -- how do I interpret this?  how far down the stack? how are some schools addressing this?  Notes -- post on the wiki -- community guidance on how to implement pieces of Bronze -- interpretation amongst and inside individual campuses -- come to some consensus on interpretations

turn into Bronze cohort group?
assurance advisory committee looking into requiring Bronze as a basis for trust instead of just POP -- Bronze is a subset of POP -- understood targets that are federally approved -- baseline for trust -- pretty important next step for the federation
increasing trust inside the federation -- current issues with the POP -- gets out of date -- doesn't scale well -- are you going to check all 50 POPs -- some complaints about lack of transparency in some of the POPs -- doesn't require audit, so equivalent to POP, but requires more work.  Keep track to reuse documentation and approach

Jeff -- Are NIH or other agencies looking to accept or require Silver?  No production services requiring Silver right now.  NIH says ERA will require Silver -- Debbie Bucci -- for finding other scientists -- NIH EVIP, their billing service, if you're invoicing NIH, that will require multi-factor, i.e. LOA 3.  Dept. of Ed. financial aid: they're going to require Silver for financial aid access in 2014.  PSU/VT did some testing with Dept. of Ed.
FICAM under GSA, vs. agencies.  Agencies gradually getting their act together, starting to get their act together, ERA software actually supports authn context, using something like SiteMinder, academic medical centers, research and Obamacare going to require some higher LOA credentials.  Line up better with management and CIOs.

National Student Clearinghouse -- ongoing discussion with InCommon.  LIGO would love to have Silver in production today.  LIGO would like to require Silver.  CILogon -- production Silver service -- get a long term cert to access open science grid.

How many campuses have done gap analysis -- polling --  CIC poll done in Fall of 2011.

InCommon -- 25 - 30 schools -- 1.2 changes slowed people down -- kind of reworking -- looking for external services to drive further work -- look at assurance profiles as federally approved guidance for how you manage credentials on campus, way of documenting due diligence on credential and password management -- Chicago -- risk management approach

VT working on an alternative means statement for hardware tokens

Gold -- more identity proofing -- not really developed yet -- trust framework provider in FICAM -- trust framework provider application process -- table at the end that has LOA3

Duo also developing an alternative means statement for their technology

Safenet, Duo, work with campuses to develop alternative means.  Duo is easier to implement because you don't have to hand out tokens.

FICAM -- various multi-factor methods -- point to NIST-approved vendors

  • Round Robin

Maryland -- U. strategic plan -- IdM component -- kind of strategy statement for that -- checklist for what Bronze would take -- having those discussions

Jeff -- Florida -- gap analysis report released -- new password policy going into effect -- passphrase 16 of 18 characters -- long pw would get you out of some of their complexity rules -- have to test the long passwords
developing IAM strategy for university -- areas that are working well -- registry, account management, access request system -- risks and requirements -- controls could use improvement -- also performance and efficiency -- strategic IT plan, access and identity, need a little more that addresses access management, access control as opposed to accessibility

Educause IAM report -- information about IdM in higher ed -- for baselining, benchmarking -- 100 page report -- useful information

Strategic planning for identity management -- where we stand compared to everyone else -- want to be a top 10 public institution