...

Draft Minutes: Assurance Call 4-Dec-2013

Attending:
Ann West, InCommon/Internet2
Arnie Miles, Georgetown
Benn Oshrin, NYU/UC Berkeley/SCG
David Walker, InCommon
Mary Dunker, Virginia Tech
Jeff Capehart, Univ. of Florida
Lee Trant, U Nebraska Medical Center
Eric Goodman, UCOP

...

Reading Bronze – Looking for some light reading? Join the community every other Thursday for a discussion of the Bronze Identity Assurance Profile. The first call is December 5 at 3:00 pm ET; the next call is scheduled for Thursday, Dec. 19 at 3:00 pm ET. See the Assurance wiki for more information.

...

The AD Assurance group is making edits to the updated AD Assurance Cookbook ("InCommon Silver with AD Domain Services Cookbook") based on the suggestions received during the comment period of Oct. 2 - Nov. 8, 2013.

Assurance Advisory Committee (AAC) Update

...

Virginia Tech has been involved with the Federal Cloud Credential Exchange (FCCX, pronounced "F-6") effort. Virginia Tech has submitted some questions and is waiting for the response. One of the biggest issues: if there is no existing agreement with a trust federation like InCommon, Virginia Tech would want some kind of contract in order to release attributes. The hope is that the FCCX gateway will have a relationship with InCommon, so that the trust framework already in place can be leveraged.

...

Ann said that she and others recently had a call with Anil John, who is program manager for FICAM and chair of the FCCX technical committee. Anil supports having FCCX join InCommon. FCCX is looking at an attribute bundle that would be released by IdPs accessing federal applications through FCCX. There are some issues to work through; for example, one of the attributes mentioned was "legal name", which is not an attribute in eduPerson.

Assurance Enhancements for the Shib IdP / Multi-context Broker Plugin

https://spaces.at.internet2.edu/display/InCAssurance/Shibboleth+Enhancements+-+Project+Status

David reported that the Shib Enhancements work (known as the Multi-context Broker) is in the acceptance-testing phase. All issues identified by the acceptance testers have been fixed by the developer; the testers are now reviewing those fixes to decide whether to give their stamp of approval.

David presented the Multi-context Broker project a few times during ID Week, and the response was positive. The initial purpose of the Shib enhancements was to add an indication of Bronze or Silver as part of the authentication process. Campuses are now thinking about using the Multi-context Broker to improve integration with AD and for other purposes, as seen in these notes from Advance CAMP: https://spaces.at.internet2.edu/display/ACAMPScribe2013/Multi-Context+Broker+and+Bootstrapping+AuthN+Requirements

David reported that there is interest in a Duo authentication module for the Multi-context Broker. There is also interest in a module to be used with X.509.

Failed Authentication Attempts Effort

Benn reported that there is no update at this time on the failed-authentication-attempts-counter work.
However, there was discussion of this topic at Advance CAMP: https://spaces.at.internet2.edu/display/ACAMPScribe2013/Tues+4.15pm+Monterey

Round Robin

Mary reported that Virginia Tech was certified under v1.1 and is required to move to v1.2 per the earlier announcement to the community.
Several issues around approved algorithms have required review as part of the 1.2 certification.
Concerning the SHA-1 issue, the hope is that the SPs with which Virginia Tech users interact will support SHA-2.
There is an effort to identify the relevant SPs for Virginia Tech users and be sure those SPs can support SHA-2.
Then Virginia Tech will implement the plug-in for SHA-2.
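The SP survey described above (identify the SPs that Virginia Tech users rely on and confirm they can handle SHA-2) can be partly automated from federation metadata: the SAML V2.0 Metadata Profile for Algorithm Support (namespace urn:oasis:names:tc:SAML:metadata:algsupport) lets an SP advertise the digest and signing algorithms it accepts. The script below is an added example written for this page; it is not part of these minutes and not InCommon, Virginia Tech or Shibboleth code. The metadata aggregate it reads is constructed, the entity IDs are hypothetical, and the three-way status (sha2-ready / sha1-only / unknown) is this example's own labelling.

```python
"""Triage SP metadata for SHA-2 readiness via the SAML algorithm-support profile.

Added example for these minutes; not InCommon, Virginia Tech or Shibboleth code.
The metadata below is constructed and the entity IDs are hypothetical.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    # SAML V2.0 Metadata Profile for Algorithm Support
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}


def algorithm_family(uri: str) -> str:
    """Map an XML Signature algorithm URI to its hash family by its fragment."""
    frag = uri.rsplit("#", 1)[-1].lower()  # e.g. "rsa-sha256"
    if frag.endswith("sha1"):
        return "SHA-1"
    if frag.endswith(("sha256", "sha384", "sha512")):
        return "SHA-2"
    return "other"


@dataclass
class AlgReport:
    entity_id: str
    digest: list[str] = field(default_factory=list)   # alg:DigestMethod URIs
    signing: list[str] = field(default_factory=list)  # alg:SigningMethod URIs

    def status(self) -> str:
        # No algsupport extension at all: the SP said nothing, so ask its operator.
        if not self.digest and not self.signing:
            return "unknown"
        # Ready only if the SP accepts a SHA-2 digest AND a SHA-2 signature method.
        sha2_digest = any(algorithm_family(a) == "SHA-2" for a in self.digest)
        sha2_signing = any(algorithm_family(a) == "SHA-2" for a in self.signing)
        if sha2_digest and sha2_signing:
            return "sha2-ready"
        return "sha1-only"


def audit_sp_metadata(xml_text: str) -> list[AlgReport]:
    """Collect advertised digest/signing methods for every EntityDescriptor.

    The profile allows the extension at entity level or inside the role
    descriptor, so both are picked up by walking the whole entity.
    """
    root = ET.fromstring(xml_text)
    md_entity = f"{{{NS['md']}}}EntityDescriptor"
    # Accept a single EntityDescriptor or an EntitiesDescriptor aggregate.
    entities = [root] if root.tag == md_entity else root.findall("md:EntityDescriptor", NS)
    reports = []
    for ent in entities:
        rep = AlgReport(entity_id=ent.get("entityID", ""))
        rep.digest = [e.get("Algorithm", "") for e in ent.iter(f"{{{NS['alg']}}}DigestMethod")]
        rep.signing = [e.get("Algorithm", "") for e in ent.iter(f"{{{NS['alg']}}}SigningMethod")]
        reports.append(rep)
    return reports


def summarize(xml_text: str) -> dict[str, str]:
    """entityID -> 'sha2-ready' | 'sha1-only' | 'unknown'."""
    return {r.entity_id: r.status() for r in audit_sp_metadata(xml_text)}


# Constructed sample aggregate: one SHA-2-capable SP, one SHA-1-only SP, and one
# SP that advertises nothing (the bucket that needs a phone call, not a guess).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
  <md:EntityDescriptor entityID="https://sp-a.example.edu/shibboleth">
    <md:Extensions>
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" MinKeySize="2048"/>
      <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


if __name__ == "__main__":
    for entity, state in summarize(SAMPLE_METADATA).items():
        print(f"{state:11} {entity}")
```

Point the script at a real federation aggregate to get a first cut of the list; the "unknown" entries are SPs that advertise no algorithm support at all, which is not evidence that they reject SHA-2, only that their operators have to be asked before the IdP is switched over.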

====
Jeff Capehart reported that the University of Florida has done a gap analysis and an overall audit on IDM. There will be upcoming meetings with the CIO to present the report and discuss it. Some areas must be addressed in order to meet InCommon Silver. The SHA-1 and SHA-2 issues are of particular interest after today's discussion.

Use of eduroam is of interest at U. Florida. It was noted that eduroam does not ask for an AuthnContext; rather, eduroam authentication is done via RADIUS servers. Ann noted that eduroam is a credential consumer (not a provider), so it does not fall under our current assurance program, but it does fall within the framework.

Mary commented that Virginia Tech does not use eduroam (they use another wireless server), and the use of RADIUS servers was considered a roadblock to the use of eduroam there. Ann mentioned that some schools have separate passwords for their wireless service; Virginia Tech does this too.

====

Lee Trant reported that U. of Nebraska Medical Center has recently submitted documentation for Bronze certification.
The issues with SHA-1 and SHA-2 are of interest, and it will be useful to discuss those on the "Reading Bronze" calls.

Ann noted that the U. of Nebraska Bronze application has been received by InCommon and a response will be forthcoming.

====

Eric Goodman stated that there is interest in the UC System in looking at assurance profiles and considering doing a self-audit.
A decision must be made on whether to refer to the assurance profiles that were developed along with UCTrust (before InCommon Silver was developed) or to refer to the InCommon Silver profile for the purposes of the proposed audit. There is discussion with the UC System CIOs to formalize and clarify the audit process.
One thing that was called out for the UC assurance profile-Reading Bronze