Versions Compared

Old Version 15

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

compared with

New Version Current

changes.mady.by.user w4ufl@ufl.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Name spelling correction

...

Slides used for this Assurance Call are here.

Attending:

Ann West, Internet2
David Walker, Internet2
Steve Devoti, UW-Madison/AAC Chair
David Walker, Internet2
Mark Jones, UT Houston
Eric Goodman, UCOP
Benn Oshrin, Spherical Cow Consulting
Randy Miotke, Colorado State University
Susn Neitsch, Texas A&M University
Tom Golson, Texas A&M University
Jeff CapehardtCapehart, University of Florida

Discussion

...

Today's call will focus on InCommon Assurance and US Government Discussions Slides used for this Assurance Call are here.

Topics:

  • Update on the FICAM Program
  • Implications on the InCommon Assurance Program
  • Next Steps for the Assurance Advisory Committee (AAC)

...

FICAM was based on NIST 800-63.
Currently there are 3 FICAM Approved Trust Framework Providers:

...

FICAM 1.0 spec and related documents focused on identity provider and credential practices.
Since With the approval of FICAM 2.0, there are changes. FICAM 2.0 also encompasses:

...

Much progress in the discussions with FICAM. See slide 6 for details.

componentized servicesComponentized Services

An important topic is componentized services (see slide 7 and 8 for details )

Discussions with NIH and NSF

See slide 9

InCommon's discussions with NIH and NSF resulted in FICAM accepting our standardized attribute bundle (R&S) rather than the attributes FICAM had been requiring (which has included legal name and DOB)

GSA (home agency for FICAM) has joined InCommon,  GSA will likely be the focal point for other agencies.

Community Profiles

See Slide 10

  • In addition to the FICAM-based Bronze and Silver profiles, there are community needs, such as for an MFA profile.Ability to assert Multi Factorness to a provider like Workday, would be triggered based on a need to access a financial record.
  • Also need to replace the POP approach of "Post your Practices" and have baseline practices

Next Steps for the Assurance Advisory Committee (AAC)

Steve Devoti, AAC chair, reported

  • The AAC is working to revise its charter to do more than manage the assurance process for certification. This does not expand a lot the AACs charge. But it is broader than managing a process.
  • The AAC is looking at what needs to be modified to increase trust within the federation. The goal is to get people on the road to higher trust and higher assurance.
  • We have received feedback (from our SP partners) on the lack of usefulness of the POP and the lack of compliance. Some InCommon participants are not updating their POPs.
  • We have talked about decomposing the assurance profiles into trust marks to drive incremental progress within the federation.
  • There is work at GA Tech on Trust Marks https://trustmark.gtri.gatech.edu/the-pilot/

Q&A

EricG asks, there is Vectors of Trust group.

https://www.ietf.org/mail-archive/web/ietf-announce/current/msg13215.html

The  The UC system is are is taking a similar approach in standards, for incremental progress short of silver.Is  Is there a sense of what the scope of the trustmarks (being discussed by the AAC_ ) might be?  Wants to do things that would map to trustmarks.  Are there specific targets that would be  be useful for us to use?

SteveD: The AAC's work on this is at the beginning. The AAC has not yet taken our InCommon assurance profiles and deomposed decomposed them into trust marks yet.

The GA Tech people have GTRI group has looked at breaking 800-63 into trustmarks.

...

For a community MFA profile, there are decisions on how granular to be. There are apps that want MFA. Some campuses have MFA and some don't. Under what circumstances would the SP application trust that MFA had been done by the campus, Versus versus the app requiring its own MFA. Don? We don't want  want to have campus MFA plus ALSO application MFA.

It was noted that with a light/simple definition of MFA trustmark (MFA? Y or N), there are concerns. Example: an SP that remembers you the user for 30 days (, with no forced reauthentication)re-authentication. There would be a need to disallow that kind of practice.

TIER

Question: How does the TIER work related to Assurance?
Info on TIER:https://drive.google.com/folderview?id=0BzRHp0xie6WFUVRqQXBwd3VSa1U&usp=sharing

Ann: TIER aims to accelerate IDM across HE. We need to help researchers get access to services,including participants in a VO. Also need to accelerate abililty ability for schools that don't have an effective IDM system and need one to access federated services.

...

Ann: Don't know yet. TIER is in an early stage. Requirements are not yet set by the community.

Next Assurance Implementers Call: Jan. 2015 (no call in Dec. 2014)

===

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu
office: +1-734-352-4996 | mobile +1-734-730-5749