TAC Meeting 2016-05-26

Thursday, May 26, 2016
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Dial-in Information

+1-734-615-7474 (preferred) (use this number unless you pay for long distance)
+1-866-411-0013 (US and Canada) (use this number if you pay for long distance)

Access Code: 0139713#

eDial: http://edial.internet2.edu/call/0139713

SIP: sip:session_0139713@edial.internet2.edu

If you are on a phone lacking a mute button, you can mute your phone via eDial by pressing ##1. To unmute, press ##1 again.

Agenda

  1. Agenda Bash
  2. Review/approve minutes from F2F at Global Summit
  3. Ops Update 2016-05-26 (Tom S)
  4. TAC 2016 priorities (Steve C)
    1. Updates from Steve C, Jim J, Mark S on merging TAC goals with T&I priorities (see notes below)
    2. Proposed next steps (see notes below)
    3. (add to/revise as you like)
  5. Update from GS meeting on TAC stance with regard to security vulnerabilities in federating software used in InCommon (notes) (Steve C)
    1. See write-up on lack of legal basis for staff de-listing metadata/changes needed from Nick
  6. Request from Mike Corn for public response on Office365 identifier checking problem (Nick)
    1. Office365 is not an InCommon SP
    2. The problem is one that is generally applicable to InCommon SPs that don't check scope or strongly bind identifiers to issuers
    3. Tom wrote a blog about this: Scoped User Identifiers (unpublished)
    4. Question: How best to communicate to Participants/etc to achieve maximum desired impact? What kind of framing is needed?
  7. Request from Lukas Hämmerle on eduGAIN connectivity check results for InCommon (email thread) (Nick)
    1. eduGAIN Connectivity Check Service (for incommon.org)
    2. Dynamic Analysis of IdP Endpoints
      1. Question: should the functionality in "Dynamic Analysis of IdP Endpoints" be built-in to https://met.refeds.org so it can be useful to others, and we can get automated reports on these numbers?
    3. Question: Should InCommon staff communicate with IdPs highlighted in Lukas' report, Tom's report, or just tag them hide-from-discovery, or something else?
  8. Update on discussion with Microsoft re: support for federation at Global Summit (Nick, Walter, Steve)
  9. Spinning up Per-Entity Metadata Working Group - chair?  Recruiting? (??)
  10. (your agenda item here)

Notes – "What TAC is Being Asked to Do, Work Items and Roadmap"

...

Notes - Proposed Next Steps

  1. review several items in the DRAFT TAC Work list in order to develop evaluation criteria
    1. On the previous call we discussed a potential list: 
      1. Value to Community
      2. Value to InCommon
      3. Short Term Priority
      4. Long Term Priority
      5. IC Staff involvement required for Working Group
      6. IC staff involvement required to take WG product to PROD
      7. Operational workload on IC staff after product reaches PROD
    2. We're wondering if this list is too heavyweight, given how our Working Groups organize and do their work
    3. We're wondering if "Value to Community" (defined several ways) would be a sufficient criterion
  2. Over the next week TAC members would tag items to indicate the ones they feel are more important

Information

  1. REFEDS R&S Clarification Proposal

Carryover Action Items

  1. Paul Caskey will take charge of the goal “Making Federation Easier”

  2. Steven Carmody and Michael Gettes will develop a short white paper to document the requirements and goals related to attribute release.

  3. Ann West will develop a service-level agreement concerning the IdP of Last Resort for Leif Johansson and UnitedID

  4. Steve Zoppi, Steve Carmody, and Paul Caskey will come back to TAC in two weeks with a proposal concerning "making Shib easier;" specifically about how to leverage work already done through TIER to attract schools and individuals willing to commit to development help.

  5. Tom Scavo will run a comparison of the 47 SAML1-only SPs in the InCommon with the SAML1-only SPs currently in eduGAIN metadata.

  6. Steve Carmody will follow up with spinning up documentation around Duo deployment best practices, may be homed in MFA interop WG

Minutes

Attending: Walter Hoehn, Mark Scheible, Kim Milford, Tom Barton, Jim Jokl, Steve Carmody, Ian Young, Janemarie Duh, Scott Cantor, Chris Misra

With: Dean Woodbeck, David Walker, Mike LaHaye, Tom Scavo, IJ Kim, Paul Caskey, Steve Zoppi, Ann West, Kevin Morooney

Minutes from May 17

Approval deferred pending language re: incident response (note - language changed on the minutes on the wiki). Approved

Ops Update

Tom Scavo presented the Ops Update and shared a link to the issues that are unresolved or recently resolved.

...

  1. Implement a whitelist of entityID prefixes: “http://”, “https://”, “urn:mace”

  2. Filter all imported IdP entities with an endpoint location that is not HTTPS-protected

  3. Filter all imported <mdui:Logo> elements (not entities) with a URL that is not HTTPS-protected

  4. Filter all imported IdP entities with a faulty <shibmd:Scope> element
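The four import filters proposed in the Ops Update, together with the issuer/scope binding check that agenda item 6 says InCommon SPs should perform, as an added Python example. This is not code from the page or from InCommon's metadata pipeline; the sample aggregate, the entity names and URLs, and the definition of a "faulty" <shibmd:Scope> element are constructed assumptions.

```python
# Added example (not InCommon code): rules 1-4 over a SAML metadata aggregate,
# plus the issuer/scope binding check an SP should make on scoped identifiers.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
ENTITYID_PREFIXES = ("http://", "https://", "urn:mace")   # rule 1 whitelist from the minutes
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
SCOPE_TAG = "{%s}Scope" % NS["shibmd"]

def entity_id_allowed(entity_id):
    """Rule 1: entityID must start with a whitelisted prefix."""
    return entity_id.startswith(ENTITYID_PREFIXES)

def idp_endpoints_all_https(entity):
    """Rule 2: every endpoint under an IDPSSODescriptor must be HTTPS (SP-only entities pass)."""
    for idp in entity.findall("md:IDPSSODescriptor", NS):
        for el in idp.iter():
            for attr in ("Location", "ResponseLocation"):
                loc = el.get(attr)
                if loc is not None and not loc.lower().startswith("https://"):
                    return False
    return True

def drop_non_https_logos(entity):
    """Rule 3: remove individual mdui:Logo elements (not the entity) with a non-HTTPS URL."""
    removed = 0
    for uiinfo in entity.iter("{%s}UIInfo" % NS["mdui"]):
        for logo in list(uiinfo.findall("mdui:Logo", NS)):
            if not (logo.text or "").strip().lower().startswith("https://"):
                uiinfo.remove(logo)
                removed += 1
    return removed

def scope_is_sane(scope):
    """Rule 4. Assumed meaning of 'faulty': empty, a literal that is not a hostname, or an uncompilable regexp."""
    value = (scope.text or "").strip()
    if scope.get("regexp", "false").lower() != "true":
        return HOSTNAME_RE.match(value) is not None     # an empty value fails here too
    try:
        return bool(value) and re.compile(value) is not None
    except re.error:
        return False

def filter_metadata(xml_text):
    """Apply rules 1-4 to an EntitiesDescriptor; returns (pruned root, report)."""
    root = ET.fromstring(xml_text)
    report = {"bad_prefix": [], "non_https_endpoint": [], "bad_scope": [], "logos_removed": 0, "kept": []}
    checks = (("bad_prefix", lambda e: entity_id_allowed(e.get("entityID", ""))),
              ("non_https_endpoint", idp_endpoints_all_https),
              ("bad_scope", lambda e: all(scope_is_sane(s) for s in e.iter(SCOPE_TAG))))
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        eid = entity.get("entityID", "")
        failed = next((name for name, ok in checks if not ok(entity)), None)
        if failed:
            report[failed].append(eid)
            root.remove(entity)                        # rules 1, 2 and 4 drop the whole entity
        else:
            report["logos_removed"] += drop_non_https_logos(entity)   # rule 3 drops only the logo
            report["kept"].append(eid)
    return root, report

def identifier_bound_to_issuer(idp_entity, scoped_id):
    """SP-side check from agenda item 6: the scope of a scoped identifier must match a shibmd:Scope of its asserting IdP."""
    if "@" not in scoped_id:
        return False
    scope = scoped_id.rsplit("@", 1)[1].lower()
    for s in idp_entity.iter(SCOPE_TAG):
        value = (s.text or "").strip()
        if s.get("regexp", "false").lower() == "true":
            if re.fullmatch(value, scope, re.I):       # assumption: regexp scopes match the whole scope
                return True
        elif value.lower() == scope:
            return True
    return False

# Constructed sample aggregate; attributes the filters do not inspect are omitted.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope><mdui:UIInfo>
   <mdui:Logo>https://idp.example.edu/logo.png</mdui:Logo>
   <mdui:Logo>http://idp.example.edu/old-logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
  <md:SingleSignOnService Location="https://idp.example.edu/idp/SSO"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.plaintext.example/idp"><md:IDPSSODescriptor>
  <md:SingleSignOnService Location="http://idp.plaintext.example/idp/SSO"/></md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="ldap://idp.oddprefix.example/idp"><md:IDPSSODescriptor>
  <md:SingleSignOnService Location="https://idp.oddprefix.example/idp/SSO"/></md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.badscope.example/idp"><md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope>not a domain!</shibmd:Scope></md:Extensions>
  <md:SingleSignOnService Location="https://idp.badscope.example/idp/SSO"/></md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor>
  <md:AssertionConsumerService Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/></md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Rules 1, 2 and 4 remove the whole EntityDescriptor, while rule 3 removes only the offending logo, so an IdP with one bad logo stays in the aggregate. Rule 2 is scoped to IdP entities, which is why the sample SP with a plain-http AssertionConsumerService survives the filter. `identifier_bound_to_issuer` is the SP-side complement: an SP that accepts a scoped identifier without comparing its scope to the asserting IdP's metadata scope is exactly the failure mode the Office365 item describes.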

Update on Discussion with Microsoft

Nick Roy, Walter Hoehn, and Steve Carmody met with representatives from Microsoft during the Global Summit to follow up on the interoperability spec and the lack of comment from Microsoft to date. The meeting included three Microsoft reps (education rep, program manager for Azure, and program manager for ADFS). None were familiar with the spec, so the session focused on ADFS and Azure and the mismatch between those products and the multifederation model. The meeting seemed productive as an educational session.

Security Vulnerabilities

There was discussion as a follow-on to the Global Summit discussion about the potential for an InCommon incident response process and the potential removal of entity descriptors or compromised key material from the InCommon metadata. This was prompted by the approaching end-of-life of Shibboleth IdPv2. Nick drafted a document with the problem statement, the current lack of basis for any such action by InCommon, and a proposed solution.

...

TAC also needs to consider how InCommon would recognize the potential security issue and what the incident response looks like - what is the procedure?

TAC 2016 Priorities

At the Global Summit, the TAC asked a subgroup to make a recommendation on how to move forward on prioritization (Steve Carmody, Jim Jokl, and Mark Scheible volunteered for the subgroup). The subgroup has met twice and has these recommendations:

...

Given that TAC has a draft charter for a per-entity metadata working group, and all agree that this should be on the short list of things to accomplish, it was decided to constitute that working group. (AI) TAC will find a chair and constitute the WG.

Next Meeting - Thurs., June 9, 2016

1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT