
Next steps?


InCommon Assurance Program Review (Tom and Ann)

Ann: the federally approved FICAM program has not been broadly adopted by higher ed or by the federal agencies. The AAC charter was written to support that FICAM program. The program review will examine this. Charter may need tweaking. If AAC charter is to emphasize trust building activities, then the AAC membership may be altered.

We may not need two auditors on the AAC moving forward, if the emphasis is on trust components that do not include an audit requirement. We may want security experts to join the AAC.

Tom: the goal for AAC membership may be to be representative of the stakeholders.

Joanna is happy to help communicate the changed role of auditor on the AAC as needed

Q: How to start the program review?

A: Ask questions around value proposition and efficacy of the FICAM program, keeping in mind the effort and cost to InCommon of the program

Q: need more background on cost to InCommon

A: Internal process that InCommon must maintain to continue the certification role. In 2016 we had Nebraska and VA Tech renew Bronze; InCommon had to track and do communication and record keeping. So staff time is a key part. InCommon needs to send people to the FICAM meeting in March 2017.

Opportunity cost to InCommon. Effort could be put elsewhere if it was not going to Bronze and Silver. The perception of InCommon Assurance is now closely identified with Bronze and Silver and could potentially be moved elsewhere.

Brett: if we can demonstrate need for a shift in InCommon Assurance, through program review, this will be good for the community understanding.

Brett: lack of audit is an issue for more trustworthy profiles. Concern about all the self-attested profiles and the trustworthiness of orgs to treat these seriously and do the right thing

Tom: Peer review process has promise. Peer review may be part of baseline expectations and may be part of the REFEDS assurance process. Will be interesting to build/implement the peer review process.

[AI] (Ann and Brett) develop questions for InCommon program review by next AAC call


Baseline Expectations 

  • Strawman Implementation Plan

  • Steering has accepted the AAC’s baseline expectations.

  • Good discussion at Steering call in Dec. 2016 where Brett and Kevin presented.

  • Steering had a few questions about the implementation plan

  • Tom intends to take next steps on Baseline Expectations implementation plan

  • Tom hopes to work on this towards end of January

  • Ann notes that communications to community will be required.

  • Documentation will be needed to guide on how to implement/consider

  • Will need to know if there are changes required to the Federation Manager (i.e., a checkbox to indicate that an IdP/SP follows baseline practices)

  • Assumption that no tag will be needed

  • Process will be needed for an org to file a complaint about non-compliance of another org


MFA Interop Profile - status 

  • MFA WG produced excellent work including profile

  • REFEDS WG looked at it and a consultation is coming soon

  • After consultation, there will be a REFEDS identifier (URI) for the MFA Interop Profile

  • There is no entity tag involved

  • REFEDS MFA Profile doc under review by REFEDS Assurance WG. Short and should be ready for Consultation soon. Identifier to be assigned is “https://refeds.org/profile/mfa”.


  • How should communication to the community work about the MFA Interop profile?

  • We should get back in touch with Karen Herrington when the URI is approved

  • See if the MFA Interop WG wants to be involved in education and adoption and promotion efforts

  • Ann, Tom and Dean will work on communications and promotions around the MFA profile

  • Bundle with baseline expectations?

  • Do an IAM Online webinar on “how trust is changing across InCommon, how to participate in that”

Report-out on Wed Jan. 4, 2017 Assurance Call on REFEDS Assurance Working Group with Mikael Linden

  • Mikael did a great job of explaining the REFEDS WG status and how they’ll be moving to the next stage of consultation

  • Tom: there was feedback from the Assurance call that the REFEDS WG put into their work product at a subsequent call last Wednesday

  • Brett: does the InCommon AAC have enough participation in the REFEDS Assurance WG?

  • Brett plans to join the REFEDS assurance calls when possible

Plans for Upcoming Assurance Calls

  • Wednesday, Feb 1 at noon ET - cancel this call

  • Wednesday, March 1 at noon ET

  • Should discuss Baseline expectations plus MFA Interop profile and changes coming at some future Assurance call -- later in 2017

Other dimensions to Assurance?

2-November-2016 Assurance Call (2017 AAC Workplan Discussion)


News from partner efforts

  • REFEDS

    • Hope in January REFEDS will be ready to roll out the MFA Interop Profile. The profile will be in the REFEDS namespace

  • SIRTFI

  • Others


Next AAC call: Thursday, January 26, 2017 (note this was rescheduled to Wed. Feb 1)

