Attending:  Mike Grady, Janemarie Duh, Matt Brookover, Mary McKee, Judith Bush, Keith Wessel, Heather Flanagan, Eric Goodman

With: David Walker, Steve Zoppi, Kevin Morooney, Albert Wu, David Bantz, Les LaCroix, Dave Shafer, Ian Young, Shannon Roddy, IJ Kim

Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.

TAC Membership

  • Welcome to Les LaCroix, the new CACTI liaison to TAC
  • Tom Demeranville has resigned from TAC

T&I and Ops Updates

  • Nick will share info on MDQ next time
  • MRPS - Metadata Registration Statement - Albert has revised and published this document to comply with eduGAIN. The new version is at https://incommon.org/federation/mrps/. There are a few additional minor corrections needed, which will mean an updated document.

Working Groups and TAC/CTAB/CACTI collaboration Updates

OIDC Deployment Working Group is in the process of closing down. Nathan Dors is drafting a message to that effect.

REFEDS Federation 2.0 is preparing to have the teams that developed scenarios report to the full working group and to determine the next step.

IdP as a Service - Results are back from the survey and reviewed by the working group. The WG will publish some anonymized results from the survey on the wiki for review. The WG is drafting a summary, based on the answers to the survey, as to what the community is looking for.

CACTI - Matthew Economou will be the TAC representative to CACTI. 

CTAB - Continuing to discuss the survey and ready to push out a blog post and email notice on the results. There was strong support for requiring good encryption of connections (TLS 1.2). There is pretty good support for including an error URL in IdP metadata, as well as support for SIRTFI. There was less enthusiasm, but still some fairly strong support, for the REFEDS MFA profile and for Research & Scholarship category attribute release. 

Certificate Service Update - Sectigo misissued about 1,200 certificates to subscribers of the InCommon Certificate Service affecting 84 institutions. These will need to be reissued, with old certs revoked within 5 days (which will be Sunday morning). We’ve been working with Sectigo to design a process to get all the schools into the queue, and working with the schools to make sure they are aware of this and what they need to do. These are all EV certs and Sectigo is also revalidating, which makes the process slower.

BaseCAMP Report - We had 63 attendees (not trainers or staff). About 30% were women. A high proportion of attendees were new to the field. We had very good feedback on the flow of the meeting. Kevin did a nice job of opening each day with humor and getting people engaged. From a community perspective, we generated a lot of interest. The meeting arc was: 1) Intro to IdM, 2) intro to federation, 3) discussion of specific challenges related to federation, and 4) discussion of solutions and software. The faculty-led dinner conversations on Tuesday were also a big hit. 

Seamless Access Coalition Pilot

Heather provided an update on the Coalition for Seamless Access, which operates SeamlessAccess.org (the successor to the RA-21 effort). The goal is to improve the user experience during the discovery process (finding and logging in through the home institution). Two questions were raised: 1) How should InCommon be involved with this? It has the potential to be the next iteration of the InCommon discovery service. 2) The Seamless Access Coalition is looking for a host to back up GEANT and to provide the service in a different part of the world. 

Albert provided a demo. 

Discussion - 

  • The privacy concerns from librarians center on SAML. Their problem with Seamless Access is that it enables a gateway to federated identity, and librarians perceive federated identity as requiring attribute release. Simply having a central discovery service also raises privacy concerns for some. 
  • The Seamless Access site should address privacy on its top page.
  • Mary - extended congratulations on developing something relevant enough to trigger this discussion of federated identity, which needs to happen.
  • The concern is that somehow there can be a mapping between the person’s identity, IP address, and the content that was accessed. There is also a belief that the use of a proxy somehow anonymizes the user, which it may not.

(AI) TAC members review questions Albert posed about this in a list email, and provide answers.

Heather also provided this via the TAC email list:

The coalition is forming two working groups: an Attribute Release Profile working group and a contract language working group. 

The Attribute Release Profile working group will work on profiles that explicitly state what attributes may be released to support access with complete anonymity, versus access that allows personalization. The contract language working group will focus on creating standardized language that librarians and other interested parties can use in their contracts with SPs to restrict what attributes that SP may ask for during a federated authentication and authorization workflow. We hope to have many librarians and research collaboration participants represented in both working groups.

Another item in progress is a Terms of Service that will clearly state what SPs can and cannot expect from and do with this service. Hopefully, that will also help mitigate some of the concern by non-SPs about how a service like this might impact the privacy of their users.

Nominations

  • Developing a timeline - Jessica will be in touch about this.
  • We will develop the timeline and a chart of potential nominees in the wiki.

Next Meeting

  • Review the work items for the rest of 2019 and into 2020
    1. https://spaces.at.internet2.edu/display/inctac/InCommon+TAC+2019+Work+Plan
    2. Badging discussion update (Janemarie)
    3. Deployment Profile WG 2.0? (Keith W)
    4. Test Federation
      1. Convene working group to gather requirements in early 2020
      2. Thoughts on timing?

Next Call September 12
