Notes and Action Items, AAC Call of 15-March-2017

Attending:

Brett Bieber, University of Nebraska (chair)

Ted Hanss, University of Michigan

Joanna Rojas, Duke

Ann West, Internet2

Emily Eisbruch, Internet2

Action Items

[AI] (Brett) put together the feedback on NIST SP 800-63 / Digital Identity Guidelines and submit it to NIST by the March 31, 2017 deadline (update: Jim Jokl is doing this)

[AI] (Ann) chat with Tom on the topic of NIST/FICAM plans

[AI] (Brett) will update the Admin Functions section of the flow diagram on the Baseline Expectations Community Dispute Resolution Process to clarify how the process of automatic notification could work, for example around metadata accuracy. Also, in the Second Stage, Brett will expand the “HAS MET” diamond to include a process flow direction for a security incident.


[AI] (Ann) continue to work on the FOPP proposed updates for Baseline Expectations, with focus on the Federation Operator section

Discussion

FICAM update
In recent conversations with NIST representatives, it was stated that once SP 800-63 (the Digital Identity Guidelines) is updated, the plan is that federal agencies will have one year to comply. There are implications for trust framework providers like InCommon. Most likely FICAM would issue a new specification and InCommon would draft a response. Then there would likely be an audit; the last time this occurred, the audit took six months. The InCommon AAC would then work with our Bronze certified campuses to ensure that they stay in compliance.

This might impact AAC review of InC Assurance program.

[AI] (Ann) chat with Tom on the topic of NIST/FICAM plans.

Baseline Expectations

Baseline Expectations for Trust in Federation

◦ Draft Implementation Plan - not complete
◦ Draft Processes to Implement and Maintain Baseline Expectations

- Discussion of the diagram on the Community Dispute Resolution Process

https://docs.google.com/drawings/d/14RkHiAkANWMLLIIyTxjjMz7jUznASc8yObHbRxxwshg/edit?usp=sharing

The proposed dispute resolution process involves using tickets to track changes and creating a docket of tickets. There would be notification to the community if it becomes necessary to remove metadata. It could take time to resolve issues (perhaps two months in some cases). It was noted that two months to resolve a concern could be a long time from the Service Provider point of view.

Q: For a dispute resolution that reaches the stage of contacting a campus, would InCommon staff connect with the campus, or would the AAC? It was suggested that AAC members would contact the campus.

There was discussion of whether InCommon should mark the metadata of organizations being reviewed for a Baseline Expectations violation. A significant violation could be, for example, an IdP selling information about its users. However, this could also be categorized as a security incident. It is important to be aware of the difference between a security incident and an assurance dispute. It would be helpful if the diagram included an arrow to a process for handling a security incident.

[AI] (Brett) will update the Admin Functions section of the flow diagram on the Baseline Expectations Community Dispute Resolution Process to clarify how the process of automatic notification could work, for example around metadata accuracy. Also, in the Second Stage, Brett will expand the “HAS MET” diamond to include a process flow direction for a security incident.

Proposed changes to FOPP for Baseline Expectations
Progress is being made on this. We need to focus on how we increase trust over time. For the next AAC call, Ann will add the Federation Operator section.


SP 800-63 Consultation

Consultation for SP 800-63 / Digital Identity Guidelines
The consultation closed March 15, 2017.

[AI] (Brett) put together the feedback on NIST SP 800-63 / Digital Identity Guidelines and submit it to NIST by the March 31, 2017 deadline (update: Jim Jokl is doing this)

MFA profile consultation

The REFEDS consultation is open now through March 27. The identifier to be assigned is “https://refeds.org/profile/mfa”.

◦ Blog on the MFA profile work, by Tom Barton, will be part of the March 2017 TIER Newsletter:
https://www.internet2.edu/blogs/detail/13324


Plan for Community Assurance call of Wed. April 5, 2017 at noon ET?

◦ Idea 1: Focus on FICAM and upcoming changes?

◦ Idea 2: Discuss issues around Baseline Expectations implementation

[AI] (Brett) will reach out to TomB to be sure he could attend if we have an Assurance call on Wed. April 5.

Update: Tom not available. This Wed April 5, 2017 Community Assurance call is cancelled.

Global Summit AAC Face-to-Face April 23-26

◦ AAC F2F Tues. April 25, 2:30pm - 4pm

Next AAC call: Wed. March 29, 2017 at 4pm ET