InCommon Steering Committee Minutes - October 9, 2017

  
Attending: Dee Childs, Celeste Schwartz, Michael Gettes, Melissa Woo, Ted Hanss, Dennis Cromwell, Klara Jelinkova, Sean Reynolds, Dave Vernon

With: Kevin Morooney, Ann West, Steve Zoppi, Von Welch, Brett Bieber

Action Items

(AI) Kevin Morooney will write a short summary of a proposed way forward for all InCommon participants to receive Shibboleth support. He will begin the conversation with the Consortium board at a meeting on October 11.

(AI) Steve Zoppi will share an updated document that incorporates a gap analysis of the Shibboleth needs, and the costs for different scenarios of addressing the gaps.

September Minutes

Minutes from September 11 approved via the wiki.

Shibboleth Sustainability Subcommittee

The subcommittee (Kevin, Sean, Ted, Michael, Marty) met and discussed both sustaining Shibboleth by asking InCommon participants to join the Shibboleth Consortium and addressing the problem of support workload drawing developers away from development.

The subcommittee asked Kevin to explore informally whether the Consortium would be open to a model in which InCommon provides funding for all of its participants and all participants would receive some level of software support. Under this model, the per-institution fee would be lower than the cost of each participant joining the Consortium but would still provide significant resources for Shibboleth.

Subsequently, Kevin has discussed the concept in separate conversations with Justin Knight (who is the Consortium operator) and Josh Howlett, the JISC representative on the Consortium board. Both were intrigued with the idea and believe it is something worthy of discussing with the Consortium board. (AI) Kevin is going to write a short summary to use to begin conversations with the Consortium board at the next meeting (October 11). This will also be an item on the Trust and Identity PAG agenda at TechEx.

(AI) Steve Zoppi will share an updated document that incorporates a gap analysis of the Shibboleth needs, and the costs for different scenarios of addressing the gaps.

Steering raised several other points to incorporate into the discussion

Nominations

Three members have terms ending this year and all are eligible for another term. Dennis Cromwell will be resigning at the end of the year because of new duties at Indiana University. There is a list of potential nominees under development.

The proposed process is the same as last year:

Assurance Advisory Committee Changes

Brett Bieber, chair of the Assurance Advisory Council, outlined the change of AAC focus that has developed over the last two years, with a large amount of time spent developing Baseline Expectations for Trust in Federation and the associated implementation plan. This program will require changes to the InCommon Participation Agreement and the Federation Operating Practices and Policies (FOPP), which will involve Steering.

The AAC also will propose changes in its charter, including the roles needed on the committee. The group was originally charged with supporting the assurance program and the resulting Bronze and Silver assurance profiles. To date, however, there are only five Bronze institutions and no Silver institutions. With the migration towards raising trust in the federation, there are different needs (security, for example).

Tom Barton talked with the five Bronze institutions and found the value of the profile is as a toolkit and a checklist for trust practices. They also said the MFA profile is helpful and SIRTFI will be helpful. They would also like to see an identity-proofing profile or guideline.

In addition, NIST has updated 800-63 to 800-63-3 and FICAM (Federal Identity, Credential, and Access Management) will require its trust framework providers (InCommon is one) to move to the new NIST 800-63-3 digital identity guidelines. This would require significant time and resources for InCommon and, as of yet, no federal agencies are asking for this. It would likely take a year or year-and-a-half to change the InCommon profiles to meet the new requirements (which are not yet documented).

Von said his conversations with research agencies and services indicate that they place far more emphasis on having a way to request two-factor authentication than on the specific assurance profiles.

Brett reiterated that the key role for Steering at this point will be to consider revising the AAC charter, and consider the proposed changes to the Participation Agreement and FOPP when those are ready (likely in the next two months).

Meeting Adjourned