Draft Minutes, Assurance Implementers Call, 10-June-2013

Attending
Ann West, InCommon
Mark Rank, UCSF
Dave Langenberg, U. Chicago
Brett Bieber, Univ. of Nebraska, Lincoln
Jeff Capehart, University of Florida
Lee Trant, U of Nebraska Medical Center (UNMC)
David Walker, InCommon
Emily Eisbruch, Internet2, scribe

DISCUSSION

Shib IdP Enhancements

https://spaces.at.internet2.edu/display/InCAssurance/Request+for+Proposal+-+Assurance+and+MFA+Enhancements+to+Shibboleth+Identity+Provider

The Assurance and MFA Enhancements to Shibboleth Identity Provider RFP was awarded to Paul Hethmon, who has been involved in the Shibboleth project. Information on this work will be posted on the the Shibboleth wiki. This URL will be shared with the Assurance list. The goal is to have the work completed by end of 2013. The RPF has acceptance criteria that 3 campuses will test the code, and we hope to identify the 3 testing campuses within a few weeks. Most likely testing will take place in September or October. David will send out a solicitation for testing campuses. Let David know if you are interested in helping with the testing.

Assurance Advisory Committee - Recent Activities

The AAC is working on a proposal (to be sent to InCommon Steering) to make bronze the baseline for participation in the InCommon Federation.

Process for Re-Certification from 1.1 to 1.2 - Ann reported that the AAC has been working on the re-certification requirements for migration from version 1.1 to version 1.2, including compliance requirements and timeframe for upgrading.  The AAC currently has a "Process for Re-Certification" recommendation to InCommon Steering for review.  Review is expected at the end of July. When approved, the "Process for Re-Certification" requirements will be posted on the wiki.

Counting Failed Logins Update

https://spaces.at.internet2.edu/display/InCAssurance/Failed+Authentication+Counter+Strawman

The group looking at counting failed password authentication events (led by Benn Oshrin) had a call on June 20. Due to scheduling issues, the plan is to begin further work in August. Benn will announce the next call on the Assurance list.https://spaces.at.internet2.edu/display/InCAssurance/Discussion+Items+%28Counting+Failed+Logins%29

Brett was on the June 20 call.  At U. Nebraska, the goal is to implement a system for counting failed logins by Aug. 1.  Nebraska has a target to have achieve bronze by Aug. 1.  Brett has an implementation counting the LDAP failed authentication attempts. This work is posted on GITHUB and Brett has shared some information on the wiki at https://spaces.at.internet2.edu/display/InCAssurance/Component+Implementation+Guide

However Nebraska has challenges around identifying the proper event codes in Active Directory. Brett has discussed the AD event codes issues with Tamara and others at U. Chicago.  Brett is interested in discussing the AD issues with other campuses also. Ann suggested writing a note to the assurance list to ask if anyone can help with the AD code.  The AD topic came up at the CIC IDM meetings taking place this week in Columbus.  Brett may want to talk about these issues with the AD Assurance group.  Brett will be in touch with Ann to arrange this.https://spaces.at.internet2.edu/display/InCAssurance/AD+Alternative+Means+-+2013

Assurance Use Case

Ann stated that the Business School of a large research institution recently approached InCommon with a new use case. At this institution, Central IT has stated that the Business School needs to be Bronze certified. The Business School has an IDP, but does not need to be in InCommon metadata, it needs  to conform to the bronze profile to achieve security goals. So at this institution, Central IT is outsourcing the security/ credential requirement to InCommon.

Ann has encouraged the Business School to talk with Central IT about having the institution (not the Business School) sign the assurance addendum with same signature authority as signed the InCommon POP. Further, if they want InCommon to manage the assurance re-certification every 3 years, they would need to put the Business School IDP in the InCommon metadata. This would mean the institution would need to pay for a second IDP, for the Business School.

David suggested that it would make sense for the institution to get the bronze certification instead of just the Business School. The IDPO is the institution. The institution will need to  explain to users which IDP to use for which situations.

Ann asked if InCommon Assurance should consider a reduced free for cases where there is no IDP, forcases where an institution wants a stamp of approval.   David suggested that this makes sense, it would be like an audit report saying "yes we agree with management's assertion that they meet the requirements for the assurance program."  It was noted that without a SAML IDP it is not possible to be bronze certified under 4.2.7.  

Brett: The University of Nebraska system is creating a federation, and has discussed using the InCommon standards, though this is not yet in place yet

Round Robin

Jeff Capehart stated that at University of Florida, the password policy has been revised adding some new options around use of longer passwords. The new policy still complies with the entropy requirements

Lee stated that UNMC is examining the different levels of assurance currently in use.

Brett, stated that the CIC IDM Meetings in Columbus have been interesting, including
- discussion of looking at Bronze as the stepping stone to Silver.
-discussion of which campuses, in addition to U. Nebraska at Lincoln, would be willing to help testing the SHA-256 issues.

Next Call: Wed. Aug 7 at noon ET