Notes: InCommon Assurance Monthly Implementers call for 5-Nov-2014

Slides used for this Assurance Call are here

Attending:

Ann West, Internet2
David Walker, Internet2
Steve Devoti, UW-Madison/AAC Chair
Mark Jones, UT Houston
Eric Goodman, UCOP
Benn Oshrin, Spherical Cow Consulting
Randy Miotke, Colorado State University
Susan Neitsch, Texas A&M University
Tom Golson, Texas A&M University
Jeff Capehart, University of Florida

Discussion

The October 2014 Assurance Call was an IAM Online featuring the University of Nebraska and UMBC presenting on their experience with InCommon Bronze certification and security. The archives are linked from http://www.incommon.org/iamonline/

Today's call will focus on InCommon Assurance and US Government discussions.

Topics:

FICAM

FICAM was based on NIST 800-63
Currently there are 3 FICAM Approved Trust Framework Providers:

http://www.idmanagement.gov/adopted-trust-framework-providers

FICAM 1.0 spec and related documents focused on identity provider and credential practices.
Since the approval of FICAM 2.0, there are changes. FICAM 2.0 also encompasses:

Token Manager + Identity Services Manager = Credential Service Manager

FICAM 2.x includes federation requirements

Question arose: Can't InCommon handle this for the InCommon IDPs?

Much progress in the discussions with FICAM. See slide 6 for details.

Componentized Services

An important topic is componentized services (see slides 7 and 8 for details).

Discussions with NIH and NSF

See slide 9

InCommon's discussions with NIH and NSF resulted in FICAM accepting our standardized attribute bundle (R&S) rather than the attributes FICAM had been requiring (which had included legal name and DOB).

GSA (home agency for FICAM) has joined InCommon, and GSA will likely be the focal point for other agencies.

Community Profiles

See Slide 10

Steve Devoti, AAC chair, reported

EricG asks about the Vectors of Trust group:

https://www.ietf.org/mail-archive/web/ietf-announce/current/msg13215.html

The UC system is taking a similar approach in standards, for incremental progress short of Silver.

Is there a sense of what the scope of the trustmarks (being discussed by the AAC) might be? Wants to do things that would map to trustmarks. Are there specific targets that would be useful for us to use?

SteveD: The AAC's work on this is at the beginning.

The AAC has not taken our assurance profiles and decomposed them into trustmarks yet.

The GA Tech people have looked at breaking 800-63 into trustmarks.

See:
https://trustmark.gtri.gatech.edu/concept/#framework-example-ficam

See pages 44-45 here: https://trustmark.gtri.gatech.edu/wp-content/uploads/2014/01/Trustmark-Pilot-Concept-Slides-for-IDESG-Briefing-2014-01-16.pdf

MFA Profile

For the MFA profile, there are important decisions on how granular to be.

For example, there are apps that want MFA. Some campuses have MFA and some don't.
Under what circumstances would the SP application trust that MFA had been done by the campus, versus the app requiring its own MFA? We don't want campus MFA plus application MFA.

It was noted that with a light/simple definition of an MFA trustmark (MFA? Y or N), problems arise. Example: an SP that remembers you for 30 days (no forced reauthentication). There would be a need to disallow that kind of practice.
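As an added illustration of the freshness problem above (not part of the call notes, and not code from InCommon or any profile), the SP-side check below refuses to rely on campus MFA unless the assertion carries an MFA context and the authentication instant is recent; the context value and assertion fields are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical authentication-context value an IdP would assert after MFA.
# Constructed for this example; it is not an InCommon or FICAM identifier.
MFA_CONTEXT = "urn:example:ac:classes:mfa"


@dataclass
class Assertion:
    """Minimal stand-in for the authentication statement an SP receives."""
    authn_context: str       # method the campus IdP says it used
    authn_instant: datetime  # when that authentication actually happened


def step_up_required(assertion: Assertion, now: datetime,
                     max_mfa_age: timedelta = timedelta(hours=12)) -> bool:
    """Decide whether the SP must run its own MFA instead of trusting the campus.

    A bare "MFA: Y/N" trustmark carries no freshness: an IdP that remembers a
    user for 30 days would still assert the MFA context. So the SP requires both
    the MFA context and an authentication instant no older than max_mfa_age.
    """
    if assertion.authn_context != MFA_CONTEXT:
        return True  # campus did not claim MFA at all
    age = now - assertion.authn_instant
    if age < timedelta(0):
        return True  # instant in the future: clock skew or tampering, do not trust
    return age > max_mfa_age  # stale MFA (e.g. a 30-day "remember me") is rejected


def evaluate(context: str, instant_iso: str, now_iso: str, max_hours: int = 12) -> str:
    """String-based wrapper for quick experiments; returns 'accept' or 'step-up'."""
    assertion = Assertion(context, datetime.fromisoformat(instant_iso))
    needs_mfa = step_up_required(assertion, datetime.fromisoformat(now_iso),
                                 timedelta(hours=max_hours))
    return "step-up" if needs_mfa else "accept"


if __name__ == "__main__":
    now = "2014-11-05T15:00:00+00:00"  # constructed timestamps around the call date
    print(evaluate(MFA_CONTEXT, "2014-11-05T14:55:00+00:00", now))  # accept
    print(evaluate(MFA_CONTEXT, "2014-10-06T15:00:00+00:00", now))  # step-up
    print(evaluate("urn:example:ac:classes:password",
                   "2014-11-05T14:55:00+00:00", now))               # step-up
```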

TIER

Question: How does the TIER work relate to Assurance?
Info on TIER: https://drive.google.com/folderview?id=0BzRHp0xie6WFUVRqQXBwd3VSa1U&usp=sharing

Ann: TIER aims to accelerate IDM across HE. We need to help researchers get access to services, including participants in a VO. We also need to accelerate the ability of schools that don't have an effective IDM system, and need one to access federated services, to get there.

Question: Can a campus be in TIER and not do Assurance?

Ann: Don't know yet. TIER is in an early stage. Requirements are not yet set by the community.

Next Assurance Implementers Call: Jan. 2015 (no call in Dec. 2014)

===

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu
office: +1-734-352-4996 | mobile +1-734-730-5749