
TAC Meeting 2016-05-26

Thursday, May 26, 2016
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Dial-in Information

+1-734-615-7474 (preferred) (use this number unless you pay for long distance)
+1-866-411-0013 (US and Canada) (use this number if you pay for long distance)

Access Code: 0139713#

eDial: http://edial.internet2.edu/call/0139713

SIP: sip:session_0139713@edial.internet2.edu

If you are on a phone lacking a mute button, you can mute your phone via eDial by pressing ##1. To unmute, press ##1 again.

Agenda

  1. Agenda Bash
  2. Review/approve minutes from F2F at Global Summit
  3. Ops Update 2016-05-26 (Tom S)
  4. TAC 2016 priorities (Steve C)
    1. Updates from Steve C, Jim J, Mark S on merging TAC goals with T&I priorities (see notes below)
    2. Proposed next steps (see notes below)
    3. (add to/revise as you like)
  5. Update from GS meeting on TAC stance with regard to security vulnerabilities in federating software used in InCommon (notes) (Steve C)
    1. See write-up on lack of legal basis for staff de-listing metadata/changes needed from Nick
  6. Request from Mike Corn for public response on Office365 identifier checking problem (Nick)
    1. Office365 is not an InCommon SP
    2. The problem is one that is generally applicable to InCommon SPs that don't check scope or strongly bind identifiers to issuers
    3. Tom wrote a blog about this: Scoped User Identifiers (unpublished)
    4. Question: How best to communicate to Participants/etc to achieve maximum desired impact?  What kind of framing is needed?
  7. Request from Lukas Hämmerle on eduGAIN connectivity check results for InCommon (email thread) (Nick)
    1. eduGAIN Connectivity Check Service (for incommon.org)
    2. Dynamic Analysis of IdP Endpoints
      1. Question: should the functionality in "Dynamic Analysis of IdP Endpoints" be built-in to https://met.refeds.org so it can be useful to others, and we can get automated reports on these numbers?
    3. Question: Should InCommon staff communicate with IdPs highlighted in Lukas' report, Tom's report, or just tag them hide-from-discovery, or something else?
  8. Update on discussion with Microsoft re: support for federation at Global Summit (Nick, Walter, Steve)
  9. Spinning up Per-Entity Metadata Working Group - chair?  Recruiting? (??)
  10. (your agenda item here)

Notes – "What TAC is Being Asked to Do, Work Items and Roadmap"

-- The blue and red list is a list of projects developed by I2 staff that touch on the three divisions involved in delivering T&I services (IC OPS, I2 Tech Services, ?? TIER). It does not represent all the work that InCommon does, only the production technical services.

-- Those lists represent the results of an internal prioritization process that involved I2/IC staff.

-- TAC is being asked to comment on the priorities and the projects in those lists, where we have significant concerns. "Does it look right? Are there things missing? Do we want to move things up or down, what has to change?"

-- We are being asked to develop a prioritized TAC Work list for the next period (rest of 2016, 12 months?).

-- The goal is to give the community a single InCommon work list that includes the blue, red, TAC, and (presumably) AAC's lists. It's not TAC or Ops, it's InCommon's list that can be planned out in a roadmap so folks can see what will be done and when.

-- In addition to TAC's general advisory role, TAC should create a work list that concentrates on the investigation of issues, service profiles, potential services, and the development of recommendations.

-- TAC should try to develop a roadmap for its activities, so the I2 planning cycle can plan for "deliveries".

Notes - Proposed Next Steps

  1. review several items in the DRAFT TAC Work list in order to develop evaluation criteria
    1. On the previous call we discussed a potential list: 
      1. Value to Community
      2. Value to InCommon
      3. Short Term Priority
      4. Long Term Priority
      5. IC Staff involvement required for Working Group
      6. IC staff involvement required to take WG product to PROD
      7. Operational workload on IC staff after product reaches PROD
    2. We're wondering if this list is too heavyweight, given how our Working Groups organize and do their work
    3. We're wondering if "Value to Community" (defined several ways) would be a sufficient criterion
  2. Over the next week TAC members would tag items to indicate the ones they feel are more important

Information

  1. REFEDS R&S Clarification Proposal

Carryover Action Items

  1. Paul Caskey will take charge of the goal “Making Federation Easier”

  2. Steven Carmody and Michael Gettes will develop a short white paper to document the requirements and goals related to attribute release.

  3. Ann West will develop a service-level agreement concerning the IdP of Last Resort for Leif Johansson and UnitedID

  4. Steve Zoppi, Steve Carmody, and Paul Caskey will come back to TAC in two weeks with a proposal concerning "making Shib easier;" specifically about how to leverage work already done through TIER to attract schools and individuals willing to commit to development help.

  5. Tom Scavo will run a comparison of the 47 SAML1-only SPs in InCommon with the SAML1-only SPs currently in eduGAIN metadata.

  6. Steve Carmody will follow up with spinning up documentation around Duo deployment best practices, may be homed in MFA interop WG

Minutes

Attending: Walter Hoehn, Mark Scheible, Kim Milford, Tom Barton, Jim Jokl, Steve Carmody, Ian Young, Janemarie Duh, Scott Cantor, Chris Misra

With: Dean Woodbeck, David Walker, Mike LaHaye, Tom Scavo, IJ Kim, Paul Caskey, Steve Zoppi, Ann West, Kevin Morooney

Minutes from May 17

Approval deferred pending language re: incident response (note - language changed on the minutes on the wiki).

Ops Update

Tom Scavo presented the Ops Update and shared a link to the issues that are unresolved or recently resolved.

An incident "Metadata signing process failed (2016-03-21)" has been resolved with a new metadata import and signing process. The new process avoids this problem, which arose in the process of retrieving metadata from eduGAIN. Coincidentally, the process was put into use on May 20 and it worked.

The ops advisory group has identified four interfederation technical policy rules. These are ready but waiting on deployment:

  1. Implement a whitelist of entityID prefixes: “http://”, “https://”, “urn:mace”

  2. Filter all imported IdP entities with an endpoint location that is not HTTPS-protected

  3. Filter all imported <mdui:Logo> elements (not entities) with a URL that is not HTTPS-protected

  4. Filter all imported IdP entities with a faulty <shibmd:Scope> element
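As an added example (not code from the page or from InCommon's own metadata pipeline), the following Python filter applies the four rules above to a constructed SAML metadata aggregate and reports what was dropped and why. The minutes do not define what makes a <shibmd:Scope> "faulty", so the definition used here (empty, or a non-regexp scope containing characters other than letters, digits, dots and hyphens) is an assumption.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
ENTITYID_PREFIXES = ("http://", "https://", "urn:mace")  # rule 1 whitelist, as listed in the minutes

def faulty_scope(scope):
    # Rule 4, assumed definition: empty, or (unless regexp="true") not made of domain-name characters.
    text = (scope.text or "").strip()
    return not text or (scope.get("regexp", "false") not in ("true", "1") and not all(c.isalnum() or c in ".-" for c in text))

def filter_metadata(xml_text):
    # Returns (entityIDs kept, {entityID dropped: reason}, number of mdui:Logo elements removed).
    root = ET.fromstring(xml_text)
    dropped, logos_removed = {}, 0
    for ent in root.findall("md:EntityDescriptor", NS):  # findall returns a list, so removal below is safe
        eid, reason = ent.get("entityID", ""), None
        idp = ent.find("md:IDPSSODescriptor", NS)
        if not eid.startswith(ENTITYID_PREFIXES):
            reason = "entityID prefix not whitelisted"
        elif idp is not None:  # rules 2 and 4 look only at the IdP role
            endpoints = [ep.get(a) for ep in idp for a in ("Location", "ResponseLocation") if ep.get(a)]
            if any(not url.startswith("https://") for url in endpoints):
                reason = "IdP endpoint not HTTPS-protected"
            elif any(faulty_scope(s) for s in idp.iter("{%s}Scope" % NS["shibmd"])):
                reason = "faulty shibmd:Scope"
        if reason:
            root.remove(ent)
            dropped[eid] = reason
            continue
        for uiinfo in list(ent.iter("{%s}UIInfo" % NS["mdui"])):  # rule 3: drop the element, keep the entity
            for logo in list(uiinfo.findall("mdui:Logo", NS)):
                if not (logo.text or "").strip().startswith("https://"):
                    uiinfo.remove(logo)
                    logos_removed += 1
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)], dropped, logos_removed

# Constructed sample aggregate (not real InCommon or eduGAIN metadata) that exercises every rule.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:IDPSSODescriptor>
  <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope><mdui:UIInfo>
  <mdui:Logo>https://idp.example.edu/logo.png</mdui:Logo><mdui:Logo>http://idp.example.edu/old.png</mdui:Logo>
  </mdui:UIInfo></md:Extensions><md:SingleSignOnService Location="https://idp.example.edu/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="ftp://idp.bad-prefix.org"><md:IDPSSODescriptor/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.plain.org"><md:IDPSSODescriptor>
  <md:SingleSignOnService Location="http://idp.plain.org/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.noscope.org"><md:IDPSSODescriptor><md:Extensions>
  <shibmd:Scope> </shibmd:Scope></md:Extensions></md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="http://sp.example.org/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Note that the SP entity with an http:// entityID survives: rule 1 allows that prefix, and rules 2 and 4 apply only to IdP roles.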


Update on Discussion with Microsoft

Nick Roy, Walter Hoehn, and Steve Carmody met with representatives from Microsoft during the Global Summit to follow-up on the interoperability spec and the lack of comment from Microsoft to date. The meeting included three Microsoft reps (education rep, program manager for Azure, and program manager for ADFS). None were familiar with the spec, so the session focused on ADFS and Azure and the mismatch between those products and the multifederation model. The meeting seemed productive as an educational session.

Security Vulnerabilities

There was discussion as a follow-on to the Global Summit discussion about the potential for an InCommon incident response process and the potential removal of entity descriptors or compromised key material from the InCommon metadata. This was prompted by the approaching end-of-life of Shibboleth IdPv2. Nick drafted a document with the problem statement, the current lack of basis for any such action by InCommon, and a proposed solution.

The TAC proposes this sequence of events:

  1. Kim Milford will ask the REN-ISAC technical advisory committee to review the document and make comments and recommendations. Chris Misra and Tom Barton volunteered as resources for questions or other information from the REN-ISAC TAC.

    1. A key question to ask is what actions they believe would trigger this policy

  2. TAC will then review the REN-ISAC recommendations

  3. TAC will likely propose to Steering a change to the FOPP, either incorporating this document or referring to it.

  4. When this policy proposal is sent to Steering, it will include information about which people/groups have reviewed and had input.

At what point would this be vetted with the community (before or after going to Steering)?

TAC also needs to consider how InCommon would recognize the potential security issue and what the incident response looks like - what is the procedure?

TAC 2016 Priorities

At the Global Summit, the TAC asked a subgroup to make a recommendation on how to move forward on prioritization (Steve Carmody, Jim Jokl, and Mark Scheible volunteered for the subgroup). The subgroup has met twice and has these recommendations:

  1. TAC needs a comprehensive list of what InC intends to do in 2016, not just the TAC work list.

  2. TAC should look at the list of priorities developed by InCommon/Internet2 staff and comment on the prioritization, whether additional information is needed, and whether any items should be added/subtracted


The goal is to give the community a single InCommon work list that includes the priorities developed by the staff and the TAC work list (and, presumably, any AAC list).

(AI) The subgroup will develop a method for soliciting TAC feedback on the InC priorities list, as well as on the TAC work list.

The suggestion is to look at three topics from the TAC work list in detail: 1) the “gold star program” - which recommended practices are a must?; 2) Support for non-SAML protocols (like OIDC); 3) Per-entity metadata - what is needed to go to production?

Given that TAC has a draft charter for a per-entity metadata working group, and all agree that this should be on the short list of things to accomplish, it was decided to constitute that working group. (AI) TAC will find a chair and constitute the WG.

Next Meeting - Thurs., June 9, 2016

1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

 
