CACTI Call Tuesday, January 19, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- Marina Adomeit, SUNET
- John Bradley, Independent
- Margaret Cullen, Painless Security
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Barry Johnson, Clemson
- Jeremy Perkins, Instructure
- Chris Phillips, CANARIE
Internet2
- Kevin Morooney
- Ann West
- Steve Zoppi
- Nic Roy
- Emily Eisbruch
- Mike Zawacki
Regrets
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Bill Thompson, Lafayette College
Discussion
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
OpenID Foundation Browser Interactions Working Group (Nic)
- The OpenID Foundation Browser Interactions Working Group recently held its first meeting.
- This is a sub committee of the AB/Connect Working Group
- The Browser Interactions WG is discussing changes the browser vendors are making to browser handling of cookies in the name of privacy protection.
- The changes present challenges for SSO protocols that use those cookies.
- The changes of concern are happening in Google Chrome world. Microsoft Edge is also impacted. Apple is also making changes to ITP that impact this.
- First call of the Browser Interactions WG was last week.
- There was strong attendance, including industry representation.
- From CACTI, Chris Phillips, John Bradley, and Nic participated. Would be good to have additional participation.
- If interested in this effort, sign up for the openid-specs-ab (“Attribute Binding” aka OpenID Connect) working group
- Calls are Wednesdays 2pm ET
- Nic shared the call invite with the CACTI list
- There is also a Slack channel on the Internet2 Slack where InCommon TAC is discussing this.
- Contact Nic if you would like an invitation to that Slack channel
- John Bradley is encouraging Google privacy sandbox people to participate in the Browser Interactions WG.
- Privacy sandbox may be overreaching beyond cookies
- Google may be interested in filtering authentication transactions to limit IDPs from harmful actions
- There may be a need to use in-browser privacy sandbox hooks
- But if those hooks don’t support SAML assertions, could be blocked completely
- Privacy sandbox should support different sorts of assertions, not just ID Tokens/JWT (JSON Web Tokens)
- There's a risk that SAML will be squeezed out
- Timeline for the changes? There is already a build.
- Like the SameSite Cookie rollout, the risks are real
- SameSite cookie issue arose somewhat suddenly
- In this case we have more notice
- In future Internet2 or CACTI may want to have a formal relationship with the OpenID Foundation Browser Interactions Working Group
- Charter of OpenID Foundation Browser Interactions Working Group is to draft a formal response from OIDC Foundation to Google and other concerned parties.
- Need to sign IPR agreement for membership in OIDC Foundation
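The browser cookie change the working group is tracking, illustrated with a small model added here (it is not code from the meeting, from CACTI, or from any of the working groups named). The model assumes the SameSite semantics Chrome ships: cookies without a SameSite attribute are treated as Lax, with a two-minute "Lax+POST" grace period for cross-site top-level POSTs, and SameSite=None is honoured only on Secure cookies. The cookie and request objects, and the names `cookieIsSent` and `samlPostOutcome`, are constructed for this example.

```javascript
// Added illustration (not from the meeting): how the SameSite cookie
// attribute decides whether a browser attaches a cookie to a request,
// and why that matters for SSO. In a SAML HTTP-POST binding the IdP
// auto-submits the response to the SP, so from the SP's point of view
// the response arrives as a cross-site, top-level POST.
// Assumed rules: Chrome's Lax-by-default plus its "Lax+POST" grace
// period for cookies that set no SameSite attribute.

const LAX_POST_GRACE_MS = 2 * 60 * 1000; // Chrome's Lax+POST window (assumed)

/**
 * Decide whether `cookie` is attached to `request`.
 * cookie:  { name, sameSite: 'Strict'|'Lax'|'None'|undefined, secure, setAtMs }
 * request: { method, crossSite, topLevel, https, nowMs }
 */
function cookieIsSent(cookie, request) {
  // Same-site requests are unaffected by SameSite; only Secure matters.
  if (!request.crossSite) return !cookie.secure || request.https;

  // No SameSite attribute: treated as Lax, but still sent on a
  // cross-site top-level POST while the cookie is younger than the window.
  const defaulted = cookie.sameSite === undefined;
  const mode = defaulted ? 'Lax' : cookie.sameSite;

  switch (mode) {
    case 'Strict':
      return false;
    case 'Lax':
      if (!request.topLevel) return false;
      if (request.method === 'GET') return true;
      if (request.method === 'POST' && defaulted) {
        return request.nowMs - cookie.setAtMs < LAX_POST_GRACE_MS;
      }
      return false;
    case 'None':
      // SameSite=None is only honoured when the cookie is also Secure.
      return cookie.secure && request.https;
    default:
      return false;
  }
}

// Three ways an SP might have set the cookie that ties the returning
// SAML response to the login it started (constructed for the example).
const sessionCookies = {
  legacy:   { name: 'sp_session', sameSite: undefined, secure: true, setAtMs: 0 },
  lax:      { name: 'sp_session', sameSite: 'Lax',     secure: true, setAtMs: 0 },
  hardened: { name: 'sp_session', sameSite: 'None',    secure: true, setAtMs: 0 },
};

// Which cookie variants survive the IdP's cross-site POST back to the SP,
// `nowMs` milliseconds after the cookies were set?
function samlPostOutcome(nowMs) {
  const samlPostToSp = { method: 'POST', crossSite: true, topLevel: true, https: true, nowMs };
  const result = {};
  for (const [label, cookie] of Object.entries(sessionCookies)) {
    result[label] = cookieIsSent(cookie, samlPostToSp);
  }
  return result;
}

// A fast login (under two minutes) still works for the legacy cookie;
// a slower one silently loses it, which is why the rollout surfaced as
// intermittent SSO failures rather than an outright outage.
console.log('fresh :', samlPostOutcome(60 * 1000));
console.log('aged  :', samlPostOutcome(10 * 60 * 1000));
```

The point for deployers is the `legacy` row: a cookie that never named a SameSite mode keeps working in quick tests and then fails for users who take longer than the grace window, while an explicit `SameSite=None; Secure` cookie is the only variant that reliably reaches the SP on the POST. Proposals that go beyond cookies, such as the privacy sandbox hooks discussed above, would need an equivalent rule for SAML assertions to avoid the same silent breakage.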
GÉANT T&I Incubator 1H2021 board meeting on Jan 25, 2021 (Nic)
- R&D Group, Nic participates
- See: https://wiki.geant.org/display/gn43wp5/TII+Call+for+Ideas
- Dashboard: https://wiki.geant.org/display/gn43wp5/Incubator+Dashboard
- Let Nic know if you have ideas for R&D items for first half of 2021, via the CACTI discussion Slack channel
- Marina is involved with the incubator for GEANT.
- The incubator is looking at topics in 6 month frame
- There is a call with the community every 6 months to propose topics
- Look at technologies and feasibility, may produce reports, may implement a small proof of concept
- They prioritize projects of interest to wider community
Educause Security Professionals Conference (virtual) (via Jill G.)
- June 8 - 20, 2021
- IDM track will be available this year
- Call for Proposals due out in early February
Cloud Services Cookbook refactoring in REFEDS (Guest- Keith Wessel, chair of InCommon TAC)
- Cloud Services Cookbook Location in REFEDS wiki
- There is an effort to revise/update the Cloud Services Cookbook
- Cloud Services Cookbook was produced by the Big Ten Academic Alliance, then the CIC, nearly six years ago, and only minimal efforts have been made since then at updating it.
- Cookbook was written to be conversational, using plain English
- Some material needs updating
- For example there are mentions of older identifiers
- eduPersonTargetedID is now deprecated
- Doesn’t include the new OASIS SAML subject identifiers
- Cookbook is too US specific
- The cookbook has guides for IDP operators, cloud services deployers, and developers
- These contain an intro paragraph and links to specific sections of the cookbook.
- These did NOT get pulled into the REFEDS version, but there is an archive of it; hope to resurrect it
- There is some overlap between Cloud Cookbook and Kantara SAML2Int v2 document.
- Kantara SAML2Int is more prescriptive
- Even if a service is in the cloud, there can still be interop needs
- To help encourage good working deployment, we need to include links to the appropriate reference materials
- Explain not just technical motivation, but get more buy-in for SAML deployment profile
- Potential topic for the incubator: GEANT fund a playground?
- Playground is in line with testing tools that InCommon TAC is now prioritizing
- Like how AWS reference architecture uses fill-in-the-blanks approach
- Suggestion not to use lynda.com as case study anymore since it no longer supports multilateral federation
- Question of "where do I run IDP" is not currently addressed in Cloud Services Cookbook; six years ago there was less identity in the cloud
- Question of "why do I move to the cloud?" is something REFEDS could discuss during revamping of the cookbook
- Suggestion to revisit topics IDP as a Service Working Group looked at.
- IDP as a Service talks about user database, (on premise or in cloud)
- Add info on bridging between clouds, for example, one cloud for IDP and another for Service Provider
- Comment: expected to see more on possible exposure of identity info (including location) when moving to cloud
- Much of cookbook is SAML specific. Should it be more agnostic?
- Perhaps add analysis of safety of running SAML in the cloud and add best practices around this
- Suggestion to be protocol agnostic, but add specifics on SAML and perhaps others
- Issue of how you manage sign-on keys, when you don’t have physical DPM.
- Would be helpful to cover secret management
- Steve Z: need clarity on difference between protocol and services. Protocol is just the transport mechanism.
- There are issues with how people run services and looking at secure protocols for transport. Secure backbone is one example
- Deployment patterns, protocols sometimes less opaque than they should be
- Security on endpoints, LDAP protocols, what type of encryption on LDAP and on authentication. Looking at all the nuts and bolts
- Reference architecture should match the concerns here
- Deployment profile will eventually get baked into reference architecture
- Contact Keith (kwessel@illinois.edu) if you are interested in participating in the Cloud Services Cookbook update/refresh
Did not discuss at this CACTI call, save for next call
- Questions from CACTI members about last meeting's presentation on committees and InCommon/Internet2 structures (Kevin, et al.)
- CACTI representative to Trust and Identity Program Advisory Group (Rob/Les/Kevin)
- Does CACTI still need a rep on PAG?
- Volunteer needed if so
- Final report of the CACTI OIDC Working Group (Rob)
- Next steps to get this completed
- Preferred method of communication between meetings: Slack, mailing list, ...?
- First major discussion topic of 2021 - please see list of topics that came out of end-of-2020 ideation compiled by Rob (Rob)
- eduroam best practices guide as drafted by the eduroam advisory committee
Next Meeting: Tuesday, February 2nd, 2021