CACTI notes of Wednesday, March 29, 2023

Attending: Les LaCroix, Marina Krenz, Derek Owens, Kevin Hickey, Richard Frovarp, Rob Gorrell, Rob Carter, Erik Scott, Chris Phillips, Gareth Wood, Stoney Gan

With: Steve Zoppi, Nicole Roy, David Walker, Ann West

Regrets: Margaret Cullen (maybe), John Bradley, Steve Premeau, Barry Johnson


  1. Transparency is a critical part of CACTI's duty to the community. Please promptly approve or edit the minutes (or indicate your reason for disapproval) after they are posted.

Pre-Read Materials: 

  1. See working doc on verifiable credentials and wallets for pre-reads and initial asynchronous discussion and fact-finding ahead of the call

Action Item Review:


  1. Administrivia
    1. Please say your name when you start to speak, until we learn each other's voices
    2. Please ask colleagues to define terms, expand acronyms, etc., until we learn each other's jargon
    3. It's ok to challenge your colleagues in pursuit of quality of discourse. Hopefully in a nice way
    4. Please disclose any conflicts of interest you may have in any of the agenda topics, and potentially excuse yourself from the relevant conversations
    5. Please use the CACTI scribing doc
    6. Internet2 Intellectual Property Agreement reminder
    7. CACTI Charter pointer
    8. Agreements:
    9. Volunteer(s) to scribe (new standing item)
    10. Agenda bash
  2. Announcements
    1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
  3. Main Business
    1. FedCM report-out and next steps (Nicole/Chris P)
      1. FedCM (protocol)
        1. The thing we’re trying to help with to enable “lowering shields” the browser may have imposed, in the context of user-trusted single sign-on
      2. FedIDCG (community group in the W3C)
        1. Curation of the work
        2. Trying to get the W3C group to understand why we’re suggesting a change to FedCM to support massive numbers of IdPs (as we have in R&E feds)
      3. FedCM is embedded in Chrome already (108+)
      4. W3C membership is free if you wish to contribute
      5. Proof that our community can have a positive impact in industry if we are open to participating
    2. Passwordless authentication blog post - gaps and next steps (Kevin H)
      1. Still in-progress - but time is a bit freed up, will work on this asap
      2. Helpful to describe where password managers live in the ecosystem of “authentication stuff” - may be useful to distinguish password managers from other stuff, “here’s where they’re useful”
    3. Verifiable credentials and digital wallets
      1. Revisiting action items from last time:
        1. We need to map out where we want to be in the next couple months:
          1. Spinning up a sub-group: Kevin Mackie, Chris Phillips, Rob Carter
          2. Model for engagement: The 800-63-4 review group
        2. Do we need an R&E-specific wallet, or just R&E specific credentials?
          1. It’s likely more about the communities that we serve: will this be a method that they want to use?
          2. First to-do from a use-case perspective: Think about the scenarios in which our communities might interact with these things. Example: Student shows up with a digital driver’s license at orientation/registration. What do we do with that? Example: Student shows up and wants us to issue a credential into a wallet that they already have (Google, Apple wallets, etc.)
        3. Is this a sufficiently narrow scope to be able to write a charter? Yes
          1. Yes. Would like to probably select a popular / well-suited use-case to then pursue a proof-of-concept implementation based on.
          2. Student ID is an example.  Use existing digital wallets to start but don’t exclude the possibility of an educational digital wallet in the future
          3. Do we want to worry about all functions of a wallet, or only certain? These questions will likely be answered by the use-cases gathered.
        4. Protocol translation - at the wallet level, at the proxy level, etc. 
        5. How do Shib/TAP fit into the solution space?  Do  
        6. Discussing a bit with NSF large facilities people
        7. Proof of “academic-ness” or “government-ness” to hotels or other entities for discounts
        8. Alumni accounts - “cradle to endowment” - email access for alumni to their .edu email address
        9. Revocation
        10. Policy around disclosure
      2. What do we want to do about this in the next three months?
        1. POC of use case 
          1. User control of attribute release
        2. Potential partners.  Cirrus Identity, MS - Entra
      3. Divvying up the work / working groups
        1. Use case development - open working group with the community
          1. Drafters of charter:
            1. Rob Carter
            2. Marina Krenz
            3. Kevin Mackie
            4. Chris Phillips
            5. Nicole Roy
            6. Kevin Hickey
          2. AI: Nicole will get this group together to draft a charter - would be good to note the unique things that VCs/etc bring to the table - user-centric/privacy-preserving stuff. [DONE]
          3. 90 to 120 day scope
          4. Report back to CACTI regularly
          5. Culminate as an update at TechEx in September
          6. Members from all over our larger community
          7. AI: Nicole grab CACTI a working/open meeting time slot at TechEx [DONE]
          8. Goal: Charter done before our next call; Will iterate on it in the slack channel
          9. AI: All: Plan to attend TechEx in Minneapolis in September
        2. Other working groups?
          1. Internet Identity workshop (date/time?) Opportunity to discuss this topic with a wider audience - April 18-20th, Mountain View, CA 
          2. “What is the concept we want to prove?” - trying to find a use case that involves the more explicit control that a user has over the release of their information.
          3. Privacy-preserving controls and revocation. How is use restrained once the credential has been placed into the wallet?
      4. Additional subtopics?
        1. AI from last call: Go over the output from last year - Chris and Rob C’s discussion at TechEx. Things that we may want to prototype in this space?
        2. 20221207-ChrisPhillipsRobCarter-TandIOutlook2022.pptx - Google Drive
        3. TLS cert lifetimes getting shorter again - browsers want to go down to 90-day cert lifetime
        4. eduGAIN governance model changing - scalability
        5. 802.1x authentication using FIDO tokens (eduroam)
        6. IETF extension to RADIUS to allow BGP type of routing. Margaret interested
        7. (Gareth Wood) Update moving forward.

Next Meeting: Wednesday, April 26, 2023
