InCommon Steering Committee Minutes - December 4, 2017

Attending: Michael Gettes, Ted Hanss, Dennis Cromwell, Klara Jelinkova, Sean Reynolds, Pankaj Shah, Marty RIngle

With: Brett Bieber, Mark Scheible, Von Welch, Ann West

Action Items

(AI) Ann will contact John Morabito, Internet2’s legal counsel, to discuss the issue of whether TAC members need to sign a conflict of interest statement.

(AI) Ann will forward the revised list of Steering nominees to Kevin for action.

(AI) Brett will discuss the issue of the number of IdPs running old versions of Shibboleth with the ACC/CTAB and determine a likely timeline for development of the community consensus process.

(AI) Ann will discuss Steering’s concerns about the number of IdPs that have not upgraded to Shibboleth IdPv3 and suggestions for Kevin (regarding the letter he will be sending).

Approval of Minutes

Minutes of the November 6, 2017, meeting were approved via the wiki.

AAC Name Change and Charter Change

Brett Bieber led a conversation concerning the proposed changes to the Assurance Advisory Committee,including changing the name to the Community Trust and Assurance Board (CTAB) and adopting a new charter for the CTAB.

The regular assurance community call and webinar is this Wednesday, Dec. 6, with the purpose of gathering any final community input on the proposed CTAB charter as well as to serve as a recruiting tool for new members to the CTAB. The charter includes a membership mix based on various constituencies, and also specifies the role CTAB will play in the Baseline Expectations implementation and maintenance.

Brett asked for approval to the charter pending discussion on the webinar, and assuming no major changes emerge. Steering approved the charter, assuming no major changes are received on Wednesday.

TAC nominations

Mark Scheible presented the list of five nominees for approval as new TAC members. The process TAC used included a call for nominations from the community, which resulted in 11 nominees. After the nominating window closed, TAC discussed the candidates and the mix of representation (IdP vs. SP, large vs. small institutions, other types of experience).

The new members will serve three-year terms. The nominees are:

Heather Flanagan - associated with many projects, including COmanage and the RA-21 library publisher project.

Judith Bush - OCLC - an important provider of services to the library community, including many InCommon participants.

Tom Demeranville - ORCID - based in the UK and involved with AARC and SURFconnext, as well as other European IdPs.

Eric Kool-Brown - University of Washington - a longtime software engineer on the UW IAM team with extensive experience with ADFS and well-connected with Microsoft.

Matt Brookover - Colorado School of Mines - An IAM systems engineer and involved with the school’s TIER Campus Success Program team.

There was discussion about whether TAC members have, or should, sign a conflict of interest disclosure that aligns with Internet2’s conflict of interest policy. The question arose specifically related to having TAC members that are also Internet2 contractors. The contractors are part of the identity ecosystem and it can be valuable to have them associated with TAC.

Ann clarified that TAC serves as an advisory body and mainly engages in requirements gathering, with working groups processes that are open. Any policy-related decisions have to be approved by the Steering Committee.

(AI) Ann will contact John Morabito, Internet2’s legal counsel, to discuss the issue and ask for a recommendation.

Steering Nominations for 2018

There are four Steering positions open for terms beginning January 1, 2018. Three current Steering members are eligible to serve a second three-year term and all three have expressed interest in doing so. Dennis Cromwell, who is resigning. His term ends December 31, 2019. The list of nominees is here: https://spaces.at.internet2.edu/display/INCS/2018+Steering+Nominations

The nominating process involves Steering recommending a slate of candidates to Kevin Morooney (in his role with Internet2, as the sole member of the InCommon LLC).

There was a general discussion about the desired mix of experiences represented by Steering members. In general, there is a desire to have someone representing research and to ensure that a regional continues to be represented. There is also a desire to ensure some sort of overlap with TIER. (Note that Pankaj and Von both recused themselves from this discussion).

(AI) Ann will forward the revised list of nominees to Kevin for action.

Participant Concern

There was discussion about issues raised in an email from a CIO from a participating campus. There is concern about security implications by having more than 100 identity providers running on old and unsupported versions of the Shibboleth Identity Provider (note that IdPv2 went end-of-life in July 2016 and no longer receives security updates or patches). The CIO proposes that InCommon create incentive to upgrade, such as charging a significant fee increase to those running the old software.

Steering discussed the pricing concept, along with the timeline for adoption of Baseline Expectations, which specifies running up-to-date software. The Baseline Expectation timeline, though, is dependent on adopting a community consensus process. (AI) Brett will discuss this issue with the ACC/CTAB and determine a likely timeline for development of the community consensus process.

Kevin plans to send a letter to the CIOs at all IdPs that are running unsupported versions of Shibboleth. Steering recommended that his message include mention that not upgrading will have impacts down the road, such as additional fees or, ultimately, removal of entities from the Federation. (Note: Kevin plans to send this email in early January). (AI) Ann will discuss Steering’s concerns and suggestions with Kevin.

GDPR

Ann noted that the upcoming Trust and Identity newsletter (to be distributed Thursday) includes a blog post concerning GDPR and its potential impact in the U.S., specific to federation.