Notes and Action Items, AAC Call of 15-Feb-2017

 

Attending: Brett Bieber (chair), Tom Barton, Ann West, Emily Eisbruch

Regrets: Ted Hanss, Chris Whalen


Action Items

[AI] (Ann) will draft proposed changes to the FOPP and PA for baseline expectations and put those in the baseline expectations folder


[AI] (Tom and Brett) take Baseline Expectations implementation plan to next level over coming weeks.  
Report on 15-Feb is that progress is being made on this. See below.


[AI] (Tom) continue tracking the REFEDS MFA work and how it relates to the MFA Interop Profile work.
REFEDS MFA Profile doc should be ready for Consultation soon. Identifier to be assigned is “https://refeds.org/profile/mfa”.
Report on 15-Feb is: there was a bit of editing to the REFEDS doc and soon there will be a kickoff of the REFEDS consultation.

Discussion

Baseline Expectations

Draft Implementation Plan being developed by Tom Barton.

On the Baseline expectations implementation plan, there are questions of how enforcement would work that still need to be addressed.  Tom and Brett will be working on this.

Review Draft Processes to Implement and Maintain Baseline Expectations

Potential Impact of Baseline Expectation on InCommon Legal Agreements

It was noted that changing the InCommon Participant Agreement to accommodate baseline expectations is a significant task. Relevant references in the current InCommon legal documents are below:

InCommon Participation Agreement language re: Participant Operational Practices (“POP”)

https://www.incommon.org/docs/policies/participationagreement.pdf

 Section 6 Participant Responsibilities, item H

"Agrees to make available for distribution to InCommon and any InCommon Participant reliable and trustworthy information about Participant's identity management systems and/or resource management systems (e.g., IdPs and SPs) by documenting certain specific aspects of its operational and privacy practices in its own Participant Operational Practices (“POP”), a template of which is available on the InCommon website."

Section 10. Dispute Resolution Procedures

Participation Agreement Section 10. Dispute Resolution Procedures For Participants In the event of any dispute or disagreement between two or more InCommon Participants (“Disputing Participants”) arising out of or pertaining to their participation in the Federation, the Parties agree to make every reasonable attempt to resolve the dispute between or among themselves. In the case that such a dispute cannot be so resolved, the Disputing Participants may choose to submit the dispute to the InCommon Steering Committee. If the dispute is between an InCommon Participant and InCommon and arises out of or pertains to the participation in the Federation, or the dispute is between or among InCommon Participants and affects the Federation, the InCommon Participant(s) shall submit the dispute to the InCommon Steering Committee following procedures defined in the FOPP. The InCommon Steering Committee shall resolve the dispute in the best interest of the Federation. Participant agrees that all decisions by the InCommon Steering Committee concerning disputes between InCommon and Participant shall be final, provided that Participant may terminate its participation in the Federation (per Section 5.b) if it disagrees with a decision of the Steering Committee and shall not be bound by such decision.

 

 

InCommon Federation Operating Policies and Practices (FOPP)

 https://www.incommon.org/docs/policies/InCommonFOPP.pdf

7.3.1 Participant Operating Practices

A fundamental expectation of Federation Participants is that they provide authoritative and accurate attribute assertions to other Participants and that participants receiving an attribute assertion must protect it and respect any privacy constraints placed on it by the Federation or the source of that information. To support this goal, each Participant must describe its relevant operations in a Participant Operating Practices (POP) statement and share this POP with Federation Participants. The template POP is available on the InCommon website. In some cases, multiple systems can be described in one POP. A current version of the POP must always be available to the Federation and Participant Administrators. InCommon does not review such Participant Operating Practices against any criteria of performance. The POP is a self-asserted declaration by each Participant of its current practices. More information about POP requirements is available on the InCommon website. (InCommon FOPP, July 2016)

8 Dispute Resolution procedure

 


Should disputes regarding Federation services or the use of those services arise
among Participants or between a Participant and InCommon, the following
procedure is intended to affect a resolution. This procedure will evolve as the
Federation gains more experience with the types of disputes that may occur.
Upon resolution, a brief description of the dispute's issues and the resolution of those
will be communicated to Federation Participants by email or protected website,
unless non-publication is requested by any of the disputing Participants.

 

If InCommon legal documents are changed for Baseline expectations, this will be a change for every InCommon participant's Participation Agreement (PA), not just for new InCommon participants.

To avoid changing the PA, could there be a series of expectations that fall under something called the POP? Today the POP is required in the legal agreement, so can we inject the baseline expectations into what the participant agreement says about the POP? How could this mapping of the baseline expectations into the legal agreement work? Under this approach the expectations under the POP could evolve over time.

Question: do we need every org to check the box, to agree in some fashion to the baseline expectations? Or can we make adherence to baseline expectations an expectation even without every org checking a box? It was noted there needs to be some line of accountability.

We hope to accomplish two things:

  • Want to assume blanket compliance. Don’t want to have tags to indicate that some orgs comply and some don’t.
  • Want to have clear recourse if there is a dispute raised.  Need accountability.

Can InCommon Steering present the Baseline Expectations as a requirement by implication of what is in the FOPP?

Participation agreement (PA) Section H, which references the POP, lacks teeth now. But there are other sections, like C, that relate to items like what’s in Baseline Expectations (accurate metadata).

We want ability to gradually raise the bar over time, if needed, without having to redo InCommon legal contracts each time.

Decision: After analysis, the group decided it seems doubtful that just modifying the POP for baseline expectations will be sufficient. It will be necessary to modify the PA and the FOPP. Suggested plan is to revise section 6 of the PA, make it more generic and make it point to the Baseline Expectations which would be on a website with stable URL.  Use language around best interest of the federation.  Might need to include something else in the FOPP about the program and how baseline expectations may evolve.  The document should explain the process, stating the Federation is going to do things to implement baseline expectations so it is the expression of the community’s consensus.

Section 7 of the PA talks about federation services and collecting metadata. Possibly this will not need to be changed. Also, likely there will not be a need to change PA section 10.

It would be helpful to take time now to review what changes will need to be made to the PA before going much further on the baseline expectations.  Then consult with legal before moving ahead.

[AI] (Ann) will draft proposed changes to the FOPP and PA for baseline expectations and put those in the baseline expectations folder


Outreach to community around SP 800-63 Comment Period

InCommon Assurance Monthly Call for March 2017

AAC Notes

Global Summit Face-to-Face April 23-26

  • AAC F2F Tues. April 25, 2:30pm - 4pm


Next AAC call: Wed. March 15 at 4pm ET


 


 
