Item #1: Push to opt out?  Recommended that we allow for opt out only because opt-in would be complicated.  Suggested that the FOPP and AP be modified to reflect this.

Susan suggested that a timeline be implemented to allow for opt-out and asked that the opt-out and opt-in be clearly defined.  Suggested these terms be added to the glossary.

Comment: The goal of the Federation has always been to connect partners globally. (I’m not sure who made this statement)

Slogan: Authenticate locally and act globally

Question posed: Why would people want to opt-out?  It would be based on security and trust boundaries. 

Shibboleth and SAML – need to add to glossary so people understand what they are

Varied perceptions on who makes good global partners – export control issues, countries not on the “nice” list, etc.  Can institutions on an individual basis choose not to accept global partners?  For this it was discussed that we would need an enhanced set of documents and training materials. How would requests from hostile nations be handled?

Item #2: Standard InCommon metadata file would contain elements.  Would a disclaimer be needed - operational choice – critical question as far as updating trust policies. Do we need a crisp clear statement about management and control of..?  Data would be released by associated tag – registration tag.  Ann recommended this be assigned to TAC.  Policy would need to be changed for definition of entity and how to determine its origin – FOPP will need to be updated for this.

Item #3: How will metadata be published?  TAC need to reference or sub bullet PII, policy changes. Would be dependent on local decision; outside of local would be a contractual issue.  InCommon needs to be in better alignment with standards and practices. InCommon to refrain or stay away from the business of interpreting legal obligations.  Ann – need confirmation of legal compliance for use and sharing of data.  Need a mechanism to provide attestation of compliance.  Also need accountability and policy for privacy and protection of data.  This would be considered a “guiding principle” where we (InCommon) do not enforce or promulgate.  It needs to be the customer’s responsibility to verify each other.  Need to have declaration of compliance form entity.

Item #4: Research and Scholarship – out of scope for group.  It is tagged as an important and enabling factor.  Do we need to harmonize definitions?

Items #5 & 6: Nota bene

Item #6: section 2 needs editing and clarification

Item #7: Relationships – commercial interests that might create influence

Item #8: IDP = NSA requests – how will they be handled and processed? Statement: not involved with transactions.  Every entity has an Org name. Need to ensure who signs the agreement has ownership?  Do other federations do the same? Policy assumptions – ability for confidentiality, integrity and availability of metadata elements?

Discussion on each item too detailed.  May have to limit it to a timeframe of five minutes per punch item.  Suggestion was made to create a spreadsheet and have members complete, then compile responses. 

Discussion on committee’s true purpose and focus.  Are we to develop policy or forward suggestions to legal for changes? 

Conference call ended on item #8.  Next conference call to pick up on item #9. 
