Minutes

Attending: Joanne Boomer, Matthew Brookover, Judith Bush, Matthew Economou, Heather Flanagan, Eric Goodman, Matt Porter, Steven Premeau, Mark Rank, Keith Wessel

With (Also Starring): David Bantz, IJ Kim, Les LaCroix, Johnny Lasker, Nicole Roy, David Walker, Albert Wu

Regrets: (none)

Status Updates - Q&A

2021 TAC Accomplishments

Liaisons to Committees

  • Eric is willing to continue as the CTAB liaison.
  • Matthew Economou would like to bow out as the CACTI liaison.

2022 Work Plan Brainstorming Continued

  • https://docs.google.com/document/d/198NXwKaVIBlsldY_3BH8iboMJ8eSK2hbyftWKXIPcQA/edit
  • We’ll split standing items, like HECVAT and Browser Changes, from work items.
  • Is there anything that should be removed?
    • No, assuming we separate the standing items
  • Heather: Should we add a work item about the future of federations?

    • Nicole: CACTI would also be interested in this. We should create a joint working group.

      • Heather arranged with Rob Carter to work on a draft charter.

    • Albert: Federation future impacts are not only technology; there’s also the participation/business model.

      • This is an opportunity to expand our collaboration to other stakeholders.

      • It may be best to keep this particular working group scoped to technology, however.
    • Keith: There’s also NIST SP 800-63-4
      • This may be more for CTAB

      • The REFEDS Assurance group is looking at these issues

      • Adoption is the hard issue

        • Assurance issues are largely non-technical, more about process.

        • Common practices (e.g., I-9) do not always match assurance requirements exactly (e.g., the requirement for government-issued photo ID).

          • These are often at the level of a detail, but can hamper deployment nevertheless.

          • There could be value in surfacing such issues to NIST and others setting requirements. They may be willing to make adjustments in future revisions.

        • Judith: Libraries typically have different classes of users that go through different identification processes. Do campus IAM systems support this?
        • For requirements from, for example, NIH, there are a small portion of users at a campus like Berkeley who need the extra assurance.

    • The EU is pushing for digital wallets.

  • We’ll continue the work plan discussion next time.

Review InCommon Discovery Futures Recommendations (Mark)

Next Call January 27, 2022

EMail Updates

International, SeamlessAccess, and Browser Interaction updates


Subject:[TAC-InC] International, SeamlessAccess, and Browser Interaction updates - 13 January 2022
Date:Thu, 13 Jan 2022 08:25:22 -0800
From:Heather Flanagan


International Update
REFEDS

  • Hannah Short has stepped down from the REFEDS Steering Committee, with Dr. Thomas Bärecke (Switch) joining to start his two-year term.
  • The Code of Conduct Consultation closed on December 10, 2021, with 27 official comments recorded. Resolution of those comments will happen this month.
  • The Baseline Working Group is considering its work done (for now). That working group is closing, though there is always room to re-open it pending interest and work items coming from the community.
  • The draft workplan for 2022 is available here; the REFEDS SC will be voting on its acceptance at their next meeting in February.
  • The R&S Working Group has started work to harmonize the Anonymous Authorization and Pseudonymous Authorization entity categories with the Personalized Entity Category. Included in this effort is a first draft of Federated Authorization Best Practices. The working group is looking for feedback on that article via the rands@lists.refeds.org mailing list.


SeamlessAccess
The product roadmap is always available to the public: https://seamlessaccess.org/services/

The current development priorities are support for internationalization (multi-language call-to-action buttons) and IdP hinting and filtering.

Browser Interactions
The W3C FedID CG continues to meet every week, and has formally adopted Google's Federated Credential Management API as a work item. This means that the community group focuses on its development and prepares it for handoff to a W3C working group for final standardization. The community group is open to other work items if and when other individuals or organizations have potential solutions to solve for the problem of keeping federated authentication (both OIDC- and SAML-based) working in a no-hidden-tracking world. The community group is entirely focused right now on what happens when third-party cookies go away, and since the implications for that are all OAuth/OIDC related, that's where the development work is happening. The group will not spend much time on link decoration or redirects until there is a more stable solution for third-party cookies.

For services that use cross-origin access in browser local storage but which do not use cookies (e.g., SeamlessAccess), Google is working on a Shared Storage project; this is not the same as Apple's Storage Access API. It is not (yet) clear whether Shared Storage will solve for the SeamlessAccess use case.

Fed 2.0; FedTest


Subject:[TAC-InC] Fed 2.0; FedTest
Date:Thu, 13 Jan 2022 17:50:36 +0000
From:Bush,Judith

Fed 2.0 keeps pushing along and is inching close to a report that hopefully makes clear that the current landscape of organizational participants are doing a fine job but the need is for “an Academic Interfederation that can execute global strategy, react to external opportunities and threats, and coordinate resources to streamline processes and reduce cost.”

FedTest will begin getting my attention soon by a message to all the folks I can find who engaged with the deployment profile.

CACTI meeting minutes - January 4, 2022


Subject:[TAC-InC] CACTI meeting minutes - January 4, 2022
Date:Thu, 13 Jan 2022 13:03:02 -0500
From:Matthew X. Economou

[Editor's Note: These CACTI meeting notes are draft, not yet approved.]

The majority of the meeting was spent reviewing the log4j vulnerabilities and their effect on the federated IDM software supply chain:

  • (Mis)appropriately-formatted log records can invoke remote execution by log4j, a security issue for any application that includes log4j. It's a supply chain issue, but it caught many people unawares, making it also an incident response issue.
  • This happens all the time, also with vendor products. The community needs to think about how to utilize communication channels to share information, often only for awareness, but (when appropriate and authoritative) also details about the vulnerability and what to do.
    1. Whose role is this? REN-ISAC? CACTI? Internet2? eduGAIN?
    2. This is a good topic for CACTI this year.
  • Understanding our dependencies is very important. Minimizing them provides more flexibility but increases the difficulty of creating software.
  • Steve: This problem is an ocean, and we can’t boil more than a bucket.
  • Rob: This can be added to the questions the new work group will be asking the community.
  • Kevin Hickey in chat: A zero day such as this only allows for reaction. I guess the question is, what can be planned in advance to assist the reaction.

CACTI leadership is developing the 2022 work plan, to be discussed at the next meeting.