Minutes
Attendees: Eric Goodman, Mark Rank, Judith Bush, Matt Porter, Matthew Economou, Joanne Boomer
Reps from other groups: David St Pierre Bantz (CTAB)
Staff / SME: Nicole Roy, Kevin Morooney, David Walker, David Shafer
Scribes: Judith Bush, Mark Rank
Updates
Canceling July 13 TAC meeting (concurrent with base camp)
No Agenda bashing
CTAB:
- Discussion on Operationalizing Baseline Expectations
- Narrative report “Operationalizing Baseline Expectations” https://docs.google.com/document/d/1pjvrkoyAF1P5HNAcwcN5Z1wMzBz6LlbRirb5wKemYak/edit?usp=sharing
- Reviewing REFEDS Assurance Profile v2
- Consultation is out: https://wiki.refeds.org/x/AQDOCw
- Similar to previous version, but not 100% backwards compatible
T&I and Ops update:
- Intermediate cert is now in place to bootstrap metadata signing
- Base Camp coming up
- CACTI first meeting of the Verifiable Credentials Working Group was today
- Kevin: Heather and Nicole were also at the TNC meeting, which was very good. TNC had a more global reach in the past but now has a more European focus.
REFEDS / Browser Changes
Blog post and notes are out regarding the last REFEDS meeting
Judith with update for Browser Changes:
As browsers continue to threaten the cross-site methods used in authentication protocols to fight navigational tracking, we see R&E community investment in testing as a way to have a strong influence on the evolution of these changes. The two issues currently unaddressed by FedCM (were we to use it as a signal to allow SAML protocol transactions) are:
- IdP picking from a list – and the massive scale they need to support in our community – and
- the hops that are implemented in many authentication flows involving hub federations, federated proxies, and proxies bridging non-compliant IdPs into the federation.
CTAB from Eric: see the in-process documents
- Narrative report “Operationalizing Baseline Expectations” https://docs.google.com/document/d/1pjvrkoyAF1P5HNAcwcN5Z1wMzBz6LlbRirb5wKemYak/edit?usp=sharing
- BE Operations Worksheet: https://docs.google.com/spreadsheets/d/1vpnHA3Tb2pPnehudX7y1g0aDn4f__97XECQrKRjSUao/edit?usp=sharing
REFEDS Assurance V2 is out for consultation, separately from the MFA Consultation. New profile is similar but not entirely backwards compatible because of government profiles. This will match more closely with government/regulatory profiles.
SP Middlethings/Federation Proxies
About a year ago (see https://docs.google.com/document/d/1RwWn2oXJqa3YwFF_vKuTsqoJkLQ7BJ9hYFOUStbJ1IY/edit – a document that framed the beginning of the discussion) we were addressing some of the challenges in federation participation and grew more aware of the challenges of SP Middlethings.
The TechEx community provided some push back on SP Middlethings being an issue (per the framing document).
We now have a working group report using “Federation Proxies” (using a term from NIST). See report: https://docs.google.com/document/d/1b6lGOb-OlaVSjFrmpkuR0NGhDAgNVynvXtLFqppt1Nw/edit
More prevalent usage in Europe as federation proxies. These are mediating, changing, viewing the information. This introduces the trust issues. The technological issues have been solved; it is more a matter of policy clarity. There ARE recommended actions for policies. There is less threat from the research & education community – commercial ventures may have different values. There may also be a threat of erosion of fees if a proxy fronts organizations that might otherwise be members of the federation.
Do use cases align with “The AARC Blueprint” virtual organization model? Should that be highlighted? (EduCause) Should “The AARC Blueprint” be called out? See “insight 2” – “The AARC Blueprint” offers technological solutions – See also “insight #3”.
With commercial SPs – e.g., SPs that are contracted with the specific members of the federation – how do we make clear who is really the federation member, or a platform (SaaS) that is licensed by a federation member? This is a policy arena, and may be outside of TAC.
There are opportunities for bad actors in this space without policy guidance. Baseline may be where these policy issues are addressed.
Can both documents be accepted? No objections. We accept this work.
The TAC does not believe the framing document needs consultation (in particular given its discussion at TechEx).
Would the TAC recommend a community consultation for the final report?
Steering would be involved after a consultation.
Mark Rank and Judith think the report recommendations are advice to make other decisions that then should go out for consultation. Perhaps this should go into InCommon Futures? – Stay on current trajectory -and- include in the futures process.
This should definitely go to steering now. We should share this with CTAB (in particular) and CACTI for feedback.
Next steps: Keith Wessel will circulate to CTAB and CACTI, also ask to put on August Steering agenda.
Then TAC may follow up on the recommendations.
Any TNC / REFEDS highlights?
Heather facilitated an Evolving federation session, recordings online
Nicole’s focus was on eduroam. “Mobility day” slides. Some InCommon opportunities in the eduroam space. The Verifiable Credentials conversations were high level.
Mary McKee was also at TNC and noticed the change in tenor to be more European focused, less global. Also, there was a passkey discussion – Apple doing “interesting” things?
Email Updates
International Update
From Heather F.:
TNC23
- Meeting recordings are now available: https://tnc23.geant.org/recordings/
- TNC24 will be in Rennes, France, June 10-14, 2024
REFEDS
- Blog post re: the REFEDS 46 meeting is now available: https://refeds.org/a/2933. In particular, we had a great discussion regarding the REFEDS Annual Survey, what the change in response rate might mean, and how to continue the survey in the future.
- Two consultations are currently open
- Consultation: MFA Profile v1.2 (open until 22 June 2023)
- Consultation: REFEDS Assurance Framework (RAF) v2.0 (open until 26 July 2023)
Conferences
- Several conferences of interest still on the agenda for 2023: https://github.com/fedidcg/meetings/wiki/2023---List-of-Identity-and-Related-Conferences
- If you are budget planning for 2024, a list of conferences for next year is under development: https://github.com/fedidcg/meetings/wiki/2024-List-of-Identity-and-Related-Conferences