TAC Meeting 2015-10-29

Thursday, October 29, 2015
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT


Attending: Steve Carmody, Keith Hazelton, Ian Young, Scott Cantor, Tom Barton, Jim Basney, David Walker

With: Dean Woodbeck, Nate Klingenstein, Nick Roy, Tom Scavo, IJ Kim

Minutes from Oct 15 were accepted

Security Contacts in Metadata

Jim Basney recapped his Security Contacts presentation at the WISE workshop (regarding security contacts in metadata). The workshop included NREN and cyberinfrastructure people from Europe. The general response was that they need the security contact information and believe it is worthwhile to have this in metadata. There was also discussion about the need for periodic revalidation, given that about 10% of the information goes stale in any given year. One option would be to require revalidation once a year or have the federation operator send an email to each address to make sure it is still active.

There was also support for allowing people to register a URL for providing additional contact and security information and moving forward on this with REFEDS.

FYI, there are 99 out of 577 organizations that have security contacts in InCommon metadata (about 17%).

Update on the OTTO Working Group

Keith Hazelton presented an update on the OTTO working group in Kantara. The basic idea is to extend the notion of federation and metadata to the OAuth world (e.g. UMA, OIDC). They would like to learn from the lessons of the SAML community, particularly regarding federation metadata. The group has some concerns about the use of the metadata query protocol, but Scott mentioned that the protocol was designed to be extended to other query mechanisms. Keith will discuss this with Ian. There are still a number of tasks ahead related to scaling, the use of JSON, and other technical issues and decisions.

TIER Working Groups

Shibboleth Info


There is consideration being given to Introduce a new production aggregate, idps-registered-by-incommon.xml. The simpleSAMP.php SP (which is used by eduroam-US) cannot filter metadata like can. The new aggregate would allow an SP to to restrict activities to just InCommon IdPs. There is a question about whether the federation operator should do this, or give SPs a tool to do this themselves. We also want to be sure to accommodate other organizations that add entity tags (like UC Trust).
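As an added illustration (not from the minutes, and not InCommon or Shibboleth code), one way an SP could build the idps-registered-by-incommon view itself: keep only entities that carry an IdP role and whose mdrpi:RegistrationInfo names InCommon's registrationAuthority, https://incommon.org. The sample aggregate is constructed, and the script assumes the aggregate's signature has already been verified before it is filtered.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
INCOMMON_RA = "https://incommon.org"  # registrationAuthority InCommon stamps on its entities

# Constructed sample aggregate (not real InCommon metadata): two IdPs and one SP.
# Only the first IdP is registered by InCommon; the second names another registrar.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://other-federation.example"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def registration_authority(entity):
    """registrationAuthority asserted for one EntityDescriptor, or None if it has none."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if info is None else info.get("registrationAuthority")


def incommon_idp_entity_ids(aggregate_xml, authority=INCOMMON_RA):
    """entityIDs of IdPs registered by `authority`; entities with no
    RegistrationInfo are dropped, since no registrar vouches for them."""
    root = ET.fromstring(aggregate_xml)
    kept = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        is_idp = entity.find("md:IDPSSODescriptor", NS) is not None
        if is_idp and registration_authority(entity) == authority:
            kept.append(entity.get("entityID"))
    return kept


if __name__ == "__main__":
    for entity_id in incommon_idp_entity_ids(SAMPLE_AGGREGATE):
        print(entity_id)  # prints only https://idp.example.edu/idp/shibboleth
```

Passing a different authority value is how the same filter would accommodate another registrar's tags, such as those UC Trust adds.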

IdP of Last Resort

There was discussion about a method of migration, should individuals start with one IdPoLR and want/need to change to another. This and other challenges, plus a plan for dealing with them, are documented here: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=92472003

Next Meeting - November 12, 2015 - 2 pm ET