*MACE Conference Call*
April 21, 2003
*Attendees*
Bob Morgan (chair) - Washington
Renee Frost - Michigan/Internet2
Steve Olshansky - Internet2
Neal McBurnett - Internet2
Steven Carmody - Brown
Jim Jokl - Virginia
Ken Klingenstein - Colorado/Internet2
Scott Cantor - OSU
Michael Gettes - Duke
Mark Poepping - Carnegie Mellon
Ton Verschuren - SURFnet
David Wasley - UCOP
Ben Chinowsky (scribe) - Internet2
*Discussion*
The group reviewed the middleware discussions at the recent Spring Internet2 Member Meeting. Foci included InCommon, next steps for the CREN CA, and authorization; feedback from attendees was strongly positive. Ken noted that material from the Wednesday evening authZ session will form the basis for presentations at the July 8-11 Advanced CAMP (http://www.educause.edu/conference/nmi/camp033/), which will focus on authZ. Presentations from the Member Meeting are at http://events.internet2.edu/p_by_events.php?evt_id=134.
Bob reported back from the TERENA AuthN/Z meeting. Representatives attended from many countries; rough consensus was achieved on an architecture that will allow all to use their authentication information from Athens (the overwhelmingly dominant authentication service for R&E in Europe) with local, "devolved", Shibboleth-like authentication schemes. Athens recently committed to providing another three years of service. Bob noted that the technology is not separable from Athens in the way that Shibboleth has been designed to be separate from its implementations. [AI] Bob will send out more details on the devolved authentication schemes discussed at the recent TERENA meeting. One product of this meeting was a comprehensive whiteboard diagram showing how all the pieces might fit together; [AI] Ton will send MACE his ASCII-art version of the TERENA authN/Z diagram.
Much of the call was devoted to a discussion of the development of InCommon, the future of the CREN CA, and how these relate to federations more generally. Ken noted that an early proliferation of federations seems increasingly likely, raising fears of chaos. The leading approach to keeping the chaos under control is to build a global metadata registry for all Shibboleth federations; a separation would be maintained between the metadata and the trust architecture, of which the ex-CREN CA would be a significant part. Ken noted that the Liberty Alliance appears to be moving toward similar views on managing federations; [AI] Ken will pursue federation-management discussions with Liberty. Steven stressed that as different federations will likely have very different policy requirements, whatever structures are created will need to remain as flexible as possible. Scott emphasized the urgency of deciding on criteria for federation membership: the sooner we do this, the sooner prospective federation members will be able to move toward meeting these criteria. Ton noted that Swiss universities are being encouraged to deploy Shibboleth, so there will be at least one Shibboleth-based federation in Europe. Bob stressed the importance of having as much consistency as possible between the membership of the Internet2-operated CA and the Internet2-operated Shibboleth federation. Ken noted his particular concern with the scenario in which a user belongs to two federations, one of which (the "rubber squeeze toy federation") offers rewards for exposing attributes.
It was suggested that producing a "What is a Federation?" document setting out some basic criteria might be a good next step; [AI] Ken will send MACE his slides from the 2nd Annual PKI Research Workshop, which include a definition of a federation. Scott noted that the idea of the "What is a Federation?" document would be to specify not so much what a federation is, but more what it can be -- to set parameters rather than rigid rules -- and there was general agreement. [AI] Ken will send MACE some papers from Liberty that bear on the question of what a federation could be. Ken wants to see the ex-CREN CA operational by July 1; a priority over the next few weeks will be to develop a policy that the CA would be comfortable recommending to InCommon federations, together with a business model.
Finally, Michael noted the announcement of version 6.0 of Adobe Acrobat, which includes support for PKI. See http://www.adobe.com/security/ for more information.
*Action Items*
[AI] Bob will send out more details on the devolved authentication schemes discussed at the recent TERENA meeting.
[AI] Ton will send MACE his ASCII-art version of the TERENA authN/Z diagram.
[AI] Ken will pursue federation-management discussions with Liberty.
[AI] Ken will send MACE his slides from the 2nd Annual PKI Research Workshop, which include a definition of a federation.
[AI] Ken will send MACE some papers from Liberty that bear on the question of what a federation could be.