**MACE Call 24-May-2010**

 

**Attending**

Renee Shuey, Penn State U. (stand-in chair)

RL "Bob" Morgan, U. Washington

Ken Klingenstein, Internet2

Jim Jokl, U. Virginia

Tom Barton, U. Chicago

Paul Hill, MIT

Michael Gettes, MIT

Ann West, Internet2

Steven Carmody, Brown U.

Scotty Logan, Stanford U.

Nate Klingenstein, Internet2

Renee Frost, Internet2

David Wasley, independent

Neal McBurnett, Internet2

Steve Olshansky, Internet2 (scribe)

 

*New Action Items*

[AI] (David) will contact GSA for an update on the approval process for InCommon Silver.

[AI] (ReneeS) will revisit the list of potential new MACE members on the list.

 

*Carryover Action Items*

[AI] (All) Send input to Ken about how the InCommon cert service ought to be packaged - i.e. amendment to existing InCommon contract, or other.

[AI] (Ken) will revise the mission statement based upon feedback received on the call.

[AI] (Ken) will send out info on DHS secure online transactions

[AI] (Ken) will follow up on a MACE/AMSAC call.

[AI] (Ken) will follow up with Kuali/Rice about I2MI collaboration.

[AI] (Ken) will draft a catalyst doc, covering the key items to be addressed in advising VOs how to use our infrastructure.

[AI] (Leif) will contact Ken/Steven/Tom about potential overlaps between the SDCI proposal and projects in the EU.

[AI] (Leif) will discuss the IDTrust meeting on the PKNG list, seeking feedback.

[AI] (Jens) will speak to an eduroam rep about communicating with EDUCAUSE.

[AI] (Ken) will draft and circulate a letter to Rice leadership, requesting input to roadmaps and use cases, and to ensure our projects with Kuali projects are aligned with their high-level strategic direction.

[AI] (Nate) will distribute information to the list about upcoming tactical issues facing MACE

[AI] (All) send Bamboo IAM comments to Tom ASAP for coordination.

[AI] (All) interested in participating in the international collaboration activity contact RL "Bob."

[AI] (RL "Bob") will contact a representative of Kuali Rice about coordinating a call.

[AI] (Ken and Mark) will distribute some information on trust anchors in the context of dynamic network configuration in GENI testbed, as well as for general access control.

[AI] (Ken) will circulate some meeting notes from the last TERENA/ REFEDS meetings.

 

**Discussion**

 

1. Meetings

recent -

 

- IIW

Scotty attended. Facebook and Twitter are live with OAuth2, and others are looking into it. Approvals are done at a central AuthZ service in OAuth2... There are multiple profiles in OAuth2, vs. the one and only in OAuth1.

 

There is a proposal for OpenID Connect that is gaining traction. See http://openidconnect.com/

 

Q: What overlap is there, if any, between OAuth2 and Moonshot?

A: Not clear yet...

 

Q: Would OAuth do anything for perfSONAR and DCN?

A: probably not much there...

 

Q: How does this relate to trust and federation? How do the 2 endpoints authenticate to each other?

A: TLS, and signatures are optional in OAuth2

 

Google and Yahoo were reportedly talking about their solutions as "federated" instead of open...
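The trust question raised above (how the two endpoints authenticate: TLS, with signatures optional in OAuth2) is easier to see side by side in code. What follows is an added illustration, not material from the call or from any project mentioned in these notes. It builds the OAuth 1.0a HMAC-SHA1 signature of RFC 5849, which binds every request to its method, normalized URL and parameters, and beside it the OAuth 2.0 bearer header of RFC 6750, which carries only the token and leaves confidentiality and endpoint authentication to TLS. It goes slightly beyond the notes by also showing the URI normalization (host case, default port) that lets a server verify the signature even if the client wrote the URL differently. The URL, keys, secrets, token, nonce and timestamp are constructed sample values.

```python
"""Added example (not from the MACE minutes or any project discussed there):
OAuth 1.0a per-request HMAC-SHA1 signing (RFC 5849) next to an OAuth 2.0
bearer header (RFC 6750), showing what "signatures are optional in OAuth2"
means for endpoint-to-endpoint trust. All URLs, keys, secrets, tokens, nonce
and timestamp values below are constructed sample data."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(s):
    # RFC 5849 section 3.6: percent-encode everything except the unreserved
    # characters A-Z a-z 0-9 - . _ ~ (quote() never encodes those four symbols)
    return quote(s, safe="")


def base_string(method, url, oauth_params, body_params=None):
    """Signature base string, RFC 5849 section 3.4.1.

    Covers the HTTP method, the normalized URI (scheme and host lowercased,
    default port dropped, query removed) and every request parameter, so a
    change to any of them invalidates the signature.
    """
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    authority = host if port is None or default else f"{host}:{port}"
    base_uri = f"{scheme}://{authority}{u.path}"

    params = list(parse_qsl(u.query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += list((body_params or {}).items())
    # encode first, then sort by encoded name and value (section 3.4.1.3.2)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in params))
    return "&".join([method.upper(), _enc(base_uri), _enc(normalized)])


def sign_oauth1(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """HMAC-SHA1 signature, RFC 5849 section 3.4.2, base64 encoded."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    msg = base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify_oauth1(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """Server side: recompute over the request as received, compare in constant time."""
    expected = sign_oauth1(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def oauth1_header(oauth_params):
    """Authorization header, RFC 5849 section 3.5.1."""
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(oauth_params.items()))


def oauth2_bearer_header(access_token):
    """Authorization header, RFC 6750 section 2.1. The token is the whole
    credential: nothing binds it to the method, URL or body, so anyone who
    reads it off the wire can replay it against any resource it covers.
    TLS (server authenticated, token kept confidential) is what makes it safe."""
    return f"Bearer {access_token}"


if __name__ == "__main__":
    url = "https://API.example.com:443/resource?b=2&a=1"  # constructed sample
    params = {"oauth_consumer_key": "ck", "oauth_nonce": "n0nce",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1274745600",
              "oauth_token": "tk", "oauth_version": "1.0"}
    params["oauth_signature"] = sign_oauth1("GET", url, params, "cs", "ts")
    print("Authorization:", oauth1_header(params))
    print("Authorization:", oauth2_bearer_header("sample-access-token"))
```

The OAuth1 verifier rejects a request whose method, URL, query or secrets differ from what was signed, while the bearer header is the same bytes no matter what request it rides on; that is the practical content of "TLS, and signatures are optional in OAuth2".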

 

- CSG

Tom promoted InCommon Silver for the next meeting in January 2011, and it will be the focus of a small workshop then. Provisioning user groups and attributes also arose, whether locally or in the cloud.

 

- NSF FIRE

This was a workshop at Princeton run by CISE. It was about federating computing resources and more. Their model seems to be largely bilateral so far, not reliant on metadata.

 

Since our community understands attributes, there is apparently interest in proposals to move this work along.

 

- ROI on LoA

This was a meeting at NIH convened by the OpenID Foundation, motivated by the desire to have OpenID providers move up the LoA stack.

 

The question arose as to whether InCommon could or would scale to include all of the various entities that might be relevant to R&E...

upcoming -

 

- TERENA (includes REFEDS and collab meetings)

There will be a collaboration BoF led by SURFnet. The interfederation piece of eduGAIN may be a topic of some action... The potential roles of EMC2 and REFEDS in the forthcoming InCommon signing certs is an open question.

 

- IETF

There will be a number of EU usual suspects in attendance.

 

- CAMP and Advanced CAMP

CAMP will have ~150 attendees, and ACAMP will have 80. Planning is in the advanced stages, and is going well. The high attendance is apparent evidence of broad interest in open IAM systems in general, and I2MI in particular.

2. Reviewing new members issue

There was a discussion about MACE's role in coordinating IAM across the open source community, and how MACE membership could and should reflect that.

 

[AI] (ReneeS) will revisit the list of potential new MACE members on the list.

 

3. Discussion of some fed issues (international norming of Silver, safe SPs, interfed) in prep for TERENA

 

What are the expectations about international profiles aligned with InCommon Bronze and Silver, as to global consistency?

 

If there are examples of federations agreeing on standard practice across their boundaries, that would be helpful...

 

Q: is there anything in Silver that would not work internationally?

A: perhaps some things related to address and phone number, or government issued ID documents, which vary in other cultures. Otherwise probably not...

 

How do responsibility and reliability flow across international borders? What about cryptographic systems?

 

It was noted that NIST SP 800-63 has parts that are based on work from the UK and Canada.

 

There was a discussion of MDX vs. MDS, and it was noted that they have somewhat different design intentions...

4. Theme for June 7 call

Four possibilities were offered:

- provisioning

- GoogleGroups (related to provisioning topic)

- OAuth

- revisiting attributes outside the SAML context, especially in the signing context, and especially internationally

 

Preference on the call was for GoogleGroups and provisioning, since many schools are looking at this for the Fall semester. The suggestion was made to invite someone from Google to participate, TBD. This discussion will continue on the mailing list.

 

Q: are there open source systems that do provisioning?

A: yes, but not that work very well...

 

Ldappc-NG is Nexus-NG (from U. Memphis), and plugs cleanly into Shibboleth.

 

The suggestion was made to invite ACAMP attendees to this forthcoming call.