**MACE Call 7-June-2010**
NOTE: Please read these minutes with an eye toward material covered by NDA that should be edited out before these are posted publicly...
NOTE: The next call will be in 6 weeks - July 19th - due to a conflict with CAMP on June 21st and the US Independence Day holiday on July 5th.
**Attending**
Renee Shuey, Penn State U. (stand-in chair)
Steve Kellogg, Penn State U.
Chris Hubing, Penn State U.
Leif Johansson, SUNET/NORDUnet
Mark Poepping, CMU
Chris Hyzer, U. Penn
RL "Bob" Morgan, U. Washington
Ken Klingenstein, Internet2
Jim Jokl, U. Virginia
Scott Cantor, The Ohio State U.
Tom Barton, U. Chicago
Paul Hill, MIT
Bob Dively, Columbus State U.
Michael Gettes, MIT
Ann West, Internet2
Steven Carmody, Brown U.
Nathan Dors, U. Washington
Renee Frost, Internet2
David Wasley, independent
Will Norris, Google
Neal McBurnett, Internet2
Steve Olshansky, Internet2 (scribe)
**Carryover Action Items**
[AI] (David) will contact GSA for an update on the approval process for InCommon Silver.
[AI] (ReneeS) will revisit the list of potential new MACE members on the list.
[AI] (All) Send input to Ken about how the InCommon cert service ought to be packaged - i.e. amendment to existing InCommon contract, or other.
[AI] (Ken) will revise the mission statement based upon feedback received on the call.
[AI] (Ken) will send out info on DHS secure online transactions.
[AI] (Ken) will follow up on a MACE/AMSAC call.
[AI] (Ken) will follow up with Kuali/Rice about I2MI collaboration.
[AI] (Ken) will draft a catalyst doc, covering the key items to be addressed in advising VOs how to use our infrastructure.
[AI] (Leif) will contact Ken/Steven/Tom about potential overlaps between the SDCI proposal and projects in the EU.
[AI] (Leif) will discuss the IDTrust meeting on the PKNG list, seeking feedback.
[AI] (Jens) will speak to an Eduroam rep about communicating with Educause.
[AI] (Ken) will draft and circulate a letter to Rice leadership, requesting input to roadmaps and use cases, and to ensure our projects with Kuali projects are aligned with their high-level strategic direction.
[AI] (Nate) will distribute information to the list about upcoming tactical issues facing MACE.
[AI] (All) send Bamboo IAM comments to Tom ASAP for coordination.
[AI] (All) Those interested in participating in the international collaboration activity should contact RL "Bob."
[AI] (RL "Bob") will contact a representative of Kuali Rice about coordinating a call.
[AI] (Ken and Mark) will distribute some information on trust anchors in the context of dynamic network configuration in GENI testbed, as well as for general access control.
[AI] (Ken) will circulate some meeting notes from the last TERENA/REFEDS meetings.
**Discussion**
- TERENA/REFEDS meeting report
Ken and Leif attended. There was a dedicated federation track in the TERENA meeting. The next REFEDS meeting will be the first outside the EU, on Sunday Oct. 31st before the Fall Internet2 Member Meeting in Atlanta. There were almost 30 R&E federations represented at the meeting.
The REFEDS meeting included discussion about raising some funding to hire a part-time person to advance the agenda. There is a very well qualified candidate identified, but not finalized yet.
There is a document being circulated covering the one year plan, which in some ways is also a ten year plan. Ken will forward it to the list.
The Shib Consortium was also among the topics covered, albeit briefly.
SURFnet ran a BoF on collaboration, which helped clarify domestication and access control as the next frontiers to tackle after identity. Several prominent VOs are now expressing interest in gaining cooperation from federations...
There was also a discussion about future re-architecture of identity and access management solutions for L2 and L3 services from GEANT, e.g. PerfSonar. There is hope of convening a meeting in the near future about strategies for moving this forward, including key IAM players, and in particular looking for a way to eliminate the SASL CA from Edugain. More to come on this as it develops.
- This month's theme is "Many Things Groups". Steven has lined up Will Norris, Nathan and Tom from UWash, some PSU folks working on Google Groups, and Bob Dively, CIO of Columbus State to join us for a special topic deep dive on Google Groups, provisioning, etc.
Steven prefaced the discussion with a brief level set. Many campuses have been running a groups infrastructure for many years now, and Grouper is now a fairly mature product. Many are pushing group membership info from Grouper into production directories and legacy apps.
The question then arises whether and how this infrastructure can be adapted for use with GAE. Collaboration is increasingly prevalent, GAE has been widely adopted, and groups must be managed and services provisioned for a wide array of constituents, so enabling the management of groups in this environment is a growing need.
Nathan discussed the UW experience. A data management committee has been convened, which covers their work with GAE. Also, a new privacy policy is rolling out, which includes preventing unsolicited contacts with users.
They plan to roll out some features with GSites related to e-portfolios, using class memberships. They are looking at the provisioning API to enable this, along with a new feature in the dashboard: a user-managed group service.
Who can manage group membership lists, and who can view them, are items of particular interest. Their goal is to have something rolled out for the upcoming fall semester.
SteveK then discussed the PSU perspective. They are looking at leveraging the various GAE apps in various ways, and holding extensive discussions with Google. They hope to utilize GADS (Google Apps Directory Sync) but are not certain yet if this will work as they want it to. It may be the case that the existing Google code doesn't have the necessary features, and that custom programming will be required by a Google business partner to enable the functionality they need, which if truly the case could be problematic. Do other campuses really want to reinvent these same wheels?
The question arose of managing who can view class list memberships, especially in relation to regulatory constraints like FERPA. Class members can see group membership for that particular class, but cannot see all the class groups that another person is a member of.
PSU has bumped up against some artificial API rate limiting issues, which may in fact be per admin account and not per domain. They are exploring this further.
Q: What would be the operational rate (ops/second) required to make this useful for PSU?
A: That info is not readily at hand just now. ~3 seconds/action is too long though... It takes ~36 hours to sync all course groups currently.
Bob Dively was asked about his experiences with GAE at Columbus State. They are a SunGard/Banner shop, with Luminis as their portal. They custom-wrote all of their provisioning APIs.
They are working with Google on mobile apps for Android, to connect their SIS to phones. As a result, they are able to create groups based on CRN and section numbers, which are used to provision classes with the students and faculty associated with those classes. Students cannot see the memberships of other classes.
All of their work takes place outside the SIS. Columbus State is a Google Trusted Partner, FYI. The question arose as to whether this status got them special versions of the APIs, but they wrote all of their own custom client code to talk to the standard Google APIs, and were not privy to any other information (e.g. covered by NDA)...
Q: What sorts of policy issues have arisen, e.g. gaps between Google offerings and what campus stakeholders are asking for?
A: The UIs on GDocs and Sites seem overly complex in how they present group choices for sharing.
There is no "picker" functionality, so the user needs to know the name(s) of the groups, unless they can derive those from their respective contact lists somehow.
Is anyone looking at auto-provisioning some groups into GAE, but still allowing local creation/management of groups by users? There appears to be interest in this, although namespace collision issues could be a problem unless local groups have a pre- or suffix.
Will noted that he works primarily on social apps, not GAE, although he clearly understands the higher-ed space. He will be following up with various folks at Google about questions and issues that arose on this call and will report back.
There will be followups on many of the topics discussed today at the upcoming Advance CAMP...