*Participants*
Keith Hazelton, U. Wisconsin-Madison (chair)
Rob Banz, UMBC
Paul Hill, MIT
Etan Weintraub, Johns Hopkins U.
Joy Veronneau, Cornell U.
Victoriano Giralt, U. Malaga
R.L. “Bob” Morgan, U. Washington
Brendan Bellina, USC
Tom Barton, U. Chicago
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] {Keith} will send out a question about use of eduPersonEntitlement to EDUCAUSE-IdM, SCHAC, MACE-Directory lists.
Carry-over *Action Items*
[AI] {Scott} will revise the pilot proposal to add an entry for attribute definition space. (18-Jun-07)
[AI] {Steve} will edit the attribute definition to add an entry for eduCourseMember and share the URL with the list. (18-Jun-07)
[AI] {Keith} will send a note to the shibboleth-users and MACE-Dir mailing list once {Scott} has revised his proposal. (18-Jun-07)
[AI] {Keith} will forward an email from {Licia Florio} about coordinating NRENs and GRIDs. (18-Jun-07)
[AI] The Group will continue discussion around groupDisplayName on the 2-Jul-07 WG call, after CAMP. (18-Jun-07)
[AI] {Scott} will revise his proposal on MACE-Dir attribute profiles for SAML from 22-Apr and submit a new working draft. (4-Jun-07)
[AI] {Keith} will model (BPMN) common lifecycle of groups, life stages of groups, grace periods, etc., soliciting ideas from the MACE-Dir list. (7-May-07)
[AI] {Brendan} will review archives related to eduAccount and search for interested folks, eventually arranging a call focused on formulating the right questions to target a solution. (26-Mar-07)
[AI] {Keith} will draft a document covering registered MACE entitlement values. (11-Sep-06)
Future *Agenda Topic*
- Decision on revising MACE-Dir defined attribute profile for SAML (18-Jun-07)
* Mikael Linden, who knows about the only production uses of eduCourseMember in a Shibbed environment, does not see a problem with Scott's proposal. See excerpt from Mikael's email below agenda.
- c (country) attribute (c.f. Tom Scavo’s email, 22-Jan-07)
- Coordinating IdP practices around changes in Attribute Release Policy.
*Agenda*
1. Various issues around eduPerson and affiliations
* See MACE-Dir postings over the last week
2. groupDisplayName
* Time for some trial, experimental use to clarify issues?
*Discussion*
{Tom} reported on his meeting with {Leif Johansson} at CAMP about ongoing activities around participation in the NREN/GRID space. {Leif} said he’ll try to figure it out; he is involved with NREN-Grid conversations, but was unsure where they would lead. {Tom} will provide an update later once he has more to report.
-Various issues around eduPerson and affiliations, (c.f. MACE-Dir postings over the last week)-
{Keith} raised discussion around use cases of eduPerson and affiliations, as voiced on the mailing list. As there have been many responses reporting actual use of eduPersonAffiliation, eduPersonScopedAffiliation, and/or eduPersonPrimaryAffiliation, {Keith’s} initial response is to not deprecate eduPersonAffiliation. If eduPerson is useful, it should be used; otherwise it should be left alone. The Group needs to clarify why eduPersonPrimaryAffiliation should be used with caution.
{Bob} raised the point about what should be done for access control. Should eduPerson*Affiliation or eduPersonEntitlement be used as an alternative? {Keith} said the most widespread use case is poor access control. Entitlement and affiliation are different; the former represents privileges and the latter represents groups. Affiliation is not appropriate for access control. Is it possible to scope this more narrowly? {Rob} pointed out that there may be reasons for using any attribute, e.g., last name, for access control, not limiting the context.
{Bob} reminded the Group that what one does locally is up to each institution; if they are trying to establish practice, the ‘scope’ may point more to the context of federation. {Etan} saw a need to define what the values mean, then leave to the resource providers what they will use for access control.
The real question of this discussion is whether or not to deprecate eduPerson*Affiliation. No one on the call expressed strong opinions for deprecation. If the Group feels it should not be deprecated, the next steps are to decide what to do within the existing framework and how to firm up definitions. It will be better to make recommendations, rather than simply putting anything out there that anyone would use.
{Brendan} said that even if an attribute has purpose, the decision has been that if it is useful to share, then eduPerson is a good place for it.
[AI] {Keith} will send out a question about use of eduPersonEntitlement to EDUCAUSE-IdM, SCHAC, MACE-Directory lists.
The next MACE-Dir Working Group call will be held on Monday, July 16, 2007 at 4:30pm EDT.