**MACE-Dir Call 21-March-2011**
**Attending**
Keith Hazelton, U. Wisconsin - Madison (co-chair)
Brendan Bellina, USC (co-chair)
Scott Cantor, The Ohio State U.
RL "Bob" Morgan, U. Washington
Mark Scheible, NC State U.
Benn Oshrin, Internet2
Todd Piket, MNSCU
Ann West, Internet2
Mark Jones, UT-Houston TMC
Will Schneider, UT-Houston TMC
Bill Weems, UT-Houston TMC
Steve Olshansky, Internet2 (scribe)
**Next two calls:**
In two weeks: April 4, 2011: Access Code: 0179884# at 11:00 am EDT (GMT-4)
In four weeks: April 18, 2011: Access Code: 0169152# at 5:00 pm EDT (GMT-4)
**New Action Items**
**Carryover Action Items**
[AI] (Keith) will issue a last call for eduPerson edits, beyond EPTID revisions, for inclusion in a forthcoming revision.
[AI] (Keith) will develop a Bamboo use case for persistent identifiers.
[AI] (DavidB) will revise the Non-Authoritative Sources Survey.
[AI] (Keith) will write up the current state of the identifier discussion and apparent consensus, and associated explanatory material, for use by REFEDs.
[AI] (Keith) will edit the previous versions of the SAML Attribute Profiles documents to note that they have been superseded by a newer version.
[AI] (RL "Bob") will query the REFEDs list about whether identifier reassignability is an issue for them esp. in grid environments.
[AI] (Keith) will take a first pass at revving http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html in the wiki, then run it by the group for comment, with the goal of perhaps finalizing it in the near future.
[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.
**Discussion**
1. Need for identifiers with various properties - e.g. portability, persistence
The Challenge of Person Identifiers:
- There are legitimate needs to correlate information on one individual across multiple systems
- There are valid personal, custodial and legal concerns about a single, globally unique, permanent, portable and public identifier per individual
- Is there a solution that addresses both the needs and the concerns?
- A single, globally unique, permanent, portable and public identifier meets the need to correlate, but ignores the concerns
- There are methods for selectively linking identifiers with active consent of the individual
  - This would meet both needs
- These methods are less convenient for the developers of systems
- Convenience should not trump valid concerns
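The two approaches in the list above can be made concrete. The following is an added example (not code from the MACE-Dir group or from any eduPerson implementation): a per-relying-party "targeted" identifier derived with an HMAC gives each service a persistent handle for the same person without issuing one global, public identifier, and any cross-service correlation is possible only through an explicit consent record. The secret, user identifier and service entity IDs are constructed placeholders.

```python
import hashlib
import hmac

# Constructed IdP-side secret for the example; a real deployment keeps this in a key store.
IDP_SECRET = b"example-idp-pairwise-secret-do-not-reuse"


def targeted_id(local_user_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive an opaque identifier for one (user, relying party) pair.

    Persistent: the same pair always yields the same value, so a service can
    recognise a returning user.  Not portable: a different service gets an
    unrelated value, so two services cannot correlate the user by comparing
    identifiers.  The NUL separator keeps "ab"+"c" and "a"+"bc" from colliding.
    """
    msg = local_user_id.encode("utf-8") + b"\x00" + sp_entity_id.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ConsentLinker:
    """Records which pairs of targeted identifiers the person has agreed to link.

    Services may treat two identifiers as the same person only if an entry
    exists; the person can withdraw that link at any time.
    """

    def __init__(self) -> None:
        self._links = set()  # set of frozenset({id_a, id_b}); order-independent

    def consent(self, id_a: str, id_b: str) -> None:
        self._links.add(frozenset((id_a, id_b)))

    def revoke(self, id_a: str, id_b: str) -> None:
        self._links.discard(frozenset((id_a, id_b)))

    def linked(self, id_a: str, id_b: str) -> bool:
        return frozenset((id_a, id_b)) in self._links


def correlation_report(local_user_id: str, sp_a: str, sp_b: str, linker: ConsentLinker) -> dict:
    """Summarise what two relying parties can learn about one user."""
    id_a = targeted_id(local_user_id, sp_a)
    id_b = targeted_id(local_user_id, sp_b)
    return {
        "stable_at_a": id_a == targeted_id(local_user_id, sp_a),  # persistence within one SP
        "ids_differ": id_a != id_b,                                 # no correlation by value
        "linkable": linker.linked(id_a, id_b),                      # only with recorded consent
    }


if __name__ == "__main__":
    # Constructed user and service entity IDs.
    user = "jdoe@example.edu"
    lib, journal = "https://library.example.org/sp", "https://journal.example.net/sp"
    linker = ConsentLinker()
    print("before consent:", correlation_report(user, lib, journal, linker))
    linker.consent(targeted_id(user, lib), targeted_id(user, journal))
    print("after consent: ", correlation_report(user, lib, journal, linker))
```

The inconvenience the list mentions is visible in the code: a developer who wants to join records from two services cannot simply compare identifier values and must instead go through the consent store, which is exactly the property that protects the individual.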
BillW noted that they are dealing with aspects of identity, privacy, ID theft, and authn credentials and identifiers. At UT-H they are obviously focused on healthcare data, including integrity and access controls. Trust in the identity of users is obviously essential in this environment.
They are looking at e-mail clients that initially deny all senders unless they have been whitelisted, based upon requirements. How might this be scalable and still protect privacy?
Selectively linking identity information with the active consent of the individual would be useful, if a practical means of doing this could be found.
There may be analogs in K12 as students move between school districts.
At UTH, they have been looking at the ability for RPs to confirm that the same physical person is contacting them, in repeat encounters, even if they have never seen a particular credential previously. This quickly leads them into personal attributes, released only to those with a need to know. With the growing amount of personal information publicly available, this becomes more challenging and more essential. What are those things that users would really like to keep private, and how can this be accomplished while still enabling the desired ease of use?
Users are increasingly requesting collaborative systems for use with collaborators at external institutions, which increases the need for reliable identifiers. Determining levels of trust, which in turn drive authz decisions, can be challenging.
Authn credential providers are generally also the attribute sources. Splitting these functions is a scenario that is very possible in several environments, e.g. in healthcare multisite studies, which can encompass multiple disparate IRBs -- which must approve individual access requests, and who have difficulty determining the identity of users in a reliable, efficient, and trusted manner. The set of researchers could be in a national registry, in order to facilitate this process. The scenario of defaulting to maximum privacy is not always appropriate.
Scott noted that no one is assuming that attributes will be sourced from IdPs, but rather they are usually pulled from multiple sources and this can make privacy a challenge. This would be attribute aggregation, but could be accomplished via proxies. Accepting attributes from sources which are not authoritative is relatively common in the wild.
Documenting the various use cases envisioned would be useful, for obvious reasons.
It was observed that certain online VR environments (e.g. WoW) are now supporting the use of 2-factor authentication (e.g. credit card), although avatars may still be anonymous in their dealings with other users, and only identifiable under subpoena. This model may be extensible into other environments, and reduce the frequency of identity theft...
Correlating data about users from multiple sources in order to deduce identity is a growing concern, and in many ways it is as much a policy issue as a technical one.