*Participants*
Keith Hazelton, U. Wisconsin-Madison (chair)
Etan Weintraub, Johns Hopkins U.
RL “Bob” Morgan, U. Washington
Tom Barton, U. Chicago
Will Norris, USC
Brendan Bellina, USC
Michael Gettes, Internet2
Lisa Haanpaa, Internet2
Nate Klingenstein, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
Carry-over *Action Items*
[AI] {Scott} will revise the pilot proposal to add an entry for attribute definition space. (18-Jun-07)
*Agenda*
1. Status of review of proposal to add "library-walk-in" to eP*Affiliation controlled vocabulary
* Expressing licensed resource eligibility via an affiliation < https://spaces.internet2.edu/x/2xI >
2. Expressing level of assurance in InCommon - NIH pilots
* NIH Pilot Notes on Levels of Assurance < https://spaces.internet2.edu/x/EBQ >
3. Use case: A number of campuses outsource the running of their Shibboleth IdP to a single entity; What are the gotchas? Fixes?
*Discussion*
-Status of review of proposal to add "library-walk-in" to eP*Affiliation controlled vocabulary-
* Expressing licensed resource eligibility via an affiliation < https://spaces.internet2.edu/x/2xI >
The Group discussed the pros and cons of using the term ‘library walk-in’ and whether it adequately conveyed the intended meaning. As ‘library walk-in’ suggests a physical presence of the user in the actual library, there was concern about people using library kiosks, etc., who were not actually in the library building. There were suggestions of other terms to satisfy these cases, but in the end, language written into the contracts (by librarians, etc.) suggested that ‘library walk-in’ was still the best fit. After the call, {Keith} responded to the mailing list (cf. 24-Sep thread, subject: Request for Comment on proposed change to eduPerson), withdrawing his proposal to use the term “library-guest”.
-Expressing level of assurance in InCommon - NIH pilots-
* NIH Pilot Notes on Levels of Assurance < https://spaces.internet2.edu/x/EBQ >
The Group discussed the real world scenario of a single Identity Management infrastructure containing users and accounts at different levels of assurance. {Scott Cantor} had commented that the best way will still follow best practice – good practice. {Keith} wanted to hear from the Group whether there is sufficient common practice to suggest that one level of assurance is in fact a reality, and furthermore how to do it. The Group quickly confirmed that this was what was desired. Is it an item that the MACE-Dir Working Group wants to work on? {Bob} said that its existence in use would imply a decision of the architecture one way or the other. There was a suggestion to tighten up the language around level of assurance and suggest attribute names. It should state clearly that Level of Assurance is only as strong as the weakest link.
The Group discussed the NIST 800-63 publication and whether it covers all known issues or if there needs to be compensatory work. For example, how is level of assurance impacted at the federation level? {Keith} suggested defining schemas from a MACE-Dir point of view, and seeing how much time is spent mapping policy. {Keith} said he would revise and remove the NIST references from the document and propose a general structure of the values.
-Use case: A number of campuses outsource the running of their Shibboleth IdP to a single entity; What are the gotchas? Fixes?-
{Keith} briefly raised some of the issues around using eduPersonScopedEntitlement. As it may not be useful to some campuses, other attempts have and will surface, such as “library walk-in”. Rather than push for the adoption of eduPersonScopedEntitlement, he suggested that the group better define the exact problem they are trying to solve. This discussion will resume on the mailing list.
-Upcoming I2 Member meeting-
The Fall 2007 Internet2 Member Meeting will be held on October 8-11 in San Diego, California. All are invited to join the Directories BoF Monday morning, 8-Oct. For more details, see < http://events.internet2.edu/2007/fall-mm/sessionDetails.cfm?session=3470&event=273 >.
The next MACE-Dir Working Group call will be cancelled due to an overlap with the Internet2 Member Meeting. Therefore, the following MACE-Directory Working Group call will be held on Monday, October 22, 2007 at 4:30pm EDT.