MACE-Dir Call 25-Feb-08
**Attending**
Brendan Bellina, USC (acting chair)
Tim Crouch, U. Texas - Tyler
Tom Scavo, NCSA
Tom Barton, U. Chicago
Ann West, Educause/Internet2
Paul Hill, MIT
Steve Olshansky, Internet2 (scribe)
Note: Keith is on leave, and Brendan will be serving as acting chair pending his return.
**Carry-over Action Items**
[AI] {Bill Weems} will share a whitepaper addressing global Identity Management.
[AI] {Keith} will craft a survey question to understand what is going on within the eduCourse space in the real world, as it pertains to Section, and share with relevant mailing lists. (22-Oct-07)
**Discussion**
What do SPs and IdPs need to communicate about properties of identifiers?
Please reference the discussion on the MACE-Dir WG mailing list, beginning with the thread (subject: how to express a LOA/IAP) on 16-Nov-2007.
What about the case in which a user is at different LOAs for different SPs?
Should this be split into 2 attributes? Or more than 2? Is one sufficient, at least as a start? Does each attribute need its own assurance qualifier? Is a higher LoA by definition downward compatible, as far as SPs go?
Would one LoA be assigned to all users from an IdP? Likely not, probably one LoA for a majority of users with a subset having a higher or lower LoA…
Is the IdP smart enough to know to release a particular LoA on a per-application basis, or is this even important?
Note that InCommon is working on “Bronze” and “Silver” LoA levels, which very roughly correspond to NIST 800-63 levels one and two.
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
*eduCourse and isMemberOf*
UT-Tyler is interested in using this for their Blackboard implementation, and dynamic group population for other applications.
Are the multi-valued role types defined in eduCourseOffering and eduCourseMember sufficient for use in the real world, or do many campuses need to expand or modify?
*Virtual Organizations*
VOMS (Virtual Organization Membership Service) needs some URNs defined for the purpose of expressing group membership. See mails to the list 7-Feb and 25-Feb (subject “SAML V2.0 Attribute Profile for VOs”). SAML support is being added to VOMS, which is one of the drivers for this. How can group information be expressed in a SAML assertion, v. X.509 attribute certs?
isMemberOf seems to be a good fit for their needs, given its lack of constraints on the value space, but the particular values need to be worked out. What is the best approach for standardizing the attribute values?
In naming in general, and in naming groups in particular, it is helpful to align names with attributes. The clear delegation of naming authority which is implied by a URN namespace is a good thing, and among other things avoids overloading.
Scope may be important in this context, in the sense of referencing the source of authority for the attribute assertion, as distinct from the semantics of the assertion itself.
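As an added illustration of the naming-authority and scope points above (not code from the call or from VOMS), the following SP-side check keeps only those isMemberOf values from a SAML 2.0 assertion that are URNs under a namespace delegated to the asserting issuer. The issuer-to-namespace table, the sample assertion and the isMemberOf OID name are assumptions for the example.

```python
# Added example (not from the call notes): an SP-side check that isMemberOf
# values carried in a SAML assertion are URNs whose namespace the asserting
# IdP is authoritative for. The issuer table and sample assertion are constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# isMemberOf in SAML 2.0 URI name form (eduMember OID; assumed for this example)
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"

# Constructed trust table: URN prefixes each issuer may assert group names under.
AUTHORITATIVE = {
    "https://idp.example.edu/idp": ("urn:mace:example.edu:group:",),
    "https://voms.example.org/voms": ("urn:mace:example.org:vo:",),
}

def is_member_of_values(assertion_xml: str):
    """Return (issuer, [isMemberOf values]) found in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == IS_MEMBER_OF:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return issuer, values

def accepted_groups(assertion_xml: str):
    """Keep only group URNs inside a namespace delegated to the issuer.
    Bare names and values under another authority's namespace are dropped, so
    an IdP cannot assert membership in groups it does not own."""
    issuer, values = is_member_of_values(assertion_xml)
    prefixes = AUTHORITATIVE.get(issuer, ())
    return [v for v in values if v.startswith("urn:") and any(v.startswith(p) for p in prefixes)]

# Constructed sample assertion (unsigned; signature validation is assumed to happen earlier).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0" IssueInstant="2008-02-25T21:30:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>urn:mace:example.edu:group:physics-101</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:example.org:vo:atlas</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(accepted_groups(SAMPLE))  # ['urn:mace:example.edu:group:physics-101']
```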
Next call will be 10-March-2008 4:30 ET.