MACE-Dir Working Group BoF
Fall 2007 Internet2 Member Meeting
October 8, 2007

*Attendees*
Keith Hazelton, U. Wisconsin-Madison (chair)
Michael Gettes, Internet2 (co-chair)
Robert Banz, UMBC
Klara Jelinkova, Duke U.
John-Paul Robinson, UAB
Hiroyuki Sato, U. Tokyo
Susan Neitsch, Texas A & M U.
Brendan Bellina, USC
Will Norris, USC
James Cramton, Brown U.
Leif Johansson, Stockholm U.
Brent Putman, Georgetown U.
Roland Hedberg, NORDUnet
Milan Sova, CESNET
Diego Lopez, RedIRIS
Mike Grady, UIUC
Rodney McDuff, AAF/UQ
Lynn McRae, Stanford U.
Tom Barton, U. Chicago
David Bantz, U. Alaska
Alan Brenner, Ithaka
Lisa Haanpaa, Internet2
Jessica Bibbee, Internet2 (scribe)

*Agenda*
1. LOA for authentication: Is it needed? What determines it? How is it expressed?
2. ‘Library-walk-in’ as a new value of eduPerson*Affiliation, explicitly extensible to other physical locations at the licensing institution and to access from campus network.

** For agenda items not covered in the meeting, please refer to: <https://spaces.internet2.edu/display/macedir/Future+List>.

*Discussion*

-LOA for authentication: Is it needed? What determines it? How is it expressed?-
{Keith} summarized the issues surrounding level of assurance, particularly in light of the recent NIH pilot. There are still many issues regarding an assurance that the provided credential is indeed being presented by the named entity: What is the best way to represent level of assurance, i.e., in a single Identity Management infrastructure? What measure of identity proofing and improvements in the security space ought to be established? Who makes the final determinations? Where is it important to reach consensus, and where is fracture acceptable, in terms of moving the work forward?

{Keith} heard from the attendees that the majority expects their Identity Management infrastructure to deal with a wide range of levels of assurance. {Klara} mentioned that there is an explosion of affiliates on campus, as members of a student's family also wish to receive services requiring netIDs, but users are reluctant to provide the required SSN.

{John-Paul} asked whether there was an assumption to put all users in the same directory system, or whether there would be a need to have different levels of identity that would be understood by different systems. Is there a need to simply identify, or would a central place need to associate how the levels are identified? Not all Identity Providers would have a high level of assurance.

{Scott} offered a use case where the physical ID is irrelevant. In essence, some services care less about who they are servicing, and more that the service is being adequately paid for. There may be a level of assurance partition between applications, where it is not dependent on the type of person. {Klara} pointed out that while it may operate best from a single directory, there may not be matching institutional support. An important element is for application owners to reach agreement regarding the campus approach.

{Michael} saw the main issue as a matter of how many levels of assurance there will or should be. Other decisions are political decisions, e.g., whether one or more directories are used, or how many Identity Providers there are.

{Rob} asked about the best way to begin representing level of assurance: by following NIST rules? For example, how would one handle a situation where a user makes too many attempts to guess a password according to NIST guidelines, though it falls within an acceptable range as determined locally? Here is an opportunity to educate all on the impact at the institution level, though it may not be affected by a particular system.

The Group shared several ideas and varying perspectives on a best approach. There was a suggestion to document these ideas in the MACE-Dir wiki, for reworking as needed, until consensus is reached. Where does InCommon policy apply in this space? A conversation with the NIST folks may also shed light on these specific concerns. {Rodney} said that in Australia, NIST is the only one attempting to provide a metric for the difference between password authentication and certificate authentication.

{Leif} expressed a need to expose multiple vocabularies that accurately describe real-world activity. Others questioned whether it would be wise to expose those that were not deemed a good representation.

Another way to separate the issues is to view aspects as they relate to the Service Provider or Identity Provider. This carries concerns that are not new in the authorization space.

The NIH pilot will continue to drive this work.

-‘Library-walk-in’ as a new value of eduPerson*Affiliation, explicitly extensible to other physical locations at the licensing institution and to access from campus network-
There has been much discussion in the last month regarding the new ‘library-walk-in’ vocabulary. {Keith} gave a brief summary, stating that eduPersonEntitlement has proved inadequate in the case of a large Identity Provider in the UK. Existing values did not account for the case of the library walk-in, who, e.g., may not be part of their database, and so the ‘library-walk-in’ term was created. However, this term does not cover those in the IP space, so it still leaves room for confusion.

{Scott} pointed out that if the Group fails to provide adequate coverage for real-world usage, people will do as they need, leading to inaccurate usage of existing terms, such as ‘member’.

The danger of scoping everything is that there is no limit as to the extent of this space. {Scott} stated that continually adding affiliation values will be a slippery slope - uphill. {Brendan} suggested that they instead take the path of ‘how’ to scope things, as opposed to simply ‘what’ should be scoped.

The next MACE-Dir Working Group call will be held on Monday, October 22, 2007 at 4:30pm EDT.