*FOO Conference Call*
March 19, 2003

*Participants*

Ken Klingenstein -- University of Colorado/Internet2 (chair)
Peter Alterman -- NIH & Federal PKI Steering Committee
Steven Carmody -- Brown University
Brendan Dixon -- Microsoft
Renee Frost -- University of Michigan/Internet2
Michael Gettes -- Duke University
Ingrid Melve -- UNINETT
Bob Morgan -- University of Washington
David Wasley -- University of California Office of the President
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

Granularity of Privacy
One aspect of transactions between realms that many federations have made an effort to protect is the conservation of user information, expressed in terms such as least-privilege and attribute release policies. Such rules usually handle the release of information on a relatively atomic basis, such as attribute by attribute. While this is useful for the technology, there is some concern that it may be difficult for users to express levels of protection at that level. Things become vastly more complex when both the origin and target in any given transaction hold more than one federation in common.

Ingrid pointed out that there is an outstanding challenge in describing the combination of attributes and services in a meaningful way. Building a set of default policies and preferences may be very difficult, although discussion at the Internet2 Spring Member Meeting saw consideration of the idea of a privacy slider to govern attribute release, among other ideas.
This would be particularly difficult to manage in a more open-ended, loose federation. The group observed that, under P3P, sites can specify their encodings almost arbitrarily since there is no organization officially tasked with verification of P3P settings. There are a number of places where this could be technically collected, but there is an essential policy issue of ensuring that targets appropriately describe themselves. Brendan pointed out that, "if you only trust site A because site B says so, then you're going to site A through site B in a sense."

Federation Indemnification
The biggest model cited in the group's discussions of indemnification is that of credit card companies, where there are many merchants (targets), cardholders (origins), and some sort of a governing body for the federation (Visa). However, it is also unclear how often organizations in a federation would indemnify others.

There are limitations to this model, because it deals largely with transactions between single tiers; because individuals are origins, there is no concept of "user from the origin site." Peter observed that there may be an eventual need for at least two levels of indemnification: between the origin and the user and between the origin and the target. There was an open question about whether the organization facilitating the federation itself would be able to, in Michael's words, "step to the side and claim it's harmless."

Liabilities may not be limited to financial exposure, and it's almost certain that some sort of understanding of liability and indemnification needs to be in place for federations to form. Losses of privacy and other sorts of damage will still need to be spelled out and accounted for. As a closing comment, Peter said, "this whole discussion kicks everything out of technology into the land of lawyers," which is something the group should be aware of as it proceeds.

For more examples to work from, [AI] Ken offered to understand how liability is handled in agreements with Abilene & Internet2 membership and whether there is any sort of extension to that model. [AI] He also wanted to look at common acceptable use policies that people sign with institutions, and whether attribute release liability there could be addressed with an expression of due diligence and the best intentions.

Miscellany
Integration of PKI with SAML-style assertions for federated communications seems to be one of the deeper threads running through the problem space. The group observed that one of the biggest problems is making sense of the LoA offered by a compound assertion. The only solution presently available is populating the AuthenticationMethod element of SAML with a URI describing the level of assurance and PKI, rather than X.509's traditional OIDs. This offers relatively little ability to describe the intricacies of CPs and CPSs, and it is unclear what a relying party would be able to make of the URI.
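A relying-party check of the kind this paragraph leaves open, added here as an example and not code from the call or any FOO deployment: it extracts AuthenticationMethod from a constructed SAML 1.1 assertion, maps the standard SAML 1.x method URIs to assurance buckets of its own (the buckets and the example federation LoA URI are assumptions), and treats any URI it has no policy for as unknown so that access fails closed.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (a real value from the SAML 1.x specifications).
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Standard SAML 1.x AuthenticationMethod URIs mapped to assurance buckets.
# The buckets ("low"/"high") are this example's assumption: SAML 1.x itself says
# nothing about LoA, which is the gap the discussion points at.
KNOWN_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:am:password": "low",
    "urn:oasis:names:tc:SAML:1.0:am:X509-PKI": "high",
    "urn:ietf:rfc:2246": "high",  # TLS client certificate
    "urn:oasis:names:tc:SAML:1.0:am:HardwareToken": "high",
}
RANK = {"low": 1, "high": 2}  # "unknown" deliberately has no rank

def assess_assertion(assertion_xml: str) -> dict:
    """Extract the AuthenticationMethod URI from a SAML 1.x assertion and map it
    to the assurance bucket the relying party can justify. A URI it has no
    policy for, such as a federation-minted LoA URI, yields "unknown"."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f".//{{{SAML1_NS}}}AuthenticationStatement")
    method = stmt.get("AuthenticationMethod") if stmt is not None else None
    assurance = KNOWN_METHODS.get(method, "unknown")
    return {"method": method, "assurance": assurance}

def meets_requirement(assertion_xml: str, required: str) -> bool:
    """Fail closed: an assertion satisfies a required bucket only when its
    method is recognised and ranks at least as high as the requirement."""
    assurance = assess_assertion(assertion_xml)["assurance"]
    return assurance in RANK and RANK[assurance] >= RANK[required]

# Constructed sample assertions (not from any real deployment).
def _assertion(method_uri: str) -> str:
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed" Issuer="idp.example.edu" IssueInstant="2003-03-19T12:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="{method_uri}"
      AuthenticationInstant="2003-03-19T11:59:00Z">
    <saml:Subject><saml:NameIdentifier>alice@example.edu</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

PKI_ASSERTION = _assertion("urn:oasis:names:tc:SAML:1.0:am:X509-PKI")
# Hypothetical federation-specific LoA URI of the kind the discussion describes.
LOA_URI_ASSERTION = _assertion("urn:example:federation:loa:2")

if __name__ == "__main__":
    for name, a in [("PKI", PKI_ASSERTION), ("LoA URI", LOA_URI_ASSERTION)]:
        print(name, assess_assertion(a), meets_requirement(a, "low"))
```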

*Action Items*
1. Ken offered to understand how liability is handled in agreements with Abilene & Internet2 membership and whether there is any sort of extension to that model.

2. Ken will look at common acceptable use policies that people sign with institutions, and whether attribute release liability there could be addressed with an expression of due diligence and the best intentions.