*Attendees*
Steve Olshansky, Internet2
Keith Hazelton, U. Wisconsin
Dave Damassa, Tufts
Bill Gordon, U. Cincinnati
Renee Frost, Internet2
Morgan Passiment, AAMC

*Discussion*
Tufts has applied for an NLM grant for additional development for TUSK. The Shibbification of TUSK will proceed when Shibboleth 1.0 is released.

Shib 1.0 should be ready for release next week. Support for Apache on Win2K will not be in 1.0 but should be out before the end of June.

Bill shared that U. Cincinnati has been awarded a four-year NLM Integrated Advanced Information Management System (IAIMS) grant. NLM wants you to integrate your computer systems to accomplish education, research, clinical practices, and training and show that the way you've done it can be extended to other institutions. On the e-courses web site they use an identity management system with an integrated database to provide training to students, staff, and other institutions. They are working on the priorities list and once it's finished they'll be able to better establish the timing of Shib and other projects.

AAMC identifiers. There is interest in AAMC in developing an application interface if there is an institution willing to work on it with them. A call will be set up to discuss a possible statement of work.

Internet2 fall meeting: Bill will be there and can talk about the Cincinnati pilot; a Tufts representative will talk about TUSK. Morgan will check to see someone from AAMC can attend and perhaps talk about the identifiers. Steve will submit a proposal for a medical middleware panel for the meeting.

Federations
The issues around federations are in the air because of Grid, Shib 1.0 and medical middleware. Why federations come up is because the normal way memos of understanding work is bilateral. More informal one-on-one negotiation of trust is fine for pilots but not for larger scale production. A federation scales that. It has a statement for how federation members will do things. By signing up you're agreeing to the rules. Once you're in you have some notion of the amount of risk you're exposing your resources to by letting people access them through Shib or anything else without relying on one-to-one negotiation. There will be federations that federate with each other.

Within the U.S. the medical space has enough differentiating factors to make a good case for a medical federation for the academic environment. The shape could be one of many. A lot of agreements are bilateral and don't scale well, so trying to negotiate a common baseline trust model that will serve all needs will be hard to do and may fall into some sub-federations based on trust requirements, for example HIPAA.

There will be different levels of assurance and policy around security. Some situations will be very complex. One situation is: You have data that you want protected if it's identifiable (associated with a person), but doesn't need to be protected if it's de-identified and will be used for teaching or research. A second situation is: A lot of the pathology data analyses for a hospital may be done at the university, which means there may be no clear lines of demarcation. From an academic medical school point of view they live in both the university and the affiliate hospitals world, which have different assurance level needs. They can join whatever federation their university is in for moderate or lower assurance. It's unclear if a moderate level medical federation will provide as much benefit as a higher assurance level one. There are also issues for validation and auditing -- what are the criteria, who's doing it, is it internal or external, etc.

The federation discussion will continue via the list to allow additional input/discussion.

The next call is Thursday June 26, 2003.

Action Items

[AI] SteveO will submit a MedMid session proposal for the Internet2 Fall Member Meeting
[AI] SteveO will arrange a follow-up call with AAMC and preliminary participants to discuss next steps on the identifiers issue