*Participants*
Minh Nguyen, Stanford (stand-in chair)
Andy Cohen, Stanford
Howard Stearns, University of Wisconsin - Madison
Tom Barton, University of Chicago
Steve Carmody, Brown
Keith Hazelton, University of Wisconsin – Madison
Terrie Clark, Internet2 (scribe)
Renee Frost, Internet2
Steve Olshansky, Internet2
Ann West, EDUCAUSE/Internet2
*Discussion*
The online Signet demo is functional. It may be changed based on input from
users; send any issues with, or comments about, the demo to the Signet WG
via the list.
The group discussed privacy and security requirements for Signet, in particular whether information about the privileges granted to others should be visible to all Signet users, to a few Signet users, or to none. If others' privileges are visible to everyone, a Signet user might want to know who holds a given privilege and how to contact that person. Conversely, the privilege holder might (per university requirement) require anonymity or privacy; an anonymous contact method was suggested as a possible solution in that case. Alternatively, could a privilege definition itself include the right to view other individuals' privileges? The current Stanford system restricts access to the system via group memberships, with privilege groups for faculty, staff and students. A future Signet should be able to define rules about who can see which privileges have been granted.
Anyone holding an authority, or part of an authority, can declare who may see the privileges granted under it. Should Signet restrict this, and if so, how: by level? What should the default be? Should viewing rights be part of an assignment? The answers will vary with the cultural practices of institutions, and requirements for granting, viewing and editing privileges will differ. Can the rule be applied at the subsystem level, or is it an individual assignment, with the grantor specifying that certain privileges may be viewed? Auditors should have a distinct Signet privilege that allows them to view all privileges. This issue will arise again once Signet is deployed in the VO (virtual organization) space.
In considering VOs, how will Signet grant a privilege to an individual whose identity is provided from an outside domain? Does Shibboleth provide a solution, or can this be accomplished through an enterprise Signet? This is a good argument against identity-based privilege assignment and for assigning privileges by Grouper role. The topic requires more discussion.
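As an added illustration (not Signet's own code or data model), the following Python sketches one way to combine the alternatives raised in the two preceding paragraphs: a subsystem-level default visibility, a per-assignment override chosen by the grantor, a dedicated audit privilege that sees every assignment, and grants made to a Grouper-style group rather than a named person, resolved through a membership lookup at check time. The subsystems, people, group names and the privilege names `audit-all` and `view-assignments` are constructed assumptions, not Signet vocabulary.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Visibility(Enum):
    """Who may see that an assignment exists (a constructed three-level scale)."""
    ALL = "all"                # every Signet user
    RESTRICTED = "restricted"  # grantor, grantee, subsystem viewers, auditors
    HIDDEN = "hidden"          # grantor, grantee, auditors only


@dataclass(frozen=True)
class Subsystem:
    name: str
    default_visibility: Visibility  # the subsystem-level rule


@dataclass(frozen=True)
class Assignment:
    subsystem: str
    function: str                 # the privilege being granted, e.g. "approve-purchase"
    grantor: str
    grantee: str                  # a person id, or "group:<name>" for a Grouper-style group
    visibility: Optional[Visibility] = None  # per-assignment override set by the grantor


class Directory:
    """Constructed stand-in for Grouper group-membership lookups."""

    def __init__(self, members: Dict[str, Set[str]]):
        self.members = members

    def is_member(self, person: str, group: str) -> bool:
        return person in self.members.get(group, set())


class Signet:
    # Assumed privilege names; Signet's real vocabulary may differ.
    AUDIT_SUBSYSTEM = "signet"
    AUDIT_FUNCTION = "audit-all"          # sees every assignment in every subsystem
    VIEW_FUNCTION = "view-assignments"    # sees assignments within one subsystem

    def __init__(self, subsystems: List[Subsystem], directory: Directory):
        self.subsystems = {s.name: s for s in subsystems}
        self.directory = directory
        self.assignments: List[Assignment] = []

    def grant(self, a: Assignment) -> None:
        if a.subsystem not in self.subsystems:
            raise ValueError(f"unknown subsystem {a.subsystem!r}")
        self.assignments.append(a)

    def is_grantee(self, person: str, a: Assignment) -> bool:
        """Direct grantee, or member of the group the assignment names."""
        if a.grantee == person:
            return True
        return a.grantee.startswith("group:") and self.directory.is_member(person, a.grantee)

    def holds(self, person: str, subsystem: str, function: str) -> bool:
        """Does person hold `function` in `subsystem`, directly or via a group?"""
        return any(
            a.subsystem == subsystem and a.function == function and self.is_grantee(person, a)
            for a in self.assignments
        )

    def effective_visibility(self, a: Assignment) -> Visibility:
        # Per-assignment override wins; otherwise the subsystem default applies.
        return a.visibility or self.subsystems[a.subsystem].default_visibility

    def can_view(self, viewer: str, a: Assignment) -> bool:
        # Parties to the assignment always see it; auditors see everything.
        if viewer == a.grantor or self.is_grantee(viewer, a):
            return True
        if self.holds(viewer, self.AUDIT_SUBSYSTEM, self.AUDIT_FUNCTION):
            return True
        vis = self.effective_visibility(a)
        if vis is Visibility.ALL:
            return True
        if vis is Visibility.RESTRICTED:
            return self.holds(viewer, a.subsystem, self.VIEW_FUNCTION)
        return False  # HIDDEN

    def visible_assignments(self, viewer: str) -> List[Assignment]:
        return [a for a in self.assignments if self.can_view(viewer, a)]


def build_demo() -> Signet:
    """Constructed sample data: subsystems, group memberships and grants."""
    directory = Directory({"group:auditors": {"dana"}, "group:staff": {"bob", "carol"}})
    signet = Signet(
        [
            Subsystem("signet", Visibility.HIDDEN),
            Subsystem("purchasing", Visibility.RESTRICTED),
            Subsystem("library", Visibility.ALL),
        ],
        directory,
    )
    for a in (
        Assignment("signet", Signet.AUDIT_FUNCTION, "root", "group:auditors"),
        Assignment("purchasing", "approve-purchase", "alice", "bob"),
        # the grantor hides this group-based grant regardless of the subsystem default
        Assignment("purchasing", "approve-purchase", "alice", "group:staff", Visibility.HIDDEN),
        Assignment("purchasing", Signet.VIEW_FUNCTION, "alice", "frank"),
        Assignment("library", "checkout-rare-books", "erin", "carol"),
    ):
        signet.grant(a)
    return signet


if __name__ == "__main__":
    s = build_demo()
    for who in ("frank", "carol", "dana"):
        print(who, [(a.subsystem, a.function, a.grantee) for a in s.visible_assignments(who)])
```

Running it shows the three questions from the discussion answered in one place: frank, who holds the per-subsystem viewing privilege, sees the restricted purchasing grant but not the one the grantor hid; carol sees the hidden grant only because she is a member of the group it names; dana, an auditor by group membership, sees everything. Whether the override should be allowed at all, and what the default should be, remain policy choices a deployment would set per subsystem.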
Since the next regularly scheduled call occurs the day after the US holiday
of Thanksgiving, the next call will be held on Friday, December 10, 2004 at
11:00AM ET.