*MACE-WebISO Conference Call*
October 16, 2001

*Participants*
Nathan Dors -- Washington (chair)
Steven Carmody -- Brown
Tom Dopirak -- CMU
Jim Farmer -- JA-SIG
Renee Frost -- Michigan/Internet2
Scott Fullerton -- Wisconsin
Michael Gettes -- Georgetown
Paul Hill -- MIT
Bob Morgan -- Washington
Ryan Muldoon -- Wisconsin
Russ Tokuyama -- Hawaii
Steve Willey -- Washington
Ellen Vaughan -- Internet2
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

Business Items / Miscellany

Russ Tokuyama has a demonstration site of Pubcookie up and running at the University of Hawaii, and has plans to use this internally for training, testing, and similar uses. His efforts to implement the ISAPI Pubcookie filter met with only marginal success. Several modifications to the installation procedure by Russ yielded greater success, and prompted the group to discuss the maintenance of a "contributions" part of the Pubcookie distribution. A contrib directory usually consists of useful plugins; it would be harder to maintain code changes to the main source in a contrib directory, since these are generally either integrated with the source or not. Eventually, the files in a Pubcookie contrib directory would either be merged with the main code base or phased out.

[AI] Ryan's action item was reworded to proceed with work on the requirements document, as it has been posted by Nathan.

Also for website maintenance, [AI] Nathan agreed to add a link to the MACE-WebISO message archives from the main project page.

[AI] Russ will continue to work on implementing Pubcookie as a security provider for the uPortal framework.

The University of Washington contingent wanted to point out a feature of Pubcookie which many may not have appreciated or looked at: Pubcookie supports multiple authentication types, which the application can request. This is coded such that any number (N) of potential types can be requested and handled separately by the backend. This has proven very useful in the local Washington implementation for getting other campus fiefdoms to adopt the central authentication system.

Tom and Nathan have considered development of a white paper to help people understand the Pubcookie model better. This document would give an abstract introduction to the design and discuss the software without going into the details of the implementation. This would both serve to help the less technically oriented and would remain relevant even as the implementation and operational details of Pubcookie shifted over time. It would include a high-level discussion of why an SSO system is more secure than having each application log on users individually.

Logout

One of the greatest challenges faced by any ISO/SSO system is management of logouts. This is difficult because there are many independent applications which the user might be logged into, and the ISO/SSO system has to provide session management. Many applications are accustomed to being able to define their own sessions and to prompt for a username/password whenever they deem it necessary. Control and proper use of logout can become primarily an API question, where the application needs to be aware of the SSO system and how to log itself out appropriately. Microsoft's Passport service is renowned for its ability to log a user out of all connected sessions simultaneously.

Pubcookie doesn't currently have a logout function, in order to limit the complexity presented to the user. The group wasn't certain that provision for a global logout, rather than a timeout, is necessarily a desirable trait. It was even cloudier whether providing a mass logout with Pubcookie would even be possible, because the login server can't kill session cookies with which it has no association; the application must do this. Passport cycles the user's browser through each open application to log out and destroy the cookie sequentially at each one. This requires a degree of application compliance which is difficult to mandate.

An interesting idea concerning level-based logout was suggested. In this scheme, each application would be assigned a level. A user would have the choice of logging out of an entire level rather than trying to log out of a single session or out of the entire session. This idea was decided against by the group in favour of presenting a simpler face to users, however. The simplicity also applies to sysadmins; a large number of bells, whistles, and options leads to a large number of login pages and a large amount of complexity for the university to maintain. Adding the ability for the user to choose the duration of the initial login might be another, simpler way to handle the session management difficulties.

[AI] Some language describing the necessity of handling logouts will be added to the requirements document.

Security Requirements

MIT wrote up a comprehensive description of the security requirements for any possible web-based sign-on system, which defined many of the potential vulnerabilities in the area. The group envisioned writing a document that served more to justify the direction in which it proceeded, in light of its security requirements and its decisions, rather than providing a broad survey of the landscape. There are several important security decisions which could be reflected in this document. A small discussion of the N-tier issues in any SSO system would merit inclusion, along with a pointer to a deeper reference on the topic; this could include a recommendation on how the middle tier is supposed to communicate with Pubcookie-aware applications. Many of the solutions that would be included in this document would depend on the implemented security architecture as well.

[AI] Shawn Bayern of Yale would be asked to elaborate somewhat on how the N-tier problems could be addressed, specifically as an API.

There are several other aspects of the security architecture which could be explored. Currently, when a user authenticates to Pubcookie through the chosen method, only a boolean is returned. The group pondered whether this was a sufficient return, or whether a broader and fuller API was important to define.

[AI] Russell agreed to consider this question further.

*Action Items*
1. Ryan will continue work on the requirements document, adding language describing how logouts should work with WebISO systems.
2. Nathan will add a link to the WebISO message archives to the front page.
3. Russ will continue to work on implementing Pubcookie as a security provider for the uPortal framework.
4. Shawn Bayern of Yale would be asked to elaborate somewhat on how the N-tier problems could be addressed.
5. Russell will consider further whether a true/false return from an authentication method for Pubcookie is sufficient.