Contacts: David Groep (Nikhef) and Dave Kelsey (UKRI)

Starts: M1 - Ends: M24

Updates to the Blueprint Architecture require an evolution of associated policies and good practices for Research Infrastructure proxies and for the community organisation and identity assurance in the infrastructure. For the alignment of Research Infrastructure proxies, as concentrator points of services and data, we will

  • address information security for disciplines and infrastructures - some of which process sensitive data,

  • minimise the number of divergent policies and empower identity providers, service providers and user communities to rely on interoperable policies, and

  • provide reference models for acceptable use policy and privacy notice collection to improve cross-infrastructure user experience (since then users only need to click once).

To make federation more accessible to user communities, we analyse policy inconsistencies via FIM4R and:

  • provide a revised policy development kit for mid-sized communities using the research infrastructures,

  • provide guidelines on cross-sectoral trust in novel federated access models,

  • investigate researcher assurance through eID wallets and public (eIDAS) identity assurances.

Please note that the work in this WP continues in the existing channels: namely the policy list, FIM4R and IGTF

Coordination calls

There are monthly Policy Coordination Calls, currently supported by AARC TREE and the global community. You can of course review the notes at https://sharemd.nikhef.nl/s/gfrboBQm-, but are also warmly invoted to join the calls on the 3rd Monday of the month. You can find the call details at https://indico.nikhef.nl/category/101/



Tasks

Task 1: Research-infrastructure alignment and policy harmonisation (M1-M18)

  • The Operational Trust framework for Community and Infrastructure BPA Proxies (effort required 9 PM) provides the mechanisms by which Research Infrastructures can engage with the global identity federations by demonstrating their trust baseline and data protection. We will provide the trust- and information security guidelines for both the infrastructure ‘membership management’ and ‘proxy’ (aggregator) components in the Architecture beyond the current ‘Sirtfi’ baseline, created together with the current infrastructure proxies and sectoral provider federations and the research infrastructures(using FIM4R and the WISE information security community forums). The guidelines will become part of the revised Policy Development Kit. The result is a lower barrier to the integration of new research infrastructures and the incumbent (ESFRI) cluster proxies in eduGAIN and EOSC federations.

  • Besides the BPA proxy itself being a trusted party in federations, the responsible infrastructures themselves also need a framework to ensure their proxied services are properly handling data - so that they can participate in federation with confidence. The evolution and implementation of ‘Snctfi’ Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (effort required: 4PM) increases acceptance of research infrastructure proxies. This eases the flow of identity and attributes from eduGAIN, leading to a more effective research services landscape.

  • Users increasingly have to wade through consent and information screens while on the other hand, the proxies struggle with how to present information from large numbers of distinct services in a coherent and the required ‘understandable manner’ to the user. We will review infrastructure models for coordinated presentation and aggregation of ‘acceptable use policies’ and privacy notices , improving cross-infrastructure user experience (effort required: 8PM). This will result in recommendations on aligning presentations by proxies and presented to AEGIS for adoption by the proxy operators. The expected outcome is increased adoption of the ‘WISE Baseline AUP’, good-practice privacy notices, and fewer user clicks when accessing research resources.

Task 2: User-centric trust alignment and policy harmonisation(M6-M24)

  • Augment the Policy Development Kit with lightweight community policy templates (required effort: 6 PM) to enable federated access management for small to mid-sized research groups to research infrastructures. Not having the resources or expertise to maintain their own complex policy suite, we support them through templates and implementation guidance (FAQs) on community structuring, and integration with research infrastructure community AAIs across thematic areas. Analysis of the community minimum viable policy is based on the FIM4R requirements and the policies will ease access to services that require identity assurance and traceability of resource use.

  • New guidelines on cross-sectoral trust in novel federated access models (effort required: 8 PM) support communities that leverage modern (‘OpenID Connect Federation’ and token-based) federated technologies, using protocols originally devised for just bilateral (‘login with big tech’) trust. These guidelines enable increased trust in multi-domain scenarios and improve security in case of identity compromise and cyberattacks for federated research services, which are today encumbered by the widely-varying implementation of trust validity periods, implicitly assumed risk acceptance by federation peers, and inconsistencies. The guidelines will acknowledge the diverse requirements for researcher identity privacy vs. functional requirements (opaque user data vs. self-containment) on (OAuth2) token validity, scoping, validation, and privacy preservation.

  • Increased assurance in research services through eID identity assertions (effort required: 8 PM) has proven hard to obtain from home identity providers in the R&E sector. It is more readily available in the European government identity ecosystem, and we will provide an assessment of its applicability for users of research infrastructures dealing with sensitive data through the proxies in the revised AARC BPA model. Step-up to at least a substantial level could then be done at “home” through the user’s national eID scheme. If suitability is confirmed, guidelines will be provided via AEGIS.

  • To ensure anchoring of user-oriented policies in the research communities, they are developed via a co-creation process through the FIM4R research communities forum, reviewing the restructured policy development kit and proxy trust framework, together with the new AARC Blueprint Architecture (required effort: 4 PM). This ensures the cross-sectoral use of recommended best practices as well as the global adoption of the European model in collaborating infrastructures. Through joint workshops with WP3 (use cases), we ensure the stakeholder community (research and e-Infrastructures, ESFRI clusters, and nationally-structuring research communities) closes the trust and policy gaps using the joint policy development kit also for large structured communities across the thematic areas represented in FIM4R.

  • No labels