eduGAIN Futures Working Group Charter

The final version of the White Paper can be found here.

1.1 Membership

The eduGAIN Futures Group membership is open to:

Any staff member of an eduGAIN Identity Federation.
Members of the eduGAIN Service staff, including eduGAIN Security Team, Operational Team, Support Team and Secretariat.
Recognised stakeholders from the wider eduGAIN community that are accepted by the group.

Members must be able to commit to attending eduGAIN Futures Working Group meetings on a regular basis, providing input to the eduGAIN Futures Working Group deliverables and support the implementation of the proposals developed in national federations and eduGAIN.

1.2 Goals

To review the REFEDS Baseline Expectations document and make proposals for changes to eduGAIN to support the baseline.
To identify key issues with current eduGAIN service provision and make recommendations for improvements (e.g. support mechanisms for CoCo and R&S, lack of service offer to Service Providers, technology support for OIDC etc).
To review the governance model for eduGAIN and make recommendations for improvements.
To cross-reference proposals with other working groups and the eduGAIN service teams.

Out of scope:

Direct policy revision - this work will be carried out based on the recommendations of this group.

1.3 Timeframe

It is expected the eduGAIN Futures Working Group will start work in November 2021 and complete it’s proposals by April 2022. Depending on the recommendations of the group, the timeline may be extended to help support implementation of changes within eduGAIN.

1.4 Support

The Working Group will be supported by the eduGAIN Secretariat. Tools available:

GÉANT wiki for minutes and documentation for the group.
eduGAIN Slack channel: edugain.slack.com.
Working Group mailing list: edugain-futures@lists.geant.org

1.5 Deliverables

The outcome of this group will be a document with a set of recommendations for the relevant eduGAIN teams / community.

Work Items

Goal 1:

To review the REFEDS Baseline Expectations document and make proposals for changes to eduGAIN to support the baseline.

Baseline Requirement	Potential eduGAIN Improvements	Stakeholders	Required Activities
[FO1] You focus on trustworthiness of Federation as a primary objective and are transparent about such efforts	Inability to filter out an entity Lack of updates regarding FO changes (solved by health check? / audit) Inability to take action over CoCo, Sirtfi, R&S violations Governance structure not fit for purpose
[FO2] You publish contact information and respond in a timely fashion to operational issues	Enforce FO security contact Enforce use of non-personal address for "contact" We don't have management contacts Poor response / participation from federations? Do we want to create aliases for each federation? e.g. caf@support.edugain.org? Regular testing of technical contacts as well as security contacts
[FO3] You apply security practices to federation operations and ensure timely incident response	Inability to take actions centrally (In particular any complaint about a Member shall be made to the operator of its Participating Federation and dealt with between that Member and that operator according to the rules of that Participating Federation and subject only to that Participating Federation’s governing law and jurisdiction) Lack of ability of eduGAIN to enact emergency changes and sanctions on entities Suspension correlation to eduGAIN “rules” Security of core eduGAIN infrastructure (MDS, websites etc). Ensure that we define timely for eduGAIN
[FO4] You follow good practices to ensure authentic, accurate and interoperable metadata to enable secure and trustworthy federated transactions	Inability to offer SPs a guaranteed response from specific IdPs - experience of trying to connect is too varied. Some technical checks are informal (e.g. checking the UK import issues list) and not formalised. Too many different tools, lack of one process for checking metadata issues. What is "accurate" what is "interoperable"? is "consistent" part of this? Is it just about metadata? about the protocol messages? Overview of the tools and description of what each does (landing page). Metadata propagation and how we improve
[FO5] You implement and support frameworks that improve trustworthy and scalable use of Federation and promote their adoption by members and other participants	Governance structure not fit for purpose Need to enforce standards like CoCo, R&S, Sirtfi, assurance, MFA and more Assurance? Adoption and promotion mandate
[FO6] You collaborate with other organisations to promote realization of baseline expectations nationally and internationally	Need to implement the baseline first. Continuous work to ensure that compliance is met.

Goal 2:

To identify key issues with current eduGAIN service provision and make recommendations for improvements (e.g. support mechanisms for CoCo and R&S, lack of service offer to Service Providers, technology support for OIDC etc).

Core areas mentioned:

MFA
Assurance
R&S / Personalised Entity Category
CoCo
Sirtfi
Changes to federation models - e.g. eduID.
Missing services - e.g. service catalogue.

Proposed model suggestions from previous discussions:

Goal 3:

To review the governance model for eduGAIN and make recommendations for improvements.

Core areas raised:

Current eduGAIN SG is more of an assembly and is not an effective decision making body.
Current eduGAIN SG is limited to federation operators.
Need for a smaller, elected focused SG?
Need for technical support committee? Reference / advisory groups for other stakeholders?
Need a better way to review and accept new federations.
What does the new model need to achieve? Decision? Oversight? Review?

Goal 4:

To cross-reference proposals with other working groups and the eduGAIN service teams.

References

Slides from eduGAIN session: https://docs.google.com/presentation/d/1UvYpMvjFzKYG1eYjSjIqSKmB6pyTZOeI/edit#slide=id.p1.

Page tree