eduGAIN Steering Group Meeting
23rd March 2021 12:00 UTC / 13:00 Amsterdam: In your time zone
Arrival & "Can you hear me now?" (see eduGAIN SG - 2021 March#Connection Details)
Welcome, Introductions & Agenda Agreement
|Terry Smith, AAF, Chair|
Membership Updates and Joining
|Casper Dreef, Secretariat|
|Davide Vaghetti, IDEM, Service owner|
Team updates: Security team
Nicole Harris, GÉANT
Future SG meetings, Any other business, Summary and Actions
Meeting ID: 659 3425 9919
Join Zoom Meeting (Zoom client): https://geant.zoom.us/j/65934259919
- Join Zoom Meeting (Browser) https://geant.zoom.us/wc/join/65934259919
- Password is shared in the meeting invitation
One tap mobile
+442034815237,,65934259919#,,1#,108532# United Kingdom
+442034815240,,65934259919#,,1#,108532# United Kingdom
Find your local number: https://geant.zoom.us/u/cdf6Rmjelt
Join by H.323
- NB: The meeting will be recorded to assist with note taking.
Federations in Attendance (24)
- Australian Access Federation (AAF) - Australia
- SWAMID - Sweden
- UK federation - United Kingdom
- LEAF - Moldova
- PIONIER.id - Poland
- RiçercaNET Identity Federation - Malta
- RCTSaai - Portugal
- GRNET - Greece
- WAYF - Denmark & Iceland
- IDEM - Italy
- SWITCHaai - Switzerland
- eduId.hu - Hungary
- eduID.cz - Czech Republic
- HAKA - Finland
- AAI@EduHR - Croatia
- Sifulan - Malaysia
- Fédération Éducation-Recherche (FER) - France
- RIF - Uganda
- Canadian Access Federation (CAF) - Canada
- SIR - Spain
- CAFe - Brazil
- InCommon - United States
- TAAT - Estonia
- safeID - Slovakia
- Terry Smith (AAF)
- Pål Axelsson (SWAMID)
- Alex Stuart (UK federation)
- Valentin Pocotilenco (LEAF)
- Casper Dreef (GÉANT)
- Tomasz Wolniewicz (PIONIER.id)
- Daniel Muscat (RiçerkaNET Identity Federation)
- Esmeralda Pires (RCTSaai)
- Zenon Moumoulas (GRNET)
- Mads Freek Petersen (WAYF)
- Davide Vaghetti (IDEM)
- Thomas Bärecke (SWITCHaai)
- Attila Laszlo (eduId.hu)
- Jiri Borik (eduID.cz)
- Lukas Hämmerle (SWITCHaai)
- Maja Gorecka-Wolniewicz (PIONIER.id)
- Jani Heikkinen (HAKA)
- Mirolav Milinovic (AAI@EduHR)
- Nicole Harris (GÉANT)
- Anass Chabli (Fédération Éducation-Recherche)
- Derrick Ssemanda (RIF)
- Chris Pillips (Canadian Access Federation)
- Aristos Anastasiou (CyNet Identity Federation)
- José Manuel Macías (SIR)
- Jean Carlo Faustino (CAFe)
- Ann West (InCommon)
- Licia Florio (GÉANT)
- Halil Adem (GRNET)
- Sten Aus (TAAT)
- Hellen Nakawungu (RIF)
- Mario Reale (GÉANT)
- Martin Stanislav (safeID)
- Nicole Roy (InCommon)
- Marina Adomeit
- Wolfgang Pempe (DFN-AAI)
Welcome, Introductions & Agenda Agreement
The eduGAIN Secretariat has created a proposal that will be made available for consultation. Casper will share this with the eduGAIN SG mailing list and seek further information and consultation on the proposal. Action remains open.
eduGAIN Secretariat to write a proposal for a yearly audit process for eduGAIN federation details: https://docs.google.com/document/d/1G691ohEBW27GlnBN55iO7DdqxOpoqsz2xJArijmn9QQ/edit?usp=sharing
Membership Updates and Joining
The issues with the KRENA federation were resolved with help from the GÉANT Partner Relations team. This shows the suspension process is working as intended.
We’ve had very little feedback from the community so do not feel that it is possible to move forward with voting at this stage. All eduGAIN SG members are encouraged to review the documentation. We’d appreciate feedback even if this is just a quick “documentation all looks good”.
We are expecting new applications from the following federations over the next few months:
The certificate for the production metadata feed for eduGAIN will need updating. A recommendation has been received from the community not to change the url based on this change. The OT is happy to accept this proposal.
A key signing ceremony including pushing private key information to an HSM will be undertaken by the OT. There is no perceived threat to service delivery as the process has been fully tested previously and the process / technology works as the spec intends.
Question: will the fingerprint change? Yes, the fingerprint of the certificate will be different. The signature on the metadata will remain the same.
Question: why is the OT using short-lived validation period for the certificate?
Newly signed metadata will be made available on 29th March 2021 - we need to make sure the time this work is done is respectful of timezones. We also need to make sure that new federations are fully aware of the process.
Chris Phillips suggested also sending the information to the security contacts list. Tomasz W does not think there are any specific security implications for this process, however Chris felt this was still an operational change that might be valid for the security contacts to know.
- OT to send an information email to the security contacts
- Secretariat to create a mailing list from the eduGAIN security contacts
No notable updates - support tickets are very low.
7 federations are now providing data for the f-ticks pilot and all is working as expected. Turkey was the most recent to join. More federations participating would be very appreciated.
The team talked to the GÉANT GDPR officer on advice around the use of this data and good reasons as to why this can / should be shared.
AAF looking at a project to collect f-ticks within AAF.
Team updates Security team:
https://wiki.geant.org/display/eduGAIN/eduGAIN+Security+Working+Group+Charter+-+eSWG The eduGAIN Security Working Group has had several planning meetings and the information is available on the wiki. One of the priorities at the moment is defining a base mandate for the team - which is standard practice for incident response teams (RFC2350).
The eduGAIN Security Incident Response Handbook has been shared with the SG for comment but not feedback has been received. Comments are welcomed at: Security Incident Response Handbook Feedback.
Nicole Harris presented initial thoughts on a new eduGAIN model (for slides, see agenda). The biggest change would not require a change of the technical infrastructure, but would rather be how eduGAIN is being used by creating different types of categories and ask both IdPs and SPs to support these categories. Broadly speaking eduGAIN would support three category types: a type around Anonymous/Pseudonymous access, Affiliation Access and R&S Access.
It was recognised this will inquire a massive amount of work. But once a new model is in place it will be much easier for federation operators to provide support for their entities.
Terry Smith (AAF) and Ann West (InCommon) would welcome a new approach that could create consistency and creating some order would be very valuable for the federation operators.
Chris Phillips (CAF) noted that in these initial thoughts the multi-protocol support with OIDC is missing. Nicole pointed to the results of the REFEDS survey and said for many federation operations the demand for supporting OIDC is rapidly declining. Davide Vaghetti noticed that a solution to this could be in the use of proxy technologies.
Tomasz Wolniewicz (PIONEER.Id) asked if there is a threat to the accessibility and usage of the service for the entities and also how these proposed changes would be communicated with the entities. Nicole replied that the message will be clearer than it is today. For SPs there will be the benefit of getting the information from eduGAIN on what they should support instead of figuring that out themselves. Providing detailed information to entities would also make it easier to adopt the changes.
Implementing such changes would require a new membership agreement and updated policies.
Future SG Meetings, Any other business, Summary and Actions
Any Other Business:
CoCov2: best practice guidelines. Still GDPR compliant, only not formally ratified.
Future SG meetings 2021:
23 March 12:00 UTC
15 June 07:00 UTC
14 September 16:30 UTC
14 December 12:00 UTC