eduGAIN Steering Group Meeting
Tuesday 30th January 2017, 14:00 - 15:30 CET (in your timezone)
Please Note that the above time is CONFIRMED.
|Arrival & "Can you hear me now?" (see Connection Details)|
Welcome, Introductions & Agenda Agreement
Hanging Issues for Members and Participants
|14:30 CET||ROBOT Attack (PDF) Shannon Roddy|
|14:45 CET||Revision of the eduGAIN Policy Framework|
Any other Business
Future SG Meetings
Summary, Actions and Close (or we're running over time).
- SIP: firstname.lastname@example.org
Federations in Attendance (22)
- Belnet Federation
- Brook Schofield, GÉANT
- Casper Dreef, GÉANT
- Nicole Harris, GÉANT
- Alejando Lara, REUNA/COFRe
- Alex Mwotil, RENU/RIF
- Anass Chabli, RENATER/FÉR
- Ann West, InCommon
- Nick Roy, InCommon
- Shannon Roddy, InCommon
- Wolfgang Pempe, DFN
- José-Manuel Macías, RedIRIS/SIR
- Sten Aus, EENet / TAAT (Estonia)
- Guy Halse (SAFIRE/TENET)
- Chris Phillips, CANARIE/CAF
- Esmarelda Pires, RCTSaai
- Jiri Borik, eduID.cz
- Lukas Hämmerle, SWITCHaai
- Marina Adomeit, GN4-2
- Miroslav Milinovic, AAI@EduHR
- Pål Axelsson, SWAMID
- Stefan Winter, RESTENA/eduID.lu
- Saeed Khademi, IRANet
- Simon Green, SGAF
- Terry Smith, AAF
- Valentino Pocotilenco, LEAF
- Zivan Yoash, IUCC/IIF
- Pascal Panneels, Belnet Federation
- Barbara Monticini, IDEM
- Andi Malaj, Albania/RASH
- Arnout Terpstra, SURFnet
- Rhys Smith, UK Federation
Welcome, Introductions & Agenda Agreement
The Chair welcomed everyone to the 1st meeting of 2018. The agenda was adjusted to put the ROBOT attack presentation ahead of discussion on the Policy Framework.
One (1) open action was addressed.
ACTION 20170831-01: Chair to ask all “voting-only” members for the timeline for their participation and provide input to the next meeting.
The voting only candidates were contacted with mixed responses on their progression toward eduGAIN participation. Turkey/YETKIM (no response), New Zealand/Tuakiri (don't see the benifits of fully participating at this time), Italy/GridIdP (desire to participate with a service that wants to extend to eduGAIN so there should be movement in the coming months).This action will remain open and be tabled for the next meeting with a broader scope based on "low participation" that should include meeting attendance, voting, assessment of peer federations and other suitable metrics.
Current status - New members and candidates: See https://technical.edugain.org/status and work on progressing new members is underway.
The hanging issues from members and participants was continued from the above open action.There are a range of issues on raising the bar for identity federations, some of which will be discussed later, and that a fuller discussion is needed.
The chair raised the phenomenon of 'twin Federations' with expressed of interest from 3 territories (China, Oman and Russia) that already have a federation (or application underway). It was reiterated that membership of eduGAIN is not for national identity federations but for those primarily engaged in Research and Education and that the existance of schools federation, multiple research networks, funding agencies and the like within our community could result in multiple federations from a single territory. There was no concern nor further discussion.
The use of the eduGAIN-Discuss mailing list for membership matters had none of the downsides raised at previous meetings and was regarded as a success and should continue.
Shannon Roddy from Internet2/InCommon presented on their work on the applicability of the ROBOT Attack against the backchannel connection to Shibboleth instances. His presentation is available as a PDF.
From the presentation and discussion there were some clear themes, such as only paying attention to "brand name" vulnerabilities, the need for security contacts and incident response lines of communication setup prior to a problem, remediation of this (and other issues) and the role of eduGAIN support.
The #slack channels available for eduGAIN can be used for this and while more than 130 accounts exist on this platform it isn't universal. Federation email contacts should be approached to enquire about specific Security contacts.
Nick Roy raised the issue of this remidation only focusing on InCommon and while the total affected IdP population was small the remaining eduGAIN (and wider federation community) wasn't approached and federations should take specific measures to look at their own membership.
Lukas remarked that eduGAIN Support started contacting federations regarding other operational issues.This practice was welcomed and federation operators would me contacted or included in communication directed at specific endpoints.
Chris Phillips stated that responsible disclosure is Good™ and wheteher there were specific Guidelines from the Steering Group on this? A #slack channel for discussion on this topic was created initially with Shannon, Nick, Chris and Pål to report back at a future meeting.
Revision of the eduGAIN Policy Framework
Nicole stated that the SAML2 WebSSO profile work was still being drafted based on community input. The two remaining issues are:
- The ability of ADFS to adhere to the Metadata Interoperability Profile.
- The requirement for RegistrationInstant. The decision was to drop it as there were zero concrete reasons for its use.
Further investigation of point #1 is still required at this point in time. An update will be available at the next SG meeting.
Any Other Business
There was a request for OIDC Federation work to be presented at a future SG meeting, espcially since the last revision of the Policy Framework was to make it protocol agnostic. The Chair reminded everyone that supporting Moonshot Technology was the original driver for this but work on federated OIDC has overtaken that work. Chris noted that as a community we risk falling behind the curve if we aren't aware of the issues and progress in this space. Suggestions for presenters was made and it will be tabled in the next SG meeting to support a discussion of a roadmap for OIDC inclusion.
No issues with the future meeting schedule was raised.