eduGAIN Steering Group Meeting
Tuesday 13th November 2018, 13:30 - 15:00 CET
Please note that the above time is CONFIRMED.
Arrival & "Can you hear me now?" (see Connection Details)
Welcome, Introductions & Agenda Agreement
Membership Updates and Joining
eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)
Future SG Meetings
Any other business, Summary and Actions
Meeting Close (or we are running over time).
- SIP: email@example.com
- Slack: https://eduGAIN.org/slack
Federations in Attendance (29)
- Grid Identity Pool
- Brook Schofield, GÉANT
- Pascal Panneels, Belnet
- Davide Vaghetti, GARR/IDEM
- Muhammad Farhan Sjaugi, SIFULAN
- Sten Aus, TAAT
- Esmeralda Pires, RCTSaai
- Péter Molnár, eduID.hu
- Donald Coetzee, SAFIRE
- Guy Halse, SAFIRE
- Nick Roy, InCommon
- Wolfgang Pempe, DFN-AAI
- Miroslav Milinovic, AAI@EduHr
- Jiří Bořík, eduID.cz
- Rhys Smith, UK federation
- Maja Gorecka-Wolniewicz, PIONIER.Id
- Lukas Hämmerle, SWITCHaai
- Alex Mwotil, RIF
- Zenon Mousmoulas, GRNET
- Halil Adem, GRNET
- Anass Chabli, FER
- Anastas Mishev, AAIEduMk
- Andria Dionysiou, CIF
- Aouaouche El-Maouhab, ARNaai
- Chris Phillips, CAF
- Julie Menzies, CAF
- Davide Vaghetti, GARR
- Marco Fargetta, Grid Identity Pool
- Pål Axelsson, SWAMID
- Saeed Khademi, IRFed
- Timo Mustonen, HAKA
- Toby Chan, HKAF
- Tomasz Wolniewicz, PIONIER.Id
- Valentin Pocotilenco, LEAF
- Zivan Yoash, IIF
- *Marina Adomeit, SA2 Activity Leader
- Peter, ACOnet (mandatory internal meeting)
- Alejandro Lara, REUNA (Internal meeting)
- Nicole Harris, GÉANT
- Scott Koranda
- Raja Visvanathan, INFLIBNET
- Nicholas Mbonimpa, RIF
- Simon Green, SGAF
Welcome, Introductions & Agenda Agreement
The Chair welcomed everyone to the 7th meeting of 2018.
For details on new members and candidates see https://technical.edugain.org/status; work on progressing new members is underway.
Outstanding Issues with Federations
The three (3) outstanding actions will remain outstanding.
Nick stated that InCommon have a new engineer... are not able to modify members' metadata without positive action by participants. Working to address this.
CAF - is looking at the lack of their MRPS.
Guy asked why the existing validator exists and why the new validator can't be visible to send the correct message to federations. About using "why" and Tomasz's answer - backed by Nick and Rhys. Guy clarified that there are warnings that are not issues in the new validator.
SIFULAN/Farhan - what to do about their key?
Chris - clarified that it is only for upstream metadata.
Guy asked about ECC certificates. Stefan has tried that. Maja to clarify if the MDS+Validator can do this. Rhys says that ..... Guy has a scenario with HSMs that don't support >2k RSA keys and ECC - smaller new federations might want to use USB-based HSMs (Nitrokey, CryptoStick, et al) to gain experience before investing in more costly ones, and many of these still only support 2K keys but do also support ECC, so a 3K restriction rules out HSMs. So ECC is a path forward. Rhys said that this should be started and there can be a phased approach to move toward endpoint testing/support for ECC certificates.
[ACTION] Brook to confirm with Maja the readiness of the MDS+Validator for ECC support.
Nick stated that HAKA requires signed authentication requests from SPs and this could cause some interoperability problems and isn't included in the next version of SAML2Int.
Timo clarified that this message was a request from the HAKA Steering Group and wasn't universally supported by the HAKA team. They want services to adopt eduGAIN.
Nick stated that the REFEDS Service Catalogue paper released by Heather could be used to highlight services.
Chris Phillips stated that use of eduGAIN within CAF is significant but they want it to be increased and improve the knowledge of reachability of services for key researchers (not just overall volume of users).
Miro stated "Catalogue for End Users". Chris suggested "Service Directory". Nick Roy said a quick win could be the adding of search over MDUI Display Name within MET. Tomasz said that the eduGAIN entities database has this feature but lacks URLs. Nick also suggested that having a button/form to request services being exported to eduGAIN could also be made available. Chris Phillips stated that some members of CAF have had the issue that there are services that aren't accessible (because they aren't in eduGAIN). Nick mentioned the ability to decorate entries within MET. Once we have a repository of this data we could drive discovery services via those feeds.
REFEDS 2019 work plan is being prepared.
Common requests for "what's in eduGAIN" from federation.
Scott Koranda is unable to join today's meeting. There are regular SIRTFI conference calls co-ordinated by Tom Barton. At the last call (last Thursday) there was a request to send this information to the eduGAIN SG for their comment on whether the output of the SIRTFI+ registry is likely to be ingested into eduGAIN (or how would federations make this available). The TechEx SIRTFI presentation slides are also available to inform the SG of the progress of SIRTFI and SIRTFI+ registry work.
Rhys stated that SIRTFI+ creates an attack point that undermines the integrity of the federation trust model. .... "merging" the metadata isn't possible in any software. The order of import is important - but it is unknown in various federation tools.
Nick Roy - if the SIRTFI decoration is imported into eduGAIN then the entity isn't decorated in their home federation.
Chris - there are a lot of unknowns in the area of this registry. "Sympathetic" tagging of R&S in CAF if they see it tagged in another federation.
Chris asked about SIRTFI for OIDC? No, or at least not yet. Davide is aware and it will likely be future work.
Rhys is going to deep dive into the SIRTFI mailing lists.
Davide stated that this is a real problem.
Nick said for both of the SIRTFI simulations there was a need to get in touch with the federation security contact. Adding a security contact to technical.edugain.org
Should this be a URL or an email address (mailto:) or (tel:)?
Pål asked whether we do SIRTFI for the federation?
It seems to be
REN-ISAC is the group that co-ordinates R&E security coordination for the InCommon community with almost.
- collect the security contact information (up to 3 values - URL, phone, email)
- look at the overlap between Trusted-Introducer ...
Autopopulation of the security contact with contact email address? No.
Miro stated that if there are 2 options ....
- ACTION-TBA: TBA
There are no further meetings in 2018.