Baseline LoA

• [Peter S] We need to be careful about making sweeping statements without precision, e.g. password validity rules – we should be specific! Otherwise it will result in chaos.
• Could potentially have an opt-out system for when a federation's own policies are equal to or more restrictive than the minimal LoA, e.g. Jisc could add 600 IdPs in bulk.
• Difficult to judge whether existing policies cover the LoA baseline.

Sirtfi

• Current state is that we have published v1.0 and are registering it with IANA.
• Next step is to start putting it into practice – there is a training package underway.
• Sirtfi is an assessment at the organisational level, not per session.
• Still do not like the implied ITIL acceptance, and TLP – could lead to opposition or reluctance.
• Unlikely that federation policies already cover this – will have to operate opt-in.
• Filtering on Sirtfi could result in many "lost" tickets and confused users – will have to have a very clear error message, or state the reason for non-compliant orgs not featuring in the list.
• Why do we need this over CERT teams? Some organisations are not covered, and CERT teams do not span the entire eduGAIN network.
• Who is putting the extensions into metadata? Likely to be filtered out, so we certainly need Fed Ops to be aware, and it should probably be them doing the metadata extensions centrally – we need their buy-in.

Self-Assessment Tool

• Concern over how we will register the correct people to perform self-assessments – who will assign these? Not scalable in larger federations.
• Peer review not required for Sirtfi, but probably for others.
• How do we assign peers? Balance between vested interest and bias.
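The "filtering on Sirtfi" point above is easiest to see in code: an SP or discovery service that hides IdPs lacking the Sirtfi entity attribute should at least record why each one was excluded, so the "lost ticket" has a reason attached. The following is an added illustration, not code from the meeting or from any federation operator; the entity-attribute name and the Sirtfi value are the ones REFEDS publishes, while the entityIDs and the metadata aggregate are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed sample aggregate: the first IdP asserts Sirtfi, the second does not.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_ATTR}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def asserts_sirtfi(entity):
    """True if the EntityDescriptor carries the Sirtfi assurance-certification value."""
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_ATTR:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if SIRTFI in values:
            return True
    return False


def filter_idps(metadata_xml):
    """Split IdPs into those shown in the discovery list and those excluded, with a reason."""
    root = ET.fromstring(metadata_xml)
    shown, excluded = [], {}
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and AAs are not candidates for the IdP list
        eid = entity.get("entityID")
        if asserts_sirtfi(entity):
            shown.append(eid)
        else:
            excluded[eid] = f"{eid} is not shown: it does not assert the Sirtfi entity attribute ({SIRTFI})"
    return shown, excluded
```

The `excluded` map is what the helpdesk needs when a user reports that their institution is "missing": the IdP is in the aggregate, it just does not carry the extension Fed Ops would have to add.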