Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Peter, ACOnet (mandatory internal meeting)
  2. Alejandro Lara, REUNA (Internal meeting)
  3. Nicole Harris, GÉANT
  4. Scott Koranda
  5. Raja Visvanathan, INFLIBNET
  6. Nicholas Mbonimpa, RIF
  7. Simon Green, SGAF

Draft Notes

Welcome, Introductions & Agenda Agreement

...

The three (3) outstanding actions will remain outstanding. They have due dates in 2019 and are being actively worked on.

Membership Updates and Joining

The eduGAIN Compliance Issues are being worked through and we are making progress on support for the SAML2 profile being mandated.

Nick stated that InCommon have a new engineer ... not are and a major impediment to their support is not being able to modify members metadata without positive action by participants . Working and there is work ongoing to address this.

Chris reported that CAF - is looking at the their lack of their an MRPS.

Guy's question about questioned why the existing validator exists and why can't the new validator be visible to send the correct message to federation. about using About the "why" and Tomasz answer - Tomasz answered that there are legacy rules for existing participants but this will be rolled forward once everyone is ilne. This approach was backed by Nick and Rhys. Guy clarified that there are warnings that are not issues in the new validator and the OT will investigate and remove inconsistencies between the two.

SIFULAN/Farhan - asked about what to do about their key?Chris - clarified that it they should do regarding the SIFULAN signing key. While no immediate action is requried advice was given by the community with Chris clarifying that any change is only for upstream metadata.

Guy asked about ECC certificates. Stefan has tried that. Maja to clarify if the MDS+Validator can do this. Rhys says that ..... questioned by ECC rather than 4k keys? Guy has a scenario with his HSMs that dondoesn't support >2k RSA keys and but does support ECC - smaller new federations might want to use USB based HSMs (Nitrokey, Cryptosick, et al) to gain experience before investing in more costly ones, and many of these still only support 2K keys but do aslo support ECC, so a 3K restriction rules out these HSMs. So ECC is a path forward. Rhys said that this should be started and there can be a phased approach to move toward endpoint testing/support for ECC certificates.[ACTION] Brook


...

eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)

Based on the email by the Haka federation to the eduGAIN-SG Mailing List on 5th October there was a discussion about eduGAIN "the brand".

 * Nick stated that HAKA requires signed authentication requests from SPs and this could cause some interoperability problems and isn't included in the next version of SAML2Int.

Timo clarified that this message was a request from the HAKA Steering Group and wasn't universally supported by the HAKA team. They are wanting services to adopt eduGAIN.

Nick stated that the REFEDS Service Catalogue paper released by Heather could be used to highlight services.

...

Miro stated "Catalogue for End Users". Chris suggested "Service Directory". Nick Roy said a quick win could be the adding of search over MDUI Display Name within MET. Tomasz said that the eduGAIN entities database has this feature but lacks URLs. Nick also suggested that having a button/form to request services being exported to eduGAIN could also be made available. Chris Phillips stated that some members of CAF have had the issue that there are services that aren't accessible (because they aren't in eduGAIN). Nick mentioned the ability to decorate entries within MET. Once we have a repository of this data we could drive discovery services via those feeds.

The REFEDS 2019 work plan is currently being prepared. Common requests for "what's in eduGAIN" from federation will be taken on board in the next iteration of the GÉANT project (GN4-3 to start in 2019).

SIRTFI

Scott Koranda is unable to join todays meeting. There are regular SIRTFI conference calls co-ordinated by Tom Barton. At the last call (last Thursday) there was a request to send this information to the eduGAIN SG for their comment on whether the output of the SIRTFI+ registry is likely to be injested into eduGAIN (or how would federations make this available). The TechEx SIRTFI presentation slides are also available to inform the SG of the progress of SIRTFI and SIRTFI+ registry work.

Rhys stated that SIRTFI+ creates an attack point that undermines the integrity of the federation trust model.   .... The act of "merging" the metadata isn't possible in any software. The order of import is importand  - but it is unknown in various federation tools but the handling of this isn't consistent between tools.

Nick Roy - stated that if the SIRTFI decoration is imported into eduGAIN then the entity isn't decorated in their home federation.

Chris - said there are a lot of unknowns in the area of this registry. "Sympathetic" tagging of R&S in CAF if they see it tagged in another federation.

...

Rhys is going to deep dive into the SIRTFI mailing lists to understand their goals/posture. Davide stated that this interferring with the integrity of a federation is a real problem.

Nick said for the both of the SIRTFI simulations there was a need to get in touch with the federation security contact. Adding a security contact to technical.edugain.org is important.

Questions were asked on whether this should Should this be a URL or an email address (mailto:) or (tel:). Pål asked whether we do SIRTFI for the federation?

It seems to be

RENISAC (spelling) is the group that co-ordinates R&E security coordination for the InCommon community with almost universal coverage.

Goals for security contact information is to:

  1. collect the security contact information (up to 3 values - URL, phone, email)
  2. look at the overlap between Trusted-Introducer ...listed CSIRTs and eduGAIN member federations.

Autopopulation of the security contact with contact email address ? No.

Miro stated that if there are 2 options ....

...

  •  ACTION-TBA: TBA

TOPIC...

...

isn't acceptable as the security contact should at least understand TLP for sharing information.

Future meetings

There is no further meetings in 2018.