Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add and link to copy of slides

...

David Groep, DG (Nikhef)

Peter Schober, PSc (ACONETACOnet)

Yannis Mitsos, YM (GRNET)

...

Peter Szegedi PSz

John Dyer JD

 

1. Wecome agenda bashing and Approval of last meeting minutes - Valter

Valter welcomed the participants.

...

Ref.

Status

Who

Action

Comment

20140219-6

CLOSED

TTC

Re-consider a joined task force meeting in 2016

To be revisited if needed later on

20141105-01

OPEN

 

JD

PDOs

Improve TFs’ communication by using (TERENA) social media channels in a coordinated way

 

a) a strategy to reach the unknowns

(Comms staff - JD to share some ideas during the next TTC);

b) a way to make the outcome of the community work easy to read for everybody.

Each PDO is encouraged to share the main results of the TFs via social medias.

 

20150210-1

 

CLOSED

AS

1. AS to convey the comments of the TTC to the ISM SIG Steering Committee

2. TTC to continue this discussion online

The SIG is now an open group as per TTC recommendation.

20150210-2

OPEN

LD

Follow up on the news item about the EGI pilot for the Connect magazine

LD was not at the meeting

20150210-3

CLOSED

TTC

Consider the list of topics for the TAC, consult home organizations, discuss the topics during a separate meeting

TTC meeting (VC) regarding TAC topics: 9 March 14:00-16:00

 

2. Report from the Advisory Committee Meeting held during TNC and on TNC in general  - Valter,Licia and Peter

VN reported about the last TAC meeting. The meeting was not very interactive, despite some efforts to involve the participants. Clearly a different format is needed to make these meetings more effective. VN noted that the format and the existence of the TAC are being considered as part of the revision of the whole former TERENA Technical Programme.

...

  • No objections were raised toward the greenhouse project. Plans are to continue this project in Due to lack of resources, the only option to establish a Greenhouse framework would be via a partnership with an existing company that can provide the necessary infrastructure to maintain sustain open-source productproducts.
  • Afrodite’s  talk about the lightweight adaption of operations / business support systems (OSS/BSS) architecture developed at GRNET provided some interesting inputs for discussion.  There was some interest although no concrete follow up.

...

The general feeling was that side meetings are very valuable to TTC members and to many community members. TNC format could be changed to accommodate this need better.ACTION

Recommendation: The TTC recommends TNC to consider a format where more side meetings are possible. Options could be to close the formal conference one day earlier and use the Thursday for WG meetings only.

Michael Enrico reporter reported about his conversation with Florence Hudson, the new I2 Chief Innovation Officer, and the innovation package she is working on. I2 seems to be more interested in the Internet of Things (IoT)  compared to the GÉANT community. ME noted that the EC has also allocated significant funding to develop IoT; several EU cities have benefited from that and have become ‘internet ready’.

...

YM noted that there is a lot of interest in SDN; it is up to GÉANT to implement the recommendations in this place. 

RE noted that there is a sufficient interest for next generation network discussion that could justify a SIG-NGN.  In light of the new H2020 a SIG could also be useful to spin off discussions on the preparation of open calls proposal (which are expected to become much more cross e-Infrastructures than what happened in the past) or other community projects.

ACTION: RE to start the preparation for the SIG-NGN

3. Updates on GEANT (the association) work

  • TFs/SIGs updates

    • TF-MNM - NH noted that the Task Force is running out of enthusiasm ; and suggested that when this its charter expires we should think of moving tf-mnm to a SIG which would fit more the way the current group operates. The current charter is still the reference under which the group operates, although there is no real concrete output.

      The TF is working closer to eduroam global governance committee and this has provided useful feedback to both groups; it brings the GeGC closer to more concrete aspects of the operations of eduroam as a global service.

      There are less face-to-face meeting lately and more topic-based videoconference, for which there is a lot of enthusiasm.   

    • TF-CSIRT/TI - NH noted that TF-CSIRT is a different type of task force, in fact the name task force is probably not really fitting this group . The trusted introducer service and transit report to this TFas the Trusted Introducer service and TRANSITS training  are part of the TF-CSIRT service umbrella.

      There is a review ongoing of Trusted introducerIntroducer, to evaluate if it is still offering the right services to the community  as well as the way in which the service is procured.

      NH reported on the feeling (only shared by some of the TF-CSIRT participants) that TF-CSIRT can operate independently from the GÉANT. This seems to reflect more the be based on some underestimation on what GÉANT offers and the support provided offer in terms of support and coordination not only in organising the meetings (which are mini-conferences) but also in preparing minutes and handling administrative work.

    • TF-MSP - JD reported on the work of TF-MSP. One of One of the main area of work is the aggregate procurement approach that is gaining significant consensus; there is already collaboration with the service activity in the GÉANT project that procures clouds services. Plans are to expand the framework beyond clouds.

      Another aspect of interest is NRENs Acceptable Use Policy, which is covered for the network services, but it should be expanded to encompass all other services.

      The task-force is healthy and there is still significant attendance and participation during the meetings. There is a lot of interest in the output but not a lot of engagement from the whole group to work towards these outputs. Most of the work seems to fall on a few people. This seems to be a trend in many other activities.

    • TF-WebRTC - PSZ reported that one of the main area of The TF work is the aggregate procurement approach that is gaining significant consensus; there is already collaboration with the service activity in the GÉANT project that procures clouds services. Plans are to expand the framework beyond clouds.

      Another aspect of interest is NRENs Acceptable Use Policy, which is covered for the network services, but it should be expanded to encompass all other services.

      The task-force is healthy and there is still significant attendance and participation during the meetings. There is a lot of interest in the output but not a lot of engagement from the whole group to work towards these outputs. Most of the work seems to fall on a few people. This seems to be a trend in many other activities.

      linked to the counterpart Service Activity in the GÉANT project (Real-Time Applications and Multimedia Management), in fact the TFs can be considered the outreach of the GÉANT-funded WebRTC work.

      There is interest in some NRENs in open source solutions 1  (JITSI). Work to this extend is being carried out as a joint effort  in the task force and the service activity in GÉANT with the aim to implement an open source platform. The idea is to create a trust an API on top of the secure and trusted WebRTC platform operated by GÉANT. Plans are also to use the task force to create and hackathon to reach out more developers.

      PSz said we should focused on the GN3plus EC review recommendation “the network is not so interesting but the applications on top of that are”.

    • TF-STORAGE - PZs reported that the TF-STORAGE - PSz The task force is business as usual. There was a gathering at TNC targeted at both the industry and the GÉANT Community. OwnCloud and Zettabox (they work similarly to dropbox but they are EU-based) attended the meeting and presented as well. Aconet, University of Vienna and SWITCH seem to be interested in Zettabox . The plan is to offer that under the  GÉANT cloud service catalogue: https://catalogue.clouds.GÉANT.net/#/cloudservices

      The TF-Storage is moving more and more towards cost effective storage. Things like the OwnCloud Agreement and FileSender are out of the task force.

    • SIG-ISM - AS reported that the SIG-ISM has accepted to reopen the group to all parties interested in ISM, which in principle makes the group to operate available for participation beyond the NRENs .community. The aim of this SIG is to create a community of security management professionals in the NRENs and to discuss security management and security standards at NRENs level.

      In the last months the SIG has been particularly In the last months the SIG has been particularly active. On the 12th and 13th of May the 1st official workshop was held at the Imperial College in London which was both well attended and received.

      Collaboration with REFEDS has been established and an ongoing one has also started with SCI ( Security for Collaborating Infrastructures)

      The two groups are organizing a joint workshop about security for the 2nd half of October in Barcelona.

    • SIG-NOC - PSz highlighted the SIG-NOC charter the TTC was asked to approve. The aim of SIG-NOC is to create a forum where experts from the community exchange information, knowledge, ideas and best practices about specific technical or other areas of business relevant to the research and education networking community. The group has been shaped following TF-CSIRT model and TRANSIT (train the training), but follows a more light-weighted approach.

      There are a set of KPIs included in the charter to evaluate the performances of the group in one year time.
      RE commented to break out the specific SIG content from the more general part of the SIG template. DG was pleased by the involvement of other networks together with the NRENs.

      The TTC approved unanimously the charter.

  • Services updates
    • Open Cloud mesh (PSz) - Owncloud is active in the Open Cloud mesh, the initiative to interconnect different owncloud instances. OwnCloud has promised to realise the code very soon to the TF.

      Q; Is anyone tracking installation for OwnCloud?

      A: OwnCloud has an agreement with GÉANT but they have bigger customers that are handled independently. We do track the installation that are under the agreement. There is also a closed OwnCloud developer group, for those that are doing development on top of OwnCloud.

  • TCS - TCSis since the July 1st in production.

AS noted that DigiCert collaboration is working smoothly. There a was a meeting during TNC to present the new system, which went well. Although the current DigiCert managed portals uses the same attributes that were released before to confusa, some people feel uncomfortable releasing attributes to DigiCert now.

AS, with the support of the PMT, is working to make it clear to federations and IdPs that the legal framework in place is legally sound for them to release attributes. The service work very well, the support is very good.

  • Trusted Introducer (NH)

 

4. Global initiatives and Projects - For INFORMATION

...

5. Events

    • EWTI, and others relevant events coming up

 

6. TTC Members updates (check whether to move this)

    • Round table from the TTC
    • Presentation from Peter Schober 

 

...

    • Alf Moens (SURFnet) gave a presentation of the SIG during the last REFEDS meeting with the aim to raise awareness on the group, which could provide support for federations and any identified security risks. 

      The SIG as part of their outreach has also established a communication with the Security for Collaboration Infrastructure group (SCI, https://www.eugridpma.org/sci/) a collaboration of security staff from several large-scale distributed computing infrastructures, including EGI, OSG, PRACE, wLCG, and XSEDE. The two groups are organizing a joint workshop to be held in the 2nd half of October in Barcelona.

    • SIG-NOC - PZs presented the aim of SIG-NOC, that is to create a forum where experts from the community exchange information, knowledge, ideas and best practices about specific technical or other areas of business relevant to the research and education networking community. The group has been shaped following TF-CSIRT model and TRANSIT (train the training), but follows a more light-weighted approach.

      There are a set of KPIs included in the charter to evaluate the performances of the group in one year time. RE commented to break out the specific SIG content from the more general part of the SIG template. Staff commented that the specific ToR were indeed an instantiation of a generic template that would be reused in all similar cases. DG was pleased by the involvement of other networks together with the NRENs.

      ACTION: PSz to inform the team the TTC approved the SIG-NOC unanimously

  • Services updates

    • Open Cloud mesh (PSz) - Owncloud is active in the Open Cloud mesh, the initiative to interconnect different owncloud instances. OwnCloud has promised to release the code very soon to the TF.

      In response to a question on whether the installion code cof OwnCloud is tracked, PSz answered that OwnCloud has an agreement with GÉANT; however they also have bigger customers that are handled independently. We do track the installation that are under the agreement. There is also a closed OwnCloud developer group, for those that are doing development on top of OwnCloud.

    • TCS - TCSis since the July 1st in production.
      AS noted that DigiCert collaboration is working smoothly. There a was a meeting during TNC to present the new system, which went well. Although the current DigiCert managed portal uses the same attributes that were released before to confusa, some people feel uncomfortable releasing attributes to DigiCert now.
      AS, with the support of the PMT, is working to make it clear to federations and IdPs that the legal framework in place is legally sound for them to release attributes. The service works very well, the support is very good.
    • Trusted Introducer (NH) - The trusted Introducer service is working smoothly. There is a review of the whole service on going which follows a two-phases approach: phase1: May-December and  phase2: Jan-May 2016. More information will be provided at the end of the review process.

4. Global initiatives and Projects - For INFORMATION

AARC – LF gave an update on the AARC project, which started on May 1st and will run for two years. The first couple of months have been mostly spent on preparing the detailed work plans and on forming the teams. The kick off meeting took place at the beginning of June; it was clearly a very high level meeting, where the various WP leaders presented and validated their initial ideas.

There area two deliverables due at the end of July: one on technical requirements that AARC should focus on to design the integrated architecture and the other on training.

SGA1 (GN4) –GN4 is progressing well; lots of preparation is being spent on the phase two which is expected to start in may 2016.  PDOs are involved in the following activities:

  • Coordination of the service activity Real Time Application and Multimedia management – PSz
  • There is a new task (Harmonisation), led by NH, which is part of the service activity Trust and Identity Service Development (coordinated by Ann Harding). This task is about looking at some of the requirements and their implications on the IdPs. This offers also an opportunity to link the eduGAIN policy work, the enabling users work and other relevant GÉANT work to REFEDS.
  • eduGAIN service coordination led by Brook.

REFEDS – REFEDS celebrated this year its 10th anniversary. The group is very healthy, there is a lot of discussion on the list and a lot of work to be supported. The work plan is available on the REFEDS wiki as the rest of the material. NH is working with Heather Flanagan to kick of some additional work in the area of virtual organisations and groups. For more information please refer to:

https://wiki.refeds.org/display/WOR/2015+REFEDS+Workplan

5. Events

EWTI - In line of the open actions to cluster events, GÉANT is supporting the preparation of the next EWTI (European Workshop Trust and Identity) which will take place in December. There will be co-located events, such as a REFEDS BoF to prepare for the next workplan and a eduGAIN town hall meeting.

The EWTI event is totally organised by Identinetics GmbH, led by Rainer Horbe. GÉANT main contribution is in the promotion of the event to bring our community there; in return GÉANT community should benefit of some contacts with the government that Rainer has gained during his work as consultant. A one year MoU has been signed between the Amsterdam Office and Identinetics GmbH, with the aim of supporting the EWTI and event and to co-locate relevant events . An evaluation will follow to decide on how to continue in the future.

Technology Exchange I2 – There will be a main REFEDS event on Sunday before the Technology Exchange meeting starts. Furthermore LF has submitted a request for a WG session to discuss about Sirtfi and assurance. AS has also submit a request for a session to discuss about community requirements as input for the current AARC project as well as consultation for the preparation of the next one.

6. TTC Members updates 

A round table of the TTC members followed.

Vicente Goyanes – It would be helpful if GÉANT could gather and share more information on NRENs international activities and if this information could be shared among universities. As we move towards services a closer interaction among campuses and with campuses and NRENs is needed.

Having the knowledge that the same service is available other countries can trigger discussion on how to access them and how to harmonise them.

JD showed the service matrix (https://compendium.terena.org/reports/nrens_services) , developed as part of the Compendium. This was extremely well received by the TTC. Thanks for Christian Gijtenbeek (developed it) and Jessica Willis for this result.

Recommendation: The TTC recommends promoting service matrix widely and to make it easily accessible via the GÉANT website.

Recommendation: The TTC recommends GÉANT management to expose any other relevant results coming from GÉANT activities at GA level to ensure they are known (and hopefully supported) by the decision makers.

Davig Groep – DG noted the high expectation in AARC on what it can achieve. We should manage this expectation so that communities will not be disappointed.  DG noted that AARC should look at a mechanism to address some general questions coming from the user communities. As an example he referred to a question asked on the RFEDS lists from CERN, which triggered long and convoluted answers, whereas a simple question could have been provided.

Valter  Nordth– Supporting GÉANT in updating the terms of reference for the technical programme. Plans are to present a draft for the next GA in September. Some TTC members’ terms have expired; Valter proposed to prolong the expired mandate until the end of 2015.  No objections were raised.

Peter SchoberIDM Issues in the R&E community

As part of the more in depth area presentation each TTC member offers, PSc gave an overview of the authentication and authorisation practices in the R&E community.

PSc, as part of the more in depth area presentation each TTC member offers, gave an overview  of  the authentication and authorisation practices in the R&E community.

There is still a lot of phising  despite users being asked to use more and more  complex passwords. Mitigation for this are strong authentication, 2-factor authentication, multi-factor authentication, which in practice means a combination of independent authentication practices.

Ubikey and Google have championed 2-factor authentication, that basically uses established technologies and protocols that are integrated in the browser.

Most of the requirements for 2-factor authentication come from the users in the attempt to protect their passwords rather from the resources.

Despite what many believe, the second factor authentication is not really a way to increase the assurance that the credentials are used by the good people. To elevate the insurance other means are needed, i.e. verified process etc. which normally bring up the authentication costs.

A problem institutions still face is the request for password reset, which is still a time consuming operation. To date there is no fully automated way to do that as the new passwords have to propagated into the different databases.

PSc touched upon authorisation, which presupposes the user has been previously authenticated.

Identity management in the academic space is very complex as there are lots of different roles (and a combination of them at different levels) to handle. For some services authentication and authorisation overlap, but in general this is not a good practice. Commercial companies are expanding the authentication process with data mining, taking into account an ever growing list of contextual and environmental factors (OS, browser fingerprinting, IP addresses, geolocation, etc.)

Academic licenses can be complex so it is very difficult to translate them into operational procedures. An example of this is Clarin where the authorisation parameter chosen is to allow access to resources to "academics". They basically mapped a grant of rights limited to specific uses ("for educational, teaching or research purposes") into an authorisation process, not realising that there is no generally agreed upon concept (nor machine-consumable information in institutional IDM systems) for "academic". This approach is causing problems, as it's based on a fundamental misconception: No IDM process/authorisation attribute can ever give the license holder the assurance that the subject accessing the resource will be using it in accordance with the license terms.

PSc also touched upon provisioning, the process to make sure that data to be used in distributed environments are available in different places. One approach is to push the data to all applications for when they are needed ("just in case"); this model has issues with federated approaches as the number of applications might be huge, rapidly changing or unkown in advance.. The other approach is to provision the data when needed ("just in time"), which has issues with authorisation (e.g. authorising someone can only happen after they has been provisioned a local account for a person), resulting in awkward workflows. E.g. having to ask (and wait for) a group of people to log in to a system first (in order to get their accounts provisioned "just in time"), at which point those subjects do not have access to the resource, and then authorise them later (and ask the subjets to return after they have been properly authorised).

De-provisioning is normally not properly done, though there's some support in the protocols used; the general approach followed is to reset the password at the Identity Provider (and leave the data at SPs to rot).

The last part of the talk covered attributes and its usage. Typical problems in this area:

    • Agreeing on the syntax and semantics
    • The complexity of storing and processing Humans names from different cultures
    • Identifiers and their many properties
    • Who gets the attributes the IdP releases
    • Who decides based on what.

Currently the R&E community is using two main approaches or even a mix of them: a risk-based approach (REFEDS R&S) vs a full compliance one (GÉANT CoCo).

Lastly Peter touched upon eduGAIN and related services offered by GÉANT. Thanks to the work done by the community within the GÉANT project and within REFEDS, it is now much easier for an NREN to create a federation: there's a federation policy template, best practice documents, there is FaaS (video showcase) that offers a SAML entity registry, metadata aggregation, plus secure signing with a HSM (which makes support for local installation impossible), information on entity categories, discovery documentation and so on. 

PSc’ s presentation covered many interesting aspects; some TTC members asked which areas NRENs are really focusing on. 

ACTION: Peter to review his slides and distill what is being worked on and what is not being worked on.

 7. Next Meetings

There will be two upcoming meetings:

-       September 30th - a videoconference meeting to report on the revised technical programme

-       November 24th – Face-to-face meeting

ACTION: DG to report on operational aspect of service provisioning across e-Infrastructures during the next f-2-f TTC.

8. Summary of the ACTIONS and RECCOMENDATIONS

Ref.

Status

Who

Action

Comment

20140219

20150708-

6

01

Closed

OPEN

TTC

Re-consider a joined task force meeting in 2016

To be revisited if needed later on

20141105-01

OPEN

 

JD

PDOs

Improve TFs’ communication by using (TERENA) social media channels in a coordinated way

 

a) a strategy to reach the unknowns

(Comms staff - JD to share some ideas during the next TTC);

b) a way to make the outcome of the community work easy to read for everybody.

Each PDO is encouraged to share the main results of the TFs via social medias.

 

20150210-1

 

CLOSED

AS

1. AS to convey the comments of the TTC to the ISM SIG Steering Committee

2. TTC to continue this discussion online

The SIG is now an open group as per TTC recommendation.

RE

To start the preparation for the SIG-NGN

 

20150708-02

OPEN

PZs

To inform the team the TTC approved the SIG-NOC unanimously

 

20150708-03

OPEN

PSc

To review his slides and distil what is being worked on and what is not being worked on by the NRENs

 

 

20150708-04

OPEN

DG

To report on operational aspect of service provisioning across e-Infrastructures

 

20150210-2

OPEN

LD

Follow up on the news item about the EGI pilot for the Connect magazine

LD was not at the meeting

20150210-3

CLOSED

TTC

Consider the list of topics for the TAC, consult home organizations, discuss the topics during a separate meeting

TTC meeting (VC) regarding TAC topics: 9 March 14:00-16:00

...

 

The following reccomendations are noted:

  1. Gyöngyi Horváth and the TNC team to consider a format for TNC where more side meetings are possible.

  2. JD and GÉANT Management to promote the service matrix widely and to make it easily accessible via the GÉANT website.    

  3. GÉANT management to expose any other relevant results coming from GÉANT activities at GA level to ensure they are known (and hopefully supported) by the decision makers.

     

1 RENATER, NIIF, NORDUNET/SUNET, PSNC