Versions Compared

Old Version 20

changes.mady.by.user Davide Vaghetti

Saved on

compared with

New Version Current

changes.mady.by.user DAVE MIFSUD

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Table of Contents
outlinetrue
stylenone

eduGAIN Steering Group Meeting

Tuesday 5th March 2019, 17:30 - 18:30 CET (in your timezone)

Please Note that the above time is CONFIRMED.

16:15 UTC
17:15 CET

Arrival & "Can you hear me now?" (see Connection Details)

16:30 UTC
17:30 CET

Welcome, Introductions & Agenda Agreement

16:40 UTC
17:40 CET

Membership Updates and Joining
    • 60 participant members / 4 members / 11 candidates
    • New Members (1)
      • Turkey (participating)
    • Candidates Under Assessment (2)
      • China/CARSI (to be scheduled)
      • Romania/RoEduNetID (to be scheduled)
    • New Candidates (2)
      • Sri Lanka/LIAF
      • Malta/RicerkaNet Identity Federation
    • https://technical.edugain.org/status.php
16:50 UTC
17:50 UTC

eduGAIN MDS Certificate Rollover

    • Update from the OT on Certificate Expiry (1 July 2019)
    • Suggested changes (short term)
    • Key Signing Ceremony (long term)
17:00 UTC
18:00 CET

eduGAIN "raising the bar"

17:10 UTC
18:10 CET

Future SG Meetings

  • Conflict/Changes to 2019 meeting dates/times?
    • 4 meetings? 11 meetings? Somewhere in between?
  • Next meeting either:
    • @ Tuesday 2nd April 12:00 UTC
    • @ Tuesday 25th June 13:00 UTC
    • @ Some other date
17:20 UTC
18:20 CET

Expiry of the eduGAIN SG Chair

    • Current SG Chair term to expire on 28th June 2019.
    • Call for nominations in May. Vote?
17:25 UTC
18:25 CET

Any other business, Summary and Actions.

17:30 UTC
18:30 CET

Meeting Close.

Connection Details

Attendance

Federations in Attendance (11)

  1. SIFULAN
  2. DFN-AAI
  3. IDEM
  4. eduID.hu
  5. SWAMID
  6. PIONIER.Id
  7. UK federation
  8. CAF
  9. SAFIRE
  10. GRNET
  11. eduID.cz

Attendees (14)

  1. Brook Schofield, GÉANT
  2. Muhammad Farhan Sjaugi, SIFULAN (Malaysia)
  3. Casper Dreef, GÉANT
  4. Davide Vaghetti, IDEM/GARR
  5. Péter Molnar, eduID.hu
  6. Paul Scott, SWAMID
  7. Wolfgang Pempe, DFN-AAI
  8. Tomasz Wolniewicz, PIONIER.Id
  9. Rhys Smith, UK federation
  10. Chris Phillips, CAF
  11. Nicole Harris, GÉANT
  12. Jiri Borik, eduID.cz
  13. Zenon Mousmoulas, GRNET
  14. Guy Halse, SAFIRE

Apologies (7)

  1. Sten Aus, EENet / TAAT (Estonia) - due to timezone.
  2. Donald Coetzee, SAFIRE (South Africa) - traveling.
  3. Saeed Khademi, IRFed (Iran).
  4. Alejandro Lara, COFRe (Chile).
  5. Arnout Terpstra, SURFnet (NL).
  6. Miroslav Milinovic, AAI@EduHr (Croatia).
  7. Terry Smith, AAF (Australia) - timezone.

Notes

Welcome, Introductions & Agenda Agreement

The Chair welcomed everyone to the 1st meeting of 2019.

See the Open Actions & Previous Meeting notes. The major open action will be covered within the meeting.

Membership Updates and Joining

eduGAIN has reached the milestone of 60 participant federations with Turkey/YETKIM. Their membership and inclusion into eduGAIN was historic and before a time that the SG took a vote. Since that time the constitution has changed, the policy + MRPS templates were created and the new SAML profile decided (and adopted for new participants). Currently Turkey/YETKIM is without a policy + MRPS and complies with the new SAML profile.

  •  ACTION-20190305-01: Brook Schofield to ensure that Turkey/YETKIM complies with the Policy/MRPS requirements in a timely manner.

There are 10 candidate federations and two (2) are becoming ready for assessment:

  • Romania/RoEduNetID
  • China/CARSI

Also two (2) new candidates:

  • Sri Lanka / LIAF (URL is currently not responding https://liaf.ac.lk/)
  • Malta / RicerkaNet Identity Federation

For details on new members and candidates see https://technical.edugain.org/status and work on progressing new members is underway.

eduGAIN MDS Certificate Rollover

The certificate that transports the signing key for MDS will expire on 1 July 2019. It is known that some metadata management tools will have problems with this certifcate expiry even though they should only be using the key. This will necessitate some changes to MDS operations for the short and long term.

Tomasz Wolniewicz from the eduGAIN Operational Team explained that there will be a period where the certificate is regenerated with the same key material. Some products will need to update to this new certificate. Those that rely on the key will be unaffected. An exact list of software is unknown at this point in time.

In the longer term there will be a plan to generate new key/certificate in a signing ceremony and this process will be subject to community oversight. There is a working group consisting of Leif Johannsson, David Groep, Brook, Nicole and the eduGAIN OT to work through these issues to make the process transparent.

Rhys (followed up by Guy) asked about HSM usage - and the CrypTech/Diamond Key HSM is being investigated as well as options to "rent" an HSM space from GÉANT partner NRENs or cloud operators. Tomasz explained that signing speed requirements of MDS is very modest and USB Token HSM devices could also be an option. Davide commented that the Diamond Key Platform HSM doesn't have Common Criteria nor FIPS 140-2 certification and that even using certified hardware requires the use of a toolchain that is not audited. The chair explained that we'll be looking at what is needed to maintain trust in the entire signing process from key material generation, toolchain process and storage and not reduce the communities trust in our process.

Chris asked whether eIDAS required certain certifications. Davide explained that ISO27001 and FIPS 140-2 for identity providers but this isn't a goal for eduGAIN to have such a role.

  •  ACTION-20190305-02: Tomasz Wolniewicz to convey the certificate rollover to the SG mailing list.

eduGAIN "raising the bar"

The eduGAIN Compliance Issues wiki page has been to be updated and this is an ongoing process. There are 5 federations that still have work to do in this space (namely Denmark/WAYF, Finland/Haka, Portugal/RCTSaai, Chile/COFRe and Argentina/MATE). Unfortunately MATE have become unresponsive but work is active with the remaining parties which only have single issues to resolve. When should we start the clock on mandating compliance with the SAML profile? The profile is imposed on new participants but these 5 federations are still needing to align with this.

Nicole started discussion with the community by saying that a deadline was required as we've negotiated this process over a long period of time. Guy asked what the consequenses of a deadline that doesn't have concrete action as a result. Tomasz reminded all that ALL federations would need to be checked to see if their compliance had regressed.

Chris recounted the InCommon baseline expectations timeline which had an escalation to the signing authority, after informing the technical people that this would be done to focus the attention of the federation to this deadline.

It was agreed that this process will be followed. Technical staff will be informed of the deadline and telling them that this will be escalated to their management.


The Metadata Registration Practice Statement also has a previously agreed deadline of 1 April. Though no formal action was decided as a result of this.

Chris agreed that the same timeline for MRPS should be followed for the SAML profile without conflating these issues being the same thing.


Davide further suggested an escalation from 1 April until the next eduGAIN steering group meeting (86 days between 1 April and decided date of 25 June).

If all federations are compliant with the SAML profile 45 days after the 1 April window (15 May) then the SAML profile will be activated. An escalate to management will occur after this time for those federations not in compliance.

An update to the assessment of the MRPS should be completes as soon as possible and conveyed to all federations for a report ahead of the 1 April deadline. Those federations not in compliance aren't in the call at the moment and thus the process should have a soft penalty.


Future meetings

 A meeting schedule was suggested on the mailing list and commentary seemed to ebb and flow between 4 and 11 meetings (in 2018 there were 7 meetings).

Guy backed Nicole's suggestion to have 4 confirmed meeting times with the other 7 meetings subject to confirmation at a later date if these meetings are necessary.

The next SG meeting was confirmed to take place on Tuesday 25th June 13:00 UTC.

It was decided that the Tuesday 2nd April meeting date will be converted into a casual eduGAIN "Jazz Lounge" / "Surgery" / "Salon" opportunity to meet and discuss various issues. This was because Chris identified that we have a lot of topics that can be covered and the diversity of the services that are being wrapped around eduGAIN. Rhys agreed that having dates/times in diaries is useful and can always be cancelled at late notice and not have any formal SG business. The exact naming of these meetings is undecided.

Expiry of the eduGAIN SG Chair

The eduGAIN Steering Group Chair position that is currently held by Brook Schofield will expire mid-year (a fluid time period between 14th and the 28th of June 2019). It was always a goal for the this position to be held by the community and the merge of TERENA+DANTE in 2014 made this less clear. This is now an opportunity to do exactly this. Chris asked what the role of the chair entails. Only the term of the chair is formalised within the constitution and not the actual role and responsibilities but for practical purposes there needs to be a co-ordinator for SG meetings and the formal processes that the SG is responsible for, particularly the new membership review and approval process (see section 2.2 of the eduGAIN Constitution for more).

There will be a call for nominations in May on the mailing list.

AoB and Close

No other business was raised. The meeting closed on time.