Title

Investigate and test privacy enhancing technologies

Description

During REFEDS at TechEx2017, and later on during TechEx2017 itself, interesting discussions developed over the future of federation, the role of users and the use/rise of proxy technology.

This activity investigates and showcases privacy enhancing technologies including, but not limited to, PEP (Polymorphic Encryption Pseudonyms) (1) and IRMA (I Reveal My Attributes) (2), and tests and validates the applicability and use cases of these in the context of R&E federations and eduGAIN.


SURFnet has built some experience with these technologies on a national level, and has for example implemented PEP into commonly used software products like ADFS, Shibboleth and SimpleSAMLphp. In regard to IRMA, it has now been enabled in pilot for both the SURFconext federation as well as the iDIN bank ID federation. We feel these technologies have significant promise, but would like to validate this in an international context. We would also like to learn about other alternative strategies and solutions that may help us to shape the future of our identity federations.

Proposer: Niels van Dijk, SURFnet

Resource requirements:
  • Other technologies to showcase other than PEP and IRMA
  • Participants for pilots
  • People with good ideas

+1's: SURFnet

References

(1) https://blog.surf.nl/en/privacy-surfconext-using-polymorphic-pseudonyms/

(2) https://privacybydesign.foundation/irma-en/


Title

update SAML tracer - get this done in GN4-2

Description

The SAML Tracer (https://addons.mozilla.org/nl/firefox/addon/saml-tracer/) is a highly rated Firefox plugin which was developed in our community (UNINETT, with contributions from others). As the browser is the central entity in any SAML transaction, it is an extremely convenient tool for testing and debugging SAML transactions. There are not many alternatives to this tool.

Unfortunately, Firefox has changed its plugin framework, rendering the existing plugin useless, and a major rework is needed.

Proposer: Niels van Dijk, SURFnet

Resource requirements

Money, a (junior) developer

+1's

Stefan Winter

Scott Koranda, LIGO

Nick Roy, InCommon

Thomas Lenggenhager, SWITCH: Feasibility to provide also a Safari-compatible version? Thanks José Manuel, I now found the SAML Chrome Panel!

Pieter van der Meulen (SURFnet)

Michael Domingues (University of Iowa)

José Manuel, RedIRIS/SIR. Regarding Thomas' question, there's a SAML Chrome Panel extension for Chrome.

Wolfgang Pempe, DFN

Michael Brogan (University of Washington)

Nate Klingenstein (The California State University)

Marcus Mizushima (The California State University)

Andrew Morgan (Oregon State University)

David Bantz (U Alaska)

Brent Putman (Georgetown University, Shibboleth Developer Team)

Liam Hoekenga (University of Michigan)

Terry Smith (AAF)

Dalia Abraham (AAF)

Daniel Lutz (SWITCH)

Etienne Dysli Metref (SWITCH)

Martin Haase (DAASI)

Rod Widdowson (Steading System Software, Shibboleth Developer Team)

Allan West (University of Florida)

Dominique Petitpierre (University of Geneva)

Cédric BRINER (University of Geneva)

Eric Yurick (Gettysburg College)

Vlad Mencl (Tuakiri/REANNZ)

Above and Below eduGAIN (inc. eScience requirements driven activities)

eduTEAMS Related

Title

Placeholder to include (and potentially continue) some of AARC work

Description

I would like to have a placeholder to include work that may be triggered by the revisited list of FIM4R requirements, as well as by AARC. Furthermore, I'd also like to include in this box liaisons with EOSC hub concerning their T&I architecture developments and adoption/support of FIM technologies. This item cannot and should not be more specific than this at this point in time.

Proposer: Licia Florio

Resource requirements: Coordination work, resources

+1's: <for others to voice their support - add your name here>


Title

eduTEAMS enhancements

Description

eduTEAMS work is progressing; there are different options for deploying eduTEAMS. This work item looks at the requirements for eduTEAMS when used by eScience collaborations. There will be lessons learned after the pilot with the life science community. I propose we have a placeholder so work on this does not go off the radar during the planning.

Proposer: Licia Florio

Resource requirements: Effort mostly

+1's: <for others to voice their support - add your name here>


Title

Discovery for Attribute Authorities (AAs)

Description

Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs.

There is no such facility for AAs however, meaning that SPs need to hard-configure which AAs they query, and then query all the configured AAs for all users all the time.

In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as a maximum of 2-3 AAs can be queried without breaking the entire login session.

A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive.

Proposer: Mihály Héder

Resource requirements

This is a hard one. Currently there is no support for any elements of this whatsoever:

  • Standardization
  • SAML Stack development
  • blood and sweat

+1's: Constantin Sclifos, RENAM

-1's: Wolfgang Pempe, DFN: Such a dynamic approach would raise issues concerning trust and privacy. An attribute authority must be in control of the list of SPs that are entitled to perform attribute queries and (possibly) receive PII.


StepUp

Title

Two Factor (something)

Description
  • Drive two factor towards ubiquity with low cost - create an eduToken (for the users that do not have a phone; critical mass can bring down the price even more. It can be implemented as a Kickstarter campaign).

    • Challenges in deploying multi-factor in the EU, partially due to the costs and partially due to the cost involved. A cost-effective approach would help.

    • An edu-token as a separate ‘token’ may reintroduce token management aspects (losing the token etc.).

    • Management is (and will be even more so) a non-issue, as the majority of people will use phones. We should strive for that.

    • Technically this problem can be solved, taking the above considerations into account. The real problem is how to scale the token vetting over the EU. This is especially challenging for research collaborations.

Proposer: From data gathering exercise

Resource requirements: <money? effort? coordination? infrastructure?>

+1's: <for others to voice their support - add your name here>

-1's: Wolfgang Pempe, DFN: I believe this is out of scope for GÉANT, you would need a dedicated organization for that purpose.


Title

eduTEAMS and guest IdPs

Description

eduTEAMS and guest IdPs - use cases: need to support social IDs and guest IdPs, but they need additional LoA. Step-up authN as a service is in the plan.

Proposer: from data gathering exercise

Resource requirements: <money? effort? coordination? infrastructure?>

+1's: isn't this the work being done in IoLR + REFEDS?
