Meeting Date: 9th February 2022, 14:00 CET.
Attendees: Steve Glover, Casper Dreef, Nicole Harris, Terry Smith, Davide Vaghetti, Alex Stuart, Guy Halse, Kevin Hickey, Pal Axelsson, Meshna Koren, Alan Buxey, Maarten Kremers, Daniel Muscat, Dean Flanders
Agenda:
- Discuss Goal 1 of the Charter
- Review recommendation summaries from each meeting.
After this meeting we will have reviewed all the goals. At this point I would propose that the secretariat makes the first attempt at drafting a recommendations document and shares it with the group for comment. Let's take a 4-week cycle for this? Working doc
Recommendations so far:
| Recommendations (governance discussion) |
|---|
| Address the low attendance and low input at eduGAIN meetings by creating an eduGAIN Steering Committee (elected) and hold an annual assembly with all of the current SG |
| Improve participation in leadership from non-federation members |
| Have a consistent approach to how federations are expected to publish metadata downstream |
| Improve consistency of federation policies |
| Consider levels (max 3) that apply to all IdPs |
| Improve joining process for new entities |
| Support implementation of baseline expectations (see goal 1) |
| Recommendations (service model discussion) |
|---|
| Have a consistent approach to how federations are expected to publish metadata upstream and downstream |
| Improve positioning of Seamless Access in relation to eduGAIN |
| Review eduGAIN mission statement |
| Consider levels (max 3) that apply to all IdPs (Anon, Pseudon, Personalised) plus CoCo, Sirtfi, Assurance |
| Baseline Requirement | Potential eduGAIN Improvements |
|---|---|
| [FO1] You focus on trustworthiness of Federation as a primary objective and are transparent about such efforts | |
| [FO2] You publish contact information and respond in a timely fashion to operational issues | |
| [FO3] You apply security practices to federation operations and ensure timely incident response | |
| [FO4] You follow good practices to ensure authentic, accurate and interoperable metadata to enable secure and trustworthy federated transactions | |
| [FO5] You implement and support frameworks that improve trustworthy and scalable use of Federation and promote their adoption by members and other participants | |
| [FO6] You collaborate with other organisations to promote realization of baseline expectations nationally and internationally | |
Notes:
FO1: comments and additions
Davide: some of the potential improvements are linked. Violations & filtering and the decision making (governance structure).
Guy: +1. Not an agile governance model.
Meshna: Where lies the difficulty? Technical or policy?
Davide: The constitution doesn't allow us to filter entities at the eduGAIN level.
Nicole: The potential impact when taking an IdP down.
Alex: eduGAIN isn't required to publish everything from the upstream feeds.
Davide: Process driven.
Alan: Rules aren't clearly written. It is the FO's responsibility to provide clean MD. First step: agreement between FO and eduGAIN to allow filtering.
Guy: Wide range of technical and support abilities. We could do this differently for different federations.
Nicole: Different service models for different types of federations.
Pal: FO still need to take/stay responsible for their MD. Be careful with wording.
Meshna: A need for an entity in Federation X to address changes with other federations?
Nicole: Testing security and technical
FO2:
Guy: eG obligation that ...
Alex: Scrap enforcing non-personal accounts
Daniel: Could cause GDPR issues
Terry: Self-service.
Alex: EntitiesDescriptor has an element. URI, URL and contact address.
Meshna: Self-service is great, but you need a central contact.
Pal: Yearly comms-check. Yearly compliance check.
Terry: Use a token fee?
FO3:
Pal: We have stuff to utilise. Handbook, WG, Sec Team.
Nicole: SIRTFI wasn't mentioned. Should this be considered?
Pal: Later on. Managed approach. Short term at federation level.
Meshna: The environment is not ready for SIRTFI yet. Make SIRTFI approachable for non-techs. Describe scenarios. Determining the smallest minimum requirement in a given situation is more helpful than mandating.
Guy: Unlink security contact from SIRTFI. Upping the bar over time.
Maarten: Here also FO1 come into place. Governance model to get this done.
Terry: Using tiers rather than bars. Encourage to take the next step.
Davide: 1. Currently over 30% of entities are SIRTFI, concentrated in a limited number of federations. Agree with gradual progress.
Pal: REFEDS is working on a new version, easier to understand. Adoption by key services is required. We need to talk about eduGAIN baseline level.
FO4:
Pal: We have a SAML profile, but may want to rework that.
Alex: Tune up the existing tools.
Pal: Should we have a propagation time limit?
Davide: SAML2int? Not a minimal requirement.
Alan: Point back to FO1
FO5:
Pal: To make eG work seamlessly this needs to be promoted, rather than enforced.
Davide: How to implement them in your federation? No agreement on this. eG may fill the gap here.
FO6:
Pal: Actively track whether federations are also implementing baseline.
Skip next meeting (23 Feb).