Please Note that the above time is CONFIRMED.
Arrival & "Can you hear me now?" (see Connection Details)
Welcome, Introductions & Agenda Agreement
|Membership Updates and Joining|
eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)
Future SG Meetings
Any other business, Summary and Actions
Meeting Close (or we are running over time).
The Chair welcomed everyone to the 7th meeting of 2018.
For details on new members and candidates see https://technical.edugain.org/status and work on progressing new members is underway.
The three (3) outstanding actions will remain outstanding. They have due dates in 2019 and are being actively worked on.
The eduGAIN Compliance Issues are being worked through and we are making progress on support for the SAML2 profile being mandated.
Nick stated that InCommon have a new engineer and a major impediment to their support is not being able to modify members metadata without positive action by participants and there is work ongoing to address this.
Chris reported that CAF is looking at their lack of an MRPS.
Guy's questioned why the existing validator exists and why can't the new validator be visible to send the correct message to federation. About the "why" Tomasz answered that there are legacy rules for existing participants but this will be rolled forward once everyone is ilne. This approach was backed by Nick and Rhys. Guy clarified that there are warnings that are not issues in the new validator and the OT will investigate and remove inconsistencies between the two.
Farhan asked about what they should do regarding the SIFULAN signing key. While no immediate action is requried advice was given by the community with Chris clarifying that any change is only for upstream metadata.
Guy asked about ECC certificates. Stefan has tried that. Maja to clarify if the MDS+Validator can do this. Rhys questioned by ECC rather than 4k keys? Guy has a scenario with his HSMs that doesn't support >2k RSA keys but does support ECC - smaller new federations might want to use USB based HSMs (Nitrokey, Cryptosick, et al) to gain experience before investing in more costly ones, and many of these still only support 2K keys but do aslo support ECC, so a 3K restriction rules out these HSMs. ECC is a path forward. Rhys said that this should be started and there can be a phased approach to move toward endpoint testing/support for ECC certificates.
Based on the email by the Haka federation to the eduGAIN-SG Mailing List on 5th October there was a discussion about eduGAIN "the brand".
Nick stated that HAKA requires signed authentication requests from SPs and this could cause some interoperability problems and isn't included in the next version of SAML2Int.
Timo clarified that this message was a request from the HAKA Steering Group and wasn't universally supported by the HAKA team. They are wanting services to adopt eduGAIN.
Nick stated that the REFEDS Service Catalogue paper released by Heather could be used to highlight services.
Chris Phililps stated that use of eduGAIN witihn CAF is significant but they want it to be increased and improve the knowledge of reachability of services for key researchers (not just overall volume of users).
Miro stated "Catalogue for End Users". Chris suggested "Service Directory". Nick Roy said a quick win could be the adding of search over MDUI Display Name within MET. Tomasz said that the eduGAIN entities database has this feature but lacks URLs. Nick also suggested that having a button/form to request services being exported to eduGAIN could also be made available. Chris Phillips stated that some members of CAF have had the issue that there are services that aren't accessible (because they aren't in eduGAIN). Nick mentioned the ability to decorate entries within MET. Once we have a repository of this data we could drive discovery services via those feeds.
The REFEDS 2019 work plan is currently being prepared. Common requests for "what's in eduGAIN" from federation will be taken on board in the next iteration of the GÉANT project (GN4-3 to start in 2019).
Scott Koranda is unable to join todays meeting. There are regular SIRTFI conference calls co-ordinated by Tom Barton. At the last call (last Thursday) there was a request to send this information to the eduGAIN SG for their comment on whether the output of the SIRTFI+ registry is likely to be injested into eduGAIN (or how would federations make this available). The TechEx SIRTFI presentation slides are also available to inform the SG of the progress of SIRTFI and SIRTFI+ registry work.
Rhys stated that SIRTFI+ creates an attack point that undermines the integrity of the federation trust model. The act of "merging" metadata isn't possible in any software. The order of import is importand - it is unknown in various federation tools but the handling of this isn't consistent between tools.
Nick Roy stated that if the SIRTFI decoration is imported into eduGAIN then the entity isn't decorated in their home federation.
Chris said there are a lot of unknowns in the area of this registry. "Sympathetic" tagging of R&S in CAF if they see it tagged in another federation.
Chris asked about SIRTFI for OIDC? No, or at least not yet. Davide is aware and it will likely be future work.
Rhys is going to deep dive into the SIRTFI mailing lists to understand their goals/posture. Davide stated that interferring with the integrity of a federation is a real problem.
Nick said for the both of the SIRTFI simulations there was a need to get in touch with the federation security contact. Adding a security contact to technical.edugain.org is important.
Questions were asked on whether this should be a URL or an email address (mailto:) or (tel:). Pål asked whether we do SIRTFI for the federation?
RENISAC is the group that co-ordinates R&E security coordination for the InCommon community with almost universal coverage.
Goals for security contact information is to:
Autopopulation of the security contact with contact email address isn't acceptable as the security contact should at least understand TLP for sharing information.
There is no further meetings in 2018.