Please note that the above time is CONFIRMED.
Arrival & "Can you hear me now?" (see Connection Details)
Welcome, Introductions & Agenda Agreement
Membership Updates and Joining
eduGAIN MDS Certificate Rollover
eduGAIN "raising the bar"
Future SG Meetings
Expiry of the eduGAIN SG Chair
Any other business, Summary and Actions.
Meeting ID: 114 216 575
Join Zoom Meeting https://geant.zoom.us/j/114216575
Find your local number: https://zoom.us/u/ac9mLp9qEL
The Chair welcomed everyone to the 1st meeting of 2019.
See the Previous Meeting notes. The major open action will be covered within the meeting.
eduGAIN has reached the milestone of 60 participant federations with Turkey/YETKIM. Their membership and inclusion in eduGAIN is historic, predating the time when the SG took a vote on new members. Since then the constitution has changed, the policy and MRPS templates were created and the new SAML profile was decided (and adopted for new participants). Currently Turkey/YETKIM has no policy or MRPS, and complies with the new SAML profile.
There are 10 candidate federations and two (2) are becoming ready for assessment:
Also two (2) new candidates:
For details on new members and candidates see https://technical.edugain.org/status and work on progressing new members is underway.
The certificate that transports the signing key for MDS will expire on 1 July 2019. It is known that some metadata management tools will have problems with this certificate expiry, even though they should only be using the key. This will necessitate some changes to MDS operations in the short and long term.
Tomasz Wolniewicz from the eduGAIN Operational Team explained that there will be a period where the certificate is regenerated with the same key material. Some products will need to update to this new certificate; those that rely only on the key will be unaffected. An exact list of affected software is unknown at this point in time.
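As an added illustration of the rollover described above (not part of the meeting notes or of eduGAIN's own tooling), the following script shows the check a federation operator could run on a re-issued MDS signing certificate: confirm that it wraps the same public key as the certificate it replaces, and see how long the old one remains valid. All key and certificate material is constructed locally for the demonstration, and the file names are assumptions.

```shell
#!/bin/sh
# Added example: confirm a re-issued metadata-signing certificate carries the
# same public key as the one it replaces, and report the old one's remaining
# validity. Key/certificate material is constructed here with openssl; the
# file names are assumptions, not eduGAIN's real paths.
set -eu

WORK=$(mktemp -d)

# Constructed demo material: one RSA key and two self-signed certificates that
# wrap that same key (mirroring a rollover which keeps the key material), plus
# one certificate on a different key to show the check rejecting it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/mds.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/mds.key" -days 1 -subj "/CN=mds-demo" -out "$WORK/old.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/mds.key" -days 3650 -subj "/CN=mds-demo" -out "$WORK/new.crt" 2>/dev/null
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -days 3650 \
    -subj "/CN=mds-demo" -out "$WORK/other.crt" 2>/dev/null

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
# Certificates that share a key produce the same fingerprint regardless of
# their validity dates, serial numbers or signatures.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when both certificates carry the same public key.
same_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Returns 0 when the certificate remains valid for at least $2 more seconds.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

same_key "$WORK/old.crt" "$WORK/new.crt" && echo "new.crt: same signing key as old.crt"
same_key "$WORK/old.crt" "$WORK/other.crt" || echo "other.crt: DIFFERENT key, not a same-key rollover"
valid_for "$WORK/old.crt" $((30 * 24 * 3600)) || echo "old.crt: expires within 30 days"
```

Tools that pin the key (the SPKI fingerprint) keep working across the rollover; tools that pin the whole certificate are the ones that need the new file before 1 July 2019.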
In the longer term there will be a plan to generate a new key/certificate in a signing ceremony, and this process will be subject to community oversight. There is a working group consisting of Leif Johannsson, David Groep, Brook, Nicole and the eduGAIN OT to work through these issues and make the process transparent.
Rhys (followed up by Guy) asked about HSM usage. The CrypTech/Diamond Key HSM is being investigated, as well as options to "rent" HSM space from GÉANT partner NRENs or cloud operators. Tomasz explained that the signing speed requirements of MDS are very modest and USB token HSM devices could also be an option. Davide commented that the Diamond Key Platform HSM has neither Common Criteria nor FIPS 140-2 certification, and that even using certified hardware requires the use of a toolchain that is not audited. The chair explained that we'll be looking at what is needed to maintain trust in the entire signing process, from key material generation through the toolchain to storage, and not reduce the community's trust in our process.
Chris asked whether eIDAS required certain certifications. Davide explained that ISO 27001 and FIPS 140-2 are required for identity providers, but taking on such a role isn't a goal for eduGAIN.
The eduGAIN Compliance Issues wiki page has been updated and this is an ongoing process. There are 5 federations that still have work to do in this space (namely Denmark/WAYF, Finland/Haka, Portugal/RCTSaai, Chile/COFRe and Argentina/MATE). Unfortunately MATE have become unresponsive, but work is active with the remaining parties, which each have only a single issue to resolve. When should we start the clock on mandating compliance with the SAML profile? The profile is imposed on new participants, but these 5 federations still need to align with it.
Nicole started the discussion with the community by saying that a deadline was required, as we've negotiated this process over a long period of time. Guy asked what the consequences would be of a deadline that does not result in concrete action. Tomasz reminded all that ALL federations would need to be checked to see if their compliance had regressed.
Chris recounted the InCommon baseline expectations timeline, which escalated to the signing authority after informing the technical people that this would be done, in order to focus the federation's attention on the deadline.
It was agreed that this process will be followed. Technical staff will be informed of the deadline and told that non-compliance will be escalated to their management.
The Metadata Registration Practice Statement also has a previously agreed deadline of 1 April, though no formal action was decided as a result.
Chris agreed that the same timeline used for the MRPS should be followed for the SAML profile, without conflating the two issues.
Davide further suggested an escalation from 1 April until the next eduGAIN steering group meeting (86 days between 1 April and decided date of 25 June).
If all federations are compliant with the SAML profile 45 days after the 1 April window (15 May) then the SAML profile will be activated. Escalation to management will occur after this time for those federations not in compliance.
An update to the assessment of the MRPS should be completed as soon as possible and conveyed to all federations in a report ahead of the 1 April deadline. The federations not in compliance aren't on the call at the moment, and thus the process should carry a soft penalty.
A meeting schedule was suggested on the mailing list and commentary seemed to ebb and flow between 4 and 11 meetings (in 2018 there were 7 meetings).
Guy backed Nicole's suggestion to have 4 confirmed meeting times with the other 7 meetings subject to confirmation at a later date if these meetings are necessary.
The next SG meeting was confirmed to take place on Tuesday 25th June 13:00 UTC.
It was decided that the Tuesday 2nd April meeting date will be converted into a casual eduGAIN "Jazz Lounge" / "Surgery" / "Salon" opportunity to meet and discuss various issues. This was because Chris identified that we have a lot of topics that can be covered, given the diversity of the services being wrapped around eduGAIN. Rhys agreed that having dates/times in diaries is useful; such meetings can always be cancelled at late notice and need not have any formal SG business. The exact naming of these meetings is undecided.
The eduGAIN Steering Group Chair position that is currently held by Brook Schofield will expire mid-year (a fluid time period between 14th and 28th June 2019). It was always a goal for this position to be held by the community, and the merger of TERENA+DANTE in 2014 made this less clear. This is now an opportunity to do exactly that. Chris asked what the role of the chair entails. Only the term of the chair is formalised within the constitution, not the actual role and responsibilities, but for practical purposes there needs to be a co-ordinator for SG meetings and for the formal processes the SG is responsible for, particularly the new membership review and approval process (see section 2.2 of the eduGAIN Constitution for more).
There will be a call for nominations in May on the mailing list.
No other business was raised. The meeting closed on time.