Attendees

Valter Nordh, VN (Chair)

Rob Evans, RE (JISC)

David Groep, DG (Nikhef)

Peter Schober, PSc (ACONET)

Yannis Mitsos, YM (GRNET)

Vicente Goyanes, VG (University of Vigo)


For GÉANT:

Valentino Cavalli VC

Alessandra Scicchitano AS

Nicole Harris NH

Licia Florio LF

Michael Enrico ME

Peter Szegedi PSz

John Dyer JD


1. Welcome, agenda bashing and approval of last meeting minutes - Valter

Valter welcomed the participants.

A review of the actions of the previous meeting followed. The updated list of actions is shown below.

Ref. | Status | Who | Action | Comment

20140219-6 | CLOSED | TTC | Re-consider a joint task force meeting in 2016 | To be revisited if needed later on

20141105-01 | OPEN | JD, PDOs | Improve TFs' communication by using (TERENA) social media channels in a coordinated way: a) a strategy to reach the unknowns (Comms staff - JD to share some ideas during the next TTC); b) a way to make the outcome of the community work easy to read for everybody. | Each PDO is encouraged to share the main results of the TFs via social media.

20150210-1 | CLOSED | AS | 1. AS to convey the comments of the TTC to the ISM SIG Steering Committee; 2. TTC to continue this discussion online | The SIG is now an open group as per TTC recommendation.

20150210-2 | OPEN | LD | Follow up on the news item about the EGI pilot for the Connect magazine | LD was not at the meeting

20150210-3 | CLOSED | TTC | Consider the list of topics for the TAC, consult home organizations, discuss the topics during a separate meeting | TTC meeting (VC) regarding TAC topics: 9 March 14:00-16:00

 

2. Report from the Advisory Committee Meeting held during TNC and on TNC in general - Valter, Licia and Peter

VN reported on the last TAC meeting. The meeting was not very interactive, despite some efforts to involve the participants. Clearly a different format is needed to make these meetings more effective. VN noted that the format and the existence of the TAC are being considered as part of the revision of the whole former TERENA Technical Programme.

There were two take-aways from the last TAC meeting:

VN asked whether there were other interesting outcomes from TNC.

The general feeling was that side meetings are very valuable to TTC members and to many community members. The TNC format could be changed to accommodate this need better.

ACTION: The TTC recommends TNC to consider a format where more side meetings are possible. Options could be to close the formal conference one day earlier and use the Thursday for WG meetings only.

Michael Enrico reported on his conversation with Florence Hudson, the new I2 Chief Innovation Officer, and the innovation package she is working on. I2 seems to be more interested in the Internet of Things (IoT) than the GÉANT community is. ME noted that the EC has also allocated significant funding to develop IoT; several EU cities have benefited from that and have become 'internet ready'.

ME feels that some NRENs are potentially interested, and that it is still an area to monitor as far as GÉANT is concerned. It is difficult to say which aspect is really relevant for our community, as IoT covers a broad spectrum. There is potential for a service offering in the future, maybe related to mobile services (i.e. wide sensor networks based on GSM) and the data collected via them.

YM noted that there is a lot of interest in SDN; it is up to GÉANT to implement the recommendations in this area.

RE noted there is sufficient interest in next-generation network discussions to justify a SIG-NGN. In light of the new H2020, a SIG could also be useful to spin off discussions on the preparation of open-call proposals (which are expected to be much more cross-e-Infrastructure than in the past) or other community projects.

3. Updates on GÉANT (the association) work

4. Global initiatives and Projects - For INFORMATION

AARC – LF gave an update on the AARC project, which started on May 1st and will run for two years. The first couple of months have been mostly spent on preparing the detailed work plans and on forming the teams. The kick-off meeting took place at the beginning of June; it was clearly a very high-level meeting, where the various WP leaders presented and validated their initial ideas.

There are two deliverables due at the end of July: one on the technical requirements that AARC should focus on to design the integrated architecture, and the other on training.

SGA1 (GN4) – GN4 is progressing well; a lot of preparation is being spent on phase two, which is expected to start in May 2016. There is a new task that NH is leading, which looks at some of the requirements and their implications for the IdPs. This also offers an opportunity to link the eduGAIN policy work, the enabling users work and other relevant GÉANT work to REFEDS.

REFEDS – REFEDS celebrated its 10th anniversary this year. The group is very healthy; there is a lot of discussion on the list and a lot of work to be supported. The work plan is available on the REFEDS wiki along with the rest of the material. NH is working with Heather Flanagan to kick off some additional work in the area of virtual organisations and groups. For more information please refer to:

https://wiki.refeds.org/display/WOR/2015+REFEDS+Workplan

5. Events

EWTI - In line with the open actions to cluster events, GÉANT is supporting the preparation of the next EWTI (European Workshop on Trust and Identity), which will take place in December. There will be co-located events, such as a REFEDS BoF to prepare for the next workplan and an eduGAIN town hall meeting.

The EWTI event is entirely organised by Identinetics GmbH, led by Rainer Hörbe. GÉANT's main contribution is in the promotion of the event to bring our community there; in return the GÉANT community should benefit from the government contacts that Rainer has gained during his work as a consultant. The MoU is for one year of support; an evaluation will follow to decide on how to continue in the future.

Technology Exchange I2 – There will be a main REFEDS event on the Sunday before the Technology Exchange meeting starts. Furthermore LF has submitted a request for a WG session to discuss Sirtfi and assurance. AS has also submitted a request for a session to discuss community requirements as input for the current AARC project as well as a consultation for the preparation of the next one.

6. TTC Members updates

A round table of the TTC members followed.

Vicente Goyanes – It would be helpful if GÉANT could gather and share more information on NRENs' international activities, and if this information could be shared among universities. As we move towards services, closer interaction among campuses, and between campuses and NRENs, is needed.

Knowing that the same service is available in other countries can trigger discussion on how to access these services and how to harmonise them.

JD showed the service matrix (https://compendium.terena.org/reports/nrens_services), developed as part of the Compendium. This was extremely well received by the TTC. Thanks to Christian Gijtenbeek (who developed it) and Jessica Willis for this result.

ACTION: The TTC recommends promoting the service matrix widely and making it easily accessible via the GÉANT website.

ACTION: The TTC recommends the TIC to endorse recommendations at GA level to ensure that more funding is allocated for campuses.

David Groep – DG noted the high expectations in AARC about what it can achieve. We should manage these expectations so that communities will not be disappointed. DG noted that AARC should look at a mechanism to address some general questions coming from the user communities. As an example he referred to a question asked on the REFEDS lists by CERN, which triggered long and convoluted answers, whereas a simple answer could have been provided.

Valter Nordh – Supporting GÉANT in updating the terms of reference for the technical programme. Plans are to present a draft for the next GA in September. Some TTC members' terms have expired; Valter proposed to prolong the expired mandates until the end of 2015. No objections were raised.

Peter Schober – IDM issues in the R&E community

PSc, as part of the more in-depth area presentation each TTC member offers, gave an overview of the authentication and authorisation practices in the R&E community.

There is still a lot of phishing, and asking subjects to use ever more complex passwords obviously won't help there. Mitigations for this are strong authentication, 2-factor authentication and multi-factor authentication, which in practice mean a combination of independent authentication methods or technologies.

Yubikey and Google joined the FIDO alliance, promoting 2-factor authentication (U2F: "Universal 2nd Factor") specs that use established technologies (RSA public key cryptography) and protocols that are now being integrated into the browser.

Most of the requirements for 2-factor authentication come from users attempting to protect their passwords, rather than from the resources.

Despite what many believe, second-factor authentication is not really a way to increase the assurance that the credentials are used by the right people. To elevate the assurance, other means are needed, e.g. verified processes, which normally increase the authentication costs.

A problem institutions still face is the request for password reset, which is still a time consuming operation and affects identity assurance.

PSc touched upon authorisation, which usually presupposes the user has been previously authenticated.

Identity management in the academic space is very complex as there are lots of different roles (and combinations of them at different levels) to handle. For some services authentication and authorisation overlap, but in general this is not good practice. Commercial companies are expanding the authentication process with data mining, taking into account an ever-growing list of contextual and environmental factors (OS, browser fingerprinting, IP addresses, geolocation, etc.).

Academic licenses can be complex so it is very difficult to translate them into operational procedures. An example of this is Clarin where the authorisation parameter chosen is to allow access to resources to "academics". They basically mapped a grant of rights limited to specific uses ("for educational, teaching or research purposes") into an authorisation process, not realising that there is no generally agreed upon concept (nor machine-consumable information in institutional IDM systems) for "academic". This approach is causing problems, as it's based on a fundamental misconception: No IDM process/authorisation attribute can ever give the license holder the assurance that the subject accessing the resource will be using it in accordance with the license terms.

PSc also touched upon provisioning, the process of making sure that data to be used in distributed environments is available in different places. One approach is to push the data to all applications in advance, for when it is needed ("just in case"); this model has issues with federated approaches, as the number of applications might be huge, rapidly changing or unknown in advance. The other approach is to provision the data when needed ("just in time"), which has issues with authorisation (e.g. authorising someone can only happen after a local account has been provisioned for that person), resulting in awkward workflows. For example, one has to ask (and wait for) a group of people to log in to a system first (in order to get their accounts provisioned "just in time"), at which point those subjects do not have access to the resource, and then authorise them later (and ask the subjects to return after they have been properly authorised).

De-provisioning is normally not properly done, though there's some support in the protocols used; the general approach followed is to reset the password at the Identity Provider (and leave the data at SPs to rot).
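As an added illustration of the "just in time" authorisation problem and the de-provisioning point above (a constructed model, not code from PSc's presentation or any GÉANT tool), the block below contrasts an SP that can only attach grants to an already provisioned local account with one that records the grant against the federated identifier expected in the assertion; the SP model, the identifiers and the resource name are assumptions.

```python
# Constructed model of an SP that provisions local accounts "just in time".
# Assumption (not from the minutes): grants can be keyed on the federated
# identifier expected in the assertion, so they can exist before the account.
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    accounts: dict = field(default_factory=dict)  # fed_id -> set of roles
    grants: dict = field(default_factory=dict)    # resource -> set of fed_ids

    def authorise_account_based(self, fed_id, resource):
        """Naive JIT workflow: a grant can only attach to an existing local account."""
        if fed_id not in self.accounts:
            return False  # nothing to attach the grant to yet
        self.accounts[fed_id].add(resource)
        return True

    def authorise_by_identifier(self, fed_id, resource):
        """Decoupled workflow: record the decision against the federated identifier."""
        self.grants.setdefault(resource, set()).add(fed_id)

    def login(self, fed_id):
        """First login creates the account; any pending grants apply immediately."""
        roles = self.accounts.setdefault(fed_id, set())
        roles.update(r for r, members in self.grants.items() if fed_id in members)
        return roles

    def can_access(self, fed_id, resource):
        return resource in self.accounts.get(fed_id, set())

    def deprovision(self, fed_id):
        """Remove the local account and pending grants, not just the IdP password."""
        self.accounts.pop(fed_id, None)
        for members in self.grants.values():
            members.discard(fed_id)


def awkward_workflow(fed_id="alice@example.org"):
    """Authorise-before-login is a no-op, so the subject must log in and come back."""
    sp = ServiceProvider()
    sp.authorise_account_based(fed_id, "wiki")  # False: no account yet
    sp.login(fed_id)
    return sp.can_access(fed_id, "wiki")  # False: a second round-trip is needed


def decoupled_workflow(fed_id="alice@example.org"):
    """Grant first; the first login then provisions the account with access in place."""
    sp = ServiceProvider()
    sp.authorise_by_identifier(fed_id, "wiki")
    sp.login(fed_id)
    return sp.can_access(fed_id, "wiki")  # True
```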

The last part of the talk covered attributes and their usage. Typical problems in this area:

Currently the R&E community is using two main approaches or even a mix of them: a risk-based approach (REFEDS R&S) vs a full compliance one (GÉANT CoCo).

Lastly Peter touched upon eduGAIN and related services offered by GÉANT. Thanks to the work done by the community within the GÉANT project and within REFEDS, it is now much easier for an NREN to create a federation: there is a federation policy template, best practice documents, and FaaS (video showcase), which offers a SAML entity registry, metadata aggregation, plus secure signing with an HSM (which makes support for a local installation impossible), information on entity categories, discovery documentation and so on.

PSc's presentation covered many interesting aspects; some TTC members asked which areas NRENs are really focusing on.

ACTION: Peter to review his slides and distill what is being worked on and what is not being worked on.

7. Next Meetings

There will be two upcoming meetings:

- September 30th - a videoconference meeting to report on the revised technical programme

- November 24th – face-to-face meeting

8. Summary of the ACTIONS

Ref. | Status | Who | Action | Comment

20150708-01 | OPEN | GÉANT | To consider a format for TNC where more side meetings are possible. |

20150708-02 | OPEN | GÉANT | To promote the service matrix widely and to make it easily accessible via the GÉANT website. |

20150708-03 | OPEN | VN | To talk to the TIC to ensure that T&I recommendations are known and endorsed by the GA. More funding to support integration at campus level is needed. |

20150708-04 | OPEN | PSc | To review his slides and distil what is being worked on and what is not being worked on by the NRENs. |

20150210-2 | OPEN | LD | Follow up on the news item about the EGI pilot for the Connect magazine | LD was not at the meeting