Attendees

Valter Nordh, VN (Chair)

Rob Evans, RE (JISC)

David Groep, DG (Nikhef)

Peter Schober, PSc (ACOnet)

Yannis Mitsos, YM (GRNET)

Vicente Goyanes, VG (University of Vigo)

For GÉANT:

Valentino Cavalli VC

Alessandra Scicchitano AS

Nicole Harris NH

Licia Florio LF

Michael Enrico ME

Peter Szegedi PSz

John Dyer JD

1. Wecome agenda bashing and Approval of last meeting minutes - Valter

Valter welcomed the participants.

A review of the actions  of the previous meeting followed. The updated list of actions is shown below.

2. Report from the Advisory Committee Meeting held during TNC and on TNC in general  - Valter,Licia and Peter

VN reported about the last TAC meeting. The meeting was not very interactive, despite some efforts to involve the participants. Clearly a different format is needed to make these meetings more effective. VN noted that the format and the existence of the TAC are being considered as part of the revision of the whole former TERENA Technical Programme.

There were two take away from the last TAC meeting:

• No objections were raised toward the greenhouse project. Due to lack of resources, the only option to establish a Greenhouse framework would be via a partnership with an existing company that can provide the necessary infrastructure to sustain open-source products.
• Afrodite’s  talk about the lightweight adaption of operations / business support systems (OSS/BSS) architecture developed at GRNET provided some interesting inputs for discussion.  There was some interest although no concrete follow up.

VN asked whether there were other interesting outcome from TNC.

The general feeling was that side meetings are very valuable to TTC members and to many community members. TNC format could be changed to accommodate this need better.

Recommendation: The TTC recommends TNC to consider a format where more side meetings are possible. Options could be to close the formal conference one day earlier and use the Thursday for WG meetings only.

Michael Enrico reported about his conversation with Florence Hudson, the new I2 Chief Innovation Officer, and the innovation package she is working on. I2 seems to be more interested in the Internet of Things (IoT)  compared to the GÉANT community. ME noted that the EC has also allocated significant funding to develop IoT; several EU cities have benefited from that and have become ‘internet ready’.

ME feels that some of NRENs are potentially interested, and that it is still an area to monitor as far as GÉANT is concerned. It is difficult to say which aspect is really relevant for our community, as IoT covers a broad spectrum. There is potential for service offering in the future, maybe related to mobile services (i.e. wide sensor networks based on GSM) and data collected via them.

YM noted that there is a lot of interest in SDN; it is up to GÉANT to implement the recommendations in this place. 

RE noted that there is sufficient interest for next generation network discussion that could justify a SIG-NGN.  In light of the new H2020 a SIG could also be useful to spin off discussions on the preparation of open calls proposal (which are expected to become much more cross e-Infrastructures than what happened in the past) or other community projects.

ACTION: RE to start the preparation for the SIG-NGN

3. Updates on GEANT (the association) work

• TFs/SIGs updates

  • TF-MNM - NH noted that the Task Force is running out of enthusiasm and suggested that when its charter expires we should think of moving tf-mnm to a SIG which would fit more the way the current group operates. The current charter is still the reference under which the group operates, although there is no real concrete output.

    The TF is working closer to eduroam global governance committee and this has provided useful feedback to both groups; it brings the GeGC closer to more concrete aspects of the operations of eduroam as a global service.

    There are less face-to-face meeting lately and more topic-based videoconference, for which there is a lot of enthusiasm.
    
    
  • TF-CSIRT/TI - TF-CSIRT is a different type of task force, in fact the name task force is probably not really fitting this group as the Trusted Introducer service and TRANSITS training  are part of the TF-CSIRT service umbrella.

    There is a review ongoing of Trusted Introducer, to evaluate if it is still offering the right services to the community  as well as the way in which the service is procured.

    NH reported on the feeling (only shared by some of the TF-CSIRT participants) that TF-CSIRT can operate independently from the GÉANT. This seems be based on some underestimation on what GÉANT offer in terms of support and coordination not only in organising the meetings (which are mini-conferences) but also in preparing minutes and handling administrative work.
    
    
  • TF-MSP - One of the main area of work is the aggregate procurement approach that is gaining significant consensus; there is already collaboration with the service activity in the GÉANT project that procures clouds services. Plans are to expand the framework beyond clouds.

    Another aspect of interest is NRENs Acceptable Use Policy, which is covered for the network services, but it should be expanded to encompass all other services.

    The task-force is healthy and there is still significant attendance and participation during the meetings. There is a lot of interest in the output but not a lot of engagement from the whole group to work towards these outputs. Most of the work seems to fall on a few people. This seems to be a trend in many other activities.
    
    
  • TF-WebRTC - The TF work is linked to the counterpart Service Activity in the GÉANT project (Real-Time Applications and Multimedia Management), in fact the TFs can be considered the outreach of the GÉANT-funded WebRTC work.

    There is interest in some NRENs in open source solutions 1  (JITSI). Work to this extend is being carried out as a joint effort  in the task force and the service activity in GÉANT with the aim to implement an open source platform. The idea is to create a trust an API on top of the secure and trusted WebRTC platform operated by GÉANT. Plans are also to use the task force to create and hackathon to reach out more developers.

    PSz said we should focused on the GN3plus EC review recommendation “the network is not so interesting but the applications on top of that are”.

  • TF-STORAGE - PZs reported that the task force is business as usual. There was a gathering at TNC targeted at both the industry and the GÉANT Community. OwnCloud and Zettabox (they work similarly to dropbox but they are EU-based) attended the meeting and presented as well. Aconet, University of Vienna and SWITCH seem to be interested in Zettabox . The plan is to offer that under the  GÉANT cloud service catalogue: https://catalogue.clouds.GÉANT.net/#/cloudservices . 

    The TF-Storage is moving more and more towards cost effective storage. Things like the OwnCloud Agreement and FileSender are out of the task force.

  • SIG-ISM - AS reported that the SIG-ISM has accepted to reopen the group to all parties interested in ISM, which in principle makes the group available for participation beyond the NRENs community. The aim of this SIG is to create a community of security management professionals in the NRENs and to discuss security management and security standards at NRENs level.

    In the last months the SIG has been particularly active. On the 12th and 13th of May the 1st official workshop was held at the Imperial College in London which was both well attended and received. Alf Moens (SURFnet) gave a presentation of the SIG during the last REFEDS meeting with the aim to raise awareness on the group, which could provide support for federations and any identified security risks. 

    The SIG as part of their outreach has also established a communication with the Security for Collaboration Infrastructure group (SCI, https://www.eugridpma.org/sci/) a collaboration of security staff from several large-scale distributed computing infrastructures, including EGI, OSG, PRACE, wLCG, and XSEDE. The two groups are organizing a joint workshop to be held in the 2nd half of October in Barcelona.

  • SIG-NOC - PZs presented the aim of SIG-NOC, that is to create a forum where experts from the community exchange information, knowledge, ideas and best practices about specific technical or other areas of business relevant to the research and education networking community. The group has been shaped following TF-CSIRT model and TRANSIT (train the training), but follows a more light-weighted approach.

    There are a set of KPIs included in the charter to evaluate the performances of the group in one year time. RE commented to break out the specific SIG content from the more general part of the SIG template. Staff commented that the specific ToR were indeed an instantiation of a generic template that would be reused in all similar cases. DG was pleased by the involvement of other networks together with the NRENs.

    ACTION: PSz to inform the team the TTC approved the SIG-NOC unanimously

• Services updates

  • Open Cloud mesh (PSz) - Owncloud is active in the Open Cloud mesh, the initiative to interconnect different owncloud instances. OwnCloud has promised to release the code very soon to the TF.

    In response to a question on whether the installion code cof OwnCloud is tracked, PSz answered that OwnCloud has an agreement with GÉANT; however they also have bigger customers that are handled independently. We do track the installation that are under the agreement. There is also a closed OwnCloud developer group, for those that are doing development on top of OwnCloud.

• • TCS - TCS is since the July 1^st in production.
    AS noted that DigiCert collaboration is working smoothly. There a was a meeting during TNC to present the new system, which went well. Although the current DigiCert managed portal uses the same attributes that were released before to confusa, some people feel uncomfortable releasing attributes to DigiCert now.
    AS, with the support of the PMT, is working to make it clear to federations and IdPs that the legal framework in place is legally sound for them to release attributes. The service works very well, the support is very good.

• • Trusted Introducer (NH) - The trusted Introducer service is working smoothly. There is a review of the whole service on going which follows a two-phases approach: phase1: May-December and  phase2: Jan-May 2016. More information will be provided at the end of the review process.

4. Global initiatives and Projects - For INFORMATION

AARC – LF gave an update on the AARC project, which started on May 1^st and will run for two years. The first couple of months have been mostly spent on preparing the detailed work plans and on forming the teams. The kick off meeting took place at the beginning of June; it was clearly a very high level meeting, where the various WP leaders presented and validated their initial ideas.

There area two deliverables due at the end of July: one on technical requirements that AARC should focus on to design the integrated architecture and the other on training.

SGA1 (GN4) –GN4 is progressing well; lots of preparation is being spent on the phase two which is expected to start in may 2016.  PDOs are involved in the following activities:

• Coordination of the service activity Real Time Application and Multimedia management – PSz
• There is a new task (Harmonisation), led by NH, which is part of the service activity Trust and Identity Service Development (coordinated by Ann Harding). This task is about looking at some of the requirements and their implications on the IdPs. This offers also an opportunity to link the eduGAIN policy work, the enabling users work and other relevant GÉANT work to REFEDS.
• eduGAIN service coordination led by Brook.

REFEDS – REFEDS celebrated this year its 10^th anniversary. The group is very healthy, there is a lot of discussion on the list and a lot of work to be supported. The work plan is available on the REFEDS wiki as the rest of the material. NH is working with Heather Flanagan to kick of some additional work in the area of virtual organisations and groups. For more information please refer to:

https://wiki.refeds.org/display/WOR/2015+REFEDS+Workplan

5. Events

EWTI - In line of the open actions to cluster events, GÉANT is supporting the preparation of the next EWTI (European Workshop Trust and Identity) which will take place in December. There will be co-located events, such as a REFEDS BoF to prepare for the next workplan and a eduGAIN town hall meeting.

The EWTI event is totally organised by Identinetics GmbH, led by Rainer Horbe. GÉANT main contribution is in the promotion of the event to bring our community there; in return GÉANT community should benefit of some contacts with the government that Rainer has gained during his work as consultant. A one year MoU has been signed between the Amsterdam Office and Identinetics GmbH, with the aim of supporting the EWTI and event and to co-locate relevant events . An evaluation will follow to decide on how to continue in the future.

Technology Exchange I2 – There will be a main REFEDS event on Sunday before the Technology Exchange meeting starts. Furthermore LF has submitted a request for a WG session to discuss about Sirtfi and assurance. AS has also submit a request for a session to discuss about community requirements as input for the current AARC project as well as consultation for the preparation of the next one.

6. TTC Members updates 

A round table of the TTC members followed.

Vicente Goyanes – It would be helpful if GÉANT could gather and share more information on NRENs international activities and if this information could be shared among universities. As we move towards services a closer interaction among campuses and with campuses and NRENs is needed.

Having the knowledge that the same service is available other countries can trigger discussion on how to access them and how to harmonise them.

JD showed the service matrix (https://compendium.terena.org/reports/nrens_services) , developed as part of the Compendium. This was extremely well received by the TTC. Thanks for Christian Gijtenbeek (developed it) and Jessica Willis for this result.

Recommendation: The TTC recommends promoting service matrix widely and to make it easily accessible via the GÉANT website.

Recommendation: The TTC recommends GÉANT management to expose any other relevant results coming from GÉANT activities at GA level to ensure they are known (and hopefully supported) by the decision makers.

Davig Groep – DG noted the high expectation in AARC on what it can achieve. We should manage this expectation so that communities will not be disappointed.  DG noted that AARC should look at a mechanism to address some general questions coming from the user communities. As an example he referred to a question asked on the RFEDS lists from CERN, which triggered long and convoluted answers, whereas a simple question could have been provided.

Valter  Nordth– Supporting GÉANT in updating the terms of reference for the technical programme. Plans are to present a draft for the next GA in September. Some TTC members’ terms have expired; Valter proposed to prolong the expired mandate until the end of 2015.  No objections were raised.

Peter Schober– IDM Issues in the R&E community

As part of the more in depth area presentation each TTC member offers, PSc gave an overview of the authentication and authorisation practices in the R&E community.

PSc, as part of the more in depth area presentation each TTC member offers, gave an overview  of  the authentication and authorisation practices in the R&E community.

There is still a lot of phising  despite users being asked to use more and more  complex passwords. Mitigation for this are strong authentication, 2-factor authentication, multi-factor authentication, which in practice means a combination of independent authentication practices.

Ubikey and Google have championed 2-factor authentication, that basically uses established technologies and protocols that are integrated in the browser.

Most of the requirements for 2-factor authentication come from the users in the attempt to protect their passwords rather from the resources.

Despite what many believe, the second factor authentication is not really a way to increase the assurance that the credentials are used by the good people. To elevate the insurance other means are needed, i.e. verified process etc. which normally bring up the authentication costs.

A problem institutions still face is the request for password reset, which is still a time consuming operation. To date there is no fully automated way to do that as the new passwords have to propagated into the different databases.

PSc touched upon authorisation, which presupposes the user has been previously authenticated.

Identity management in the academic space is very complex as there are lots of different roles (and a combination of them at different levels) to handle. For some services authentication and authorisation overlap, but in general this is not a good practice. Commercial companies are expanding the authentication process with data mining, taking into account an ever growing list of contextual and environmental factors (OS, browser fingerprinting, IP addresses, geolocation, etc.)

Academic licenses can be complex so it is very difficult to translate them into operational procedures. An example of this is Clarin where the authorisation parameter chosen is to allow access to resources to "academics". They basically mapped a grant of rights limited to specific uses ("for educational, teaching or research purposes") into an authorisation process, not realising that there is no generally agreed upon concept (nor machine-consumable information in institutional IDM systems) for "academic". This approach is causing problems, as it's based on a fundamental misconception: No IDM process/authorisation attribute can ever give the license holder the assurance that the subject accessing the resource will be using it in accordance with the license terms.

PSc also touched upon provisioning, the process to make sure that data to be used in distributed environments are available in different places. One approach is to push the data to all applications for when they are needed ("just in case"); this model has issues with federated approaches as the number of applications might be huge, rapidly changing or unkown in advance.. The other approach is to provision the data when needed ("just in time"), which has issues with authorisation (e.g. authorising someone can only happen after they has been provisioned a local account for a person), resulting in awkward workflows. E.g. having to ask (and wait for) a group of people to log in to a system first (in order to get their accounts provisioned "just in time"), at which point those subjects do not have access to the resource, and then authorise them later (and ask the subjets to return after they have been properly authorised).

De-provisioning is normally not properly done, though there's some support in the protocols used; the general approach followed is to reset the password at the Identity Provider (and leave the data at SPs to rot).

The last part of the talk covered attributes and its usage. Typical problems in this area:

• • Agreeing on the syntax and semantics
  • The complexity of storing and processing Humans names from different cultures
  • Identifiers and their many properties
  • Who gets the attributes the IdP releases
  • Who decides based on what.

Currently the R&E community is using two main approaches or even a mix of them: a risk-based approach (REFEDS R&S) vs a full compliance one (GÉANT CoCo).

Lastly Peter touched upon eduGAIN and related services offered by GÉANT. Thanks to the work done by the community within the GÉANT project and within REFEDS, it is now much easier for an NREN to create a federation: there's a federation policy template, best practice documents, there is FaaS (video showcase) that offers a SAML entity registry, metadata aggregation, plus secure signing with a HSM (which makes support for local installation impossible), information on entity categories, discovery documentation and so on. 

PSc’ s presentation covered many interesting aspects; some TTC members asked which areas NRENs are really focusing on. 

ACTION: Peter to review his slides and distill what is being worked on and what is not being worked on.

 7. Next Meetings

There will be two upcoming meetings:

-       September 30^th - a videoconference meeting to report on the revised technical programme

-       November 24^th – Face-to-face meeting

ACTION: DG to report on operational aspect of service provisioning across e-Infrastructures during the next f-2-f TTC.

8. Summary of the ACTIONS and RECCOMENDATIONS

The following reccomendations are noted:

1. Gyöngyi Horváth and the TNC team to consider a format for TNC where more side meetings are possible.

2. JD and GÉANT Management to promote the service matrix widely and to make it easily accessible via the GÉANT website.    

3. GÉANT management to expose any other relevant results coming from GÉANT activities at GA level to ensure they are known (and hopefully supported) by the decision makers.

    

1 RENATER, NIIF, NORDUNET/SUNET, PSNC