Organisational (Pal and Mario)
Daniela is leaving, Pal and Mario are taking over. Pal: Policy, Mario: Development
A VC schedule is needed, as well as a definition of what the contribution is.
Might update the content of the (sub)task --> reconfigure the task.
Talk with Pal and Mario; aiming to start in January.
Action: All to let Pal and Mario know their main interests - it is possible to change focus from the previously assigned one.
In detail
Pal: Policy
Main milestone due: the GDPR white paper is late, as the law becomes official late.
On SIRTFI, policy work is at REFEDS, contribute there. On workflows for coordination, work together with T2 Lukas, especially with Thomas (T1 policy/security and T2 performance)
Mario: Technical
Knows IdP as a Service as subtask leader, but needs input on statistics and on the Sirtfi technical aspects.
eduGAIN Policy (Nicole+Pal)
Update eduGAIN Policy Set (Nicole)
Using OpenID Connect -> adapt policies and eduGAIN constitution
Got comments on the new version of the constitution. Consultation ends on Friday -> clean-up -> vote (2/3)
Clean up SAML Technology Profile (one document instead of 4)
-> want to do: eduGAIN SAML Requirements --> eduGAIN SG meeting
BCP including Sirtfi
SAML2int Profile: track update from Kantara
New: eduGAIN Operational Practice Statement and eduGAIN Metadata Aggregation Practice Statement
Review text of GDPR (Pal)
Problem of V1: consent was handled differently in different countries
New in V2: penalties
Federation operators need to review the new GDPR
eduGAIN needs to review it as well, some federations cannot review it themselves -> GÉANT can offer help
CoCo V2: a workshop was proposed, with an open workspace wider than GÉANT
International CoCo: on hold, first CoCo V2
Sirtfi (Pal and Lukas)
AARC and REFEDS: Deliverables
Sirtfi: AARC is making requirements for how to react to incidents; REFEDS will review and adapt them at federation level. eduGAIN needs to consider the inter-federation level.
Use case: ORCID
First or second major incident discussed
One or two IdPs were publishing duplicated IDs
-> demonstrated people's attention to what worked and what didn't; scope for coordinating efforts
In eduGAIN
Incident response: T1 Sirtfi + T2 Performance
eduGAIN should be active? different views on that
problems:
- poor information and overreaction
- timezone
- closed space with federation operators, ORCID missing -> information mismatch
- TLP
- timely? response time
- not all entities might be in Sirtfi, what with the others?
- CERTs are not always at the federation (or there are none at all) - but other bodies can respond within the process.
- eduGAIN as service -> AH update - not the preferred mechanism. Better to aggregate and fund centrally. Some consideration that a charged service may be possible for things which exceed basic SIRTFI reqs.
Should be careful how we do it, eduGAIN does not check metadata, contact information etc. currently. This will need to change.
What should eduGAIN demand from federations and vice versa? Work with REFEDS to coordinate federation and central level response.
If we load too much onto that central function it will increase the central operational costs and the business case of this has to be considered from a cost / benefit perspective. As SIRTFI benefits campuses and SPs, it is considered this case can be made. Similar with performance.
AH/MA note - budget to extend the eduGAIN OT to support communication is ring fenced already.
Monitoring and Statistics (Miro)
f-ticks (the log format): REFEDS is taking it as an I-D to the IETF --> comments wanted!
Probably especially relevant for IdPs
Pal: problems with f-ticks when Shib V3 came: 2 different versions with data sets of f-ticks went into the syslog server
Practice needed -> fed ops!
centralized f-ticks service
Federations want own statistics - how?
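As an added illustration (not code from the meeting or from any eduGAIN service) of what a centralised f-ticks service has to cope with: the parser below reads f-ticks lines out of syslog, tolerates the mixed format versions mentioned above, and rolls successful logins up per IdP and per home federation so each federation can get its own statistics. The line layout (`F-TICKS/<federation>/<version>#KEY=VALUE#...#` with TS, RP, AP, PN and RESULT keys), the syslog prefix, the log lines and the IdP-to-federation table are all constructed assumptions for the example; the PN (hashed principal name) field is deliberately never aggregated.

```python
"""Parse F-Ticks lines from a syslog stream and aggregate login counts.

Added example; the line layout, sample log and federation table below are
constructed assumptions, not taken from the eduGAIN f-ticks service.
"""
import re
from collections import Counter

# Constructed sample: a syslog prefix, then the F-TICKS record.  The third
# line uses a newer format version with an extra AM (authn method) key, the
# fourth line is unrelated noise, the fifth reports a failed login.
SAMPLE_LOG = """\
Dec  1 10:00:01 idp1 shibd: F-TICKS/eduGAIN/1.0#TS=1480586401#RP=https://sp.example.org/shibboleth#AP=https://idp.example-a.org/idp#PN=0a1b2c#RESULT=OK#
Dec  1 10:00:05 idp2 shibd: F-TICKS/eduGAIN/1.0#TS=1480586405#RP=https://sp.example.org/shibboleth#AP=https://idp.example-b.org/idp#PN=3d4e5f#RESULT=OK#
Dec  1 10:00:09 idp1 shibd: F-TICKS/eduGAIN/2.0#TS=1480586409#RP=https://other.example.net/sp#AP=https://idp.example-a.org/idp#PN=6a7b8c#AM=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport#RESULT=OK#
Dec  1 10:00:12 idp3 shibd: some unrelated log line
Dec  1 10:00:15 idp2 shibd: F-TICKS/eduGAIN/1.0#TS=1480586415#RP=https://sp.example.org/shibboleth#AP=https://idp.example-b.org/idp#PN=9d0e1f#RESULT=FAIL#
"""

# Constructed mapping from IdP entityID to its home federation (assumption:
# in practice this would be derived from per-federation metadata feeds).
IDP_FEDERATION = {
    "https://idp.example-a.org/idp": "FEDA",
    "https://idp.example-b.org/idp": "FEDB",
}

# Version-agnostic: only the F-TICKS prefix and the '#'-separated body matter.
FTICKS_RE = re.compile(r"F-TICKS/(?P<fed>[^/#]+)/(?P<ver>[^#]+)#(?P<body>.*)$")


def parse_fticks(line):
    """Return a dict of KEY -> VALUE for an f-ticks line, or None if the
    line carries no F-TICKS record.  Unknown keys are kept, so a newer
    format version with extra fields still parses."""
    m = FTICKS_RE.search(line)
    if m is None:
        return None
    record = {"_label": m.group("fed"), "_version": m.group("ver")}
    for field in m.group("body").split("#"):
        if not field:
            continue  # trailing '#' produces an empty field
        key, sep, value = field.partition("=")
        if not sep:
            continue  # malformed field, ignore rather than abort the line
        record[key] = value
    return record


def aggregate(log_text, idp_federation):
    """Count successful logins per IdP and per home federation.

    Failed logins and non-f-ticks lines are counted separately so the
    operator can see how much of the stream was usable.  PN is never read."""
    per_idp = Counter()
    per_federation = Counter()
    failures = skipped = 0
    for line in log_text.splitlines():
        record = parse_fticks(line)
        if record is None:
            skipped += 1
            continue
        if record.get("RESULT") != "OK":
            failures += 1
            continue
        idp = record.get("AP", "")
        per_idp[idp] += 1
        per_federation[idp_federation.get(idp, "unknown")] += 1
    return {
        "per_idp": dict(per_idp),
        "per_federation": dict(per_federation),
        "failures": failures,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in aggregate(SAMPLE_LOG, IDP_FEDERATION).items():
        print(key, value)
```

Each federation's own view is the `per_federation` slice filtered to its label; because the aggregation key is the asserting IdP rather than the syslog host, IdPs that log through a shared collector are still attributed correctly.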
Attribute Release & other eduGAIN tools (Lukas)
Tools: eduGAIN CoCo Monitor Service, Access Check Service, Connectivity Check Service, Attribute Release Check Service, ?? Service
How to deploy tools?
- well documented? repository?
In the eduGAIN DNS domain with certificates -> official channels, but what is suitable? Decided by PLM.
Then the operations team looks at it and decides whether further checks/improvements (e.g. security) are needed
What next?
- Sirtfi tests of timely response from the provided contacts - similar to eduroam. Is in use for Trusted Introducer and can be applied.
- IPv4/IPv6 support
- log https (noClientAuthN) check
- IdP name collision detector
- https checks?
- certificate expiry warning
- SSLLabs grade
Not all of these have equal priority - this needs to be determined.
Focus on those which are in eduGAIN BCP and support finding and fixing issues and maintaining current information.
Question to consider: what happens with federations that are repeatedly informed of issues within their federation and do not demonstrate engagement?