Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

13:45 CET

Arrival & "Can you hear me now?" (see Connection Details)
14:00 CET

Welcome, Introductions & Agenda Agreement

  • Open Actions.
  • Membership updates and information.
    • Status of Uganda/RIF vote
14:15 CET

Hanging Issues for Members and Participants

14:30 CETROBOT Attack (PDF) Shannon Roddy
14:45 CETRevision of the eduGAIN Policy Framework
  • SAML WebSSO Profile - Nicole Harris
  • Grace period for current eduGAIN members
  • What's left?
15:00 CET

Any other Business


Future SG Meetings

  • Conflict/Changes to 2018 meeting dates/times?
  • Next meeting @ APAN45 - Tuesday March 27th 13:30 Singapore Time

15:15 CET

Summary, Actions and Close (or we're running over time).

15:30 CET

Meeting Close

...

Attendance

Federations in Attendance (

...

22)

  1. COFRe
  2. RIF
  3. FÉR
  4. InCommon
  5. DFN
  6. SIR
  7. TAAT
  8. SAFIRE
  9. CAF
  10. RCTSaai
  11. eduID.cz
  12. SWITCHaai
  13. AAI@EduHR
  14. SWAMID
  15. eduID.lu
  16. IRANet
  17. SGAF
  18. AAF
  19. LEAF
  20. IIF
  21. Belnet Federation
  22. IDEM

Attendees (

...

29)

  1. Brook Schofield, GÉANT
  2. Casper Dreef, GÉANT
  3. Nicole Harris, GÉANT
  4. Alejando Lara, REUNA/COFRe
  5. Alex Mwotil, RENU/RIF
  6. Anass Chabli, RENATER/FÉR
  7. Ann West, InCommon
  8. Nick Roy, InCommon
  9. Shannon Roddy, InCommon
  10. Wolfgang Pempe, DFN
  11. José-Manuel Macías, RedIRIS/SIR
  12. Sten Aus, EENet / TAAT (Estonia)
  13. Guy Halse (SAFIRE/TENET)
  14. Chris Phillips, CANARIE/CAF
  15. Esmarelda Pires, RCTSaai
  16. Jiri Borik, eduID.cz
  17. Lukas Hämmerle, SWITCHaai
  18. Marina Adomeit, GN4-2
  19. Miroslav Milinovic, AAI@EduHR
  20. Pål Axelsson, SWAMID
  21. Stefan Winter, RESTENA/eduID.lu
  22. Saeed Khademi, IRANet
  23. Simon Green, SGAF
  24. Terry Smith, AAF
  25. Valentino Pocotilenco, LEAF
  26. Zivan Yoash, IUCC/IIF
  27. Pascal Panneels, Belnet Federation
  28. Barbara Monticini, IDEM
  29. Andi Malaj, Albania/RASH

Apologies (2)

  • Arnout Terpstra, SURFnet
  • Rhys Smith, UK Federation

Notes

Welcome, Introductions & Agenda Agreement

The Chair welcomed everyone to the 1st meeting of 2018. The agenda was adjusted to put the ROBOT attack presentation ahead of discussion on the Policy Framework.

Open Actions

One (1) open action was addressed.

ACTION 20170831-01: Chair to ask all “voting-only” members for the timeline for their participation and provide input to the next meeting.
   The voting only candidates were contacted with mixed responses on their progression toward eduGAIN participation. Turkey/YETKIM (no response), New Zealand/Tuakiri (don't see the benifits of fully participating at this time), Italy/GridIdP (desire to participate with a service that wants to extend to eduGAIN so there should be movement in the coming months).This action will remain open and be tabled for the next meeting with a broader scope based on "low participation" that should include meeting attendance, voting, assessment of peer federations and other suitable metrics.


Membership

Current status - New members and candidates: See https://technical.edugain.org/status and work on progressing new members is underway.

The hanging issues from members and participants was continued from the above open action.There are a range of issues on raising the bar for identity federations, some of which will be discussed later, and that a fuller discussion is needed.

The chair raised the phenomenon of 'twin Federations' with expressed of interest from 3 territories (China, Oman and Russia) that already have a federation (or application underway). It was reiterated that membership of eduGAIN is not for national identity federations but for those primarily engaged in Research and Education and that the existance of schools federation, multiple research networks, funding agencies and the like within our community could result in multiple federations from a single territory. There was no concern nor further discussion.

The use of the eduGAIN-Discuss mailing list for membership matters had none of the downsides raised at previous meetings and was regarded as a success and should continue.

ROBOT Attack

Shannon Roddy from Internet2/InCommon presented on their work on the applicability of the ROBOT Attack against the backchannel connection to Shibboleth instances. His presentation is available as a PDF.

From the presentation and discussion there were some clear themes, such as only paying attention to "brand name" vulnerabilities, the need for security contacts and incident response lines of communication setup prior to a problem, remediation of this (and other issues) and the role of eduGAIN support.

The #slack channels available for eduGAIN can be used for this and while more than 130 accounts exist on this platform it isn't universal. Federation email contacts should be approached to enquire about specific Security contacts.

Nick Roy raised the issue of this remidation only focusing on InCommon and while the total affected IdP population was small the remaining eduGAIN (and wider federation community) wasn't approached and federations should take specific measures to look at their own membership.

Lukas remarked that eduGAIN Support started contacting federations regarding other operational issues.This practice was welcomed and federation operators would me contacted or included in communication directed at specific endpoints.

Chris Phillips stated that responsible disclosure is Good™ and wheteher there were specific Guidelines from the Steering Group on this? A #slack channel for discussion on this topic was created initially with Shannon, Nick, Chris and Pål to report back at a future meeting.

Revision of the eduGAIN Policy Framework

Nicole stated that the SAML2 WebSSO profile work was still being drafted based on community input. The two remaining issues are:

  1. The ability of ADFS to adhere to the Metadata Interoperability Profile.
  2. The requirement for RegistrationInstant. The decision was to drop it as there were zero concrete reasons for its use.

Further investigation of point #1 is still required at this point in time. An update will be available at the next SG meeting.

Any Other Business

There was a request for OIDC Federation work to be presented at a future SG meeting, espcially since the last revision of the Policy Framework was to make it protocol agnostic. The Chair reminded everyone that supporting Moonshot Technology was the original driver for this but work on federated OIDC has overtaken that work. Chris noted that as a community we risk falling behind the curve if we aren't aware of the issues and progress in this space. Suggestions for presenters was made and it will be tabled in the next SG meeting to support a discussion of a roadmap for OIDC inclusion.

Future meetings

No issues with the future meeting schedule was raised.Future meetings: