Date

at 15:00 CEST

Attendees

  1. Nicole Harris

  2. Christopher Walen

  3. Wolfgang Pempe

  4. Harry Williams

  5. Thijs Kinkhorst

  6. Alan Buxey

  7. Albert Wu

  8. Alex Stuart

  9. Anass Chabli

  10. Casper Dreef

  11. Chris Phillips

  12. Davide Vaghetti

  13. Hellen Nakawung

  14. Jan Oppolzer

  15. Jani Heikkinen

  16. Jean Carlo Faustino

  17. Jessica Coltrin

  18. Jon Agland

  19. Judith Bush

  20. Jule Ziegler

  21. Julie Menzies

  22. Keith Wessel

  23. Kevin Morooney

  24. Koren, Menhna (ELS-AMS)

  25. Mark Wiliams

  26. Miroslav Milinovic

  27. Pål Axelsson

  28. Raja Visvanathan

  29. Rhys Smith

  30. Sami Silen

  31. Stefan (Jisc)

  32. Terry Smith

  33. Tom Barton

  34. Zbyszek (PSNC)

  35. Brook Schofield

  36. Tomasz Wolniewicz

  37. Uros Stevanovic

  38. Klaas Wierenga

  39. John Paraskevopoulos

  40. Mario Reale

  41. Stephen Lovell

Goals

To discuss initial proposals for Baseline Expectations as laid out at Baseline Expectations Working Group.

Discussion items

Nicole welcomed everyone to the meeting and invited federations present to give an update on their current thinking regarding any sort of approach to changing the baseline expectations within their services. 

CountryPosition
UKlooking at following in the footsteps laid out by the InCommon baseline expectations.  It is about maturity.  Will look similar but haven’t worked out the details.  What should eduGAIN do?  Want to align with as much as possible.
Germanylooking at AAI+ concept.  Attribute release is a big area.  Looking at LOA / RAF.  Looking at Sirtfi and security.  Quality of federation operations.  Would this be a new level on top of the current basic and advanced?  This is different – those are seen more as levels of assurance. we connected the output of the eduGAIN validator to our nagios. ECCS-results are part of this
ah, and we're monitoring the IdP status locations (95% Shib IdPs in DFN-AAI).  https://doku.tid.dfn.de/de:aai:attributes_best_practice
Croatia

started an audit of IdPs and SPs. Looking at assurance.  Have an existing baseline but would like to know.  Important for Croatia: contacts need to be alive: this would suggest some sort of reaction test. This is definitely more of an annual audit approach rather than a set of rules. 

Brazilhttps://docs.google.com/spreadsheets/d/1L5oI4dWE2Gk4XAgGDkvEOTgBCdhJHDKOczyqe0MXZEE/edit#gid=0
AustraliaIdPs and SP selectively opt-in to eduGAIN but when they do they have to do R&S and Sirtfi.   Boost: SP quality.  300+ services so will be a long long process. 
ItalyECCS APIs used by GARR to improve operational.  Follow up by opening a ticket automatically.  Have changed the participating rules.  Have pulled in incident response directly – do a short interview with self assessment.
USjust 4 organisations that have not yet met the baseline.  Contact information has been the most difficult aspect.    Want to do more!  Requiring Sirtfi, MDUI information.  Require encrypted transport for SPs.  IdPs: R&S and MFA still being discussed.
Canadause the UK rule sets.  Supports Sirtfi.  Uptick in R&S adoption.  Technical interoperability matters: ADFS vs Shib etc

please feel free to add notes for your country / federation even if you were not at the meeting / didn't get a chance to speak at the meeting.


General Discussion

Tom: liked the work done by AAF.  Process is more important than the rules.   Pyramid diagram (which is in the slides on the wiki).

Start defining what we are trying to do with sentences.  We want the user experience to be perfect. 

Chris:  do we need to start filtering out the whole edugain feed in a different way?  Can we change the way we treat the edugain feed as a whole (i.e. not rejecting the whole feed). Break fix, functions good, functions best.

Most utility for eduGAIN for the most people. 

Tomasz:  already have stratification through entity categories so we have these groupings.  eduGAIN will be proposing new ways of showing information that are currently challenging.  Looking at being more nuanced with the warnings shown.  https://technical.edugain.org/profile_v2

Problems with moving forward

What’s in it for me for IdPs?  Not enough reason. 

Metadata handling tools are not as easy to use as they should be. 

Need to explain to people that there is an interoperability problem.  So not pissing off your users is a good thing. 

Are we ever going to make every identity provider in the world understand why? If eduGAIN raises the bar, it’s actually easier for federations to have a “reason” to explain.

What are we creating?  A baseline for entities being published into interfederation for international collaboration. 

Next steps

There is enthusiasm for moving the group forward and a mailing list should be created.  It may be beneficial to work on statements of what we are trying to achieve...perhaps around the Authority, Security, Compliance and Trust (plus User Experience?) areas that were identified at Baseline Expectations Working Group?  The InCommon "pyramid" could be useful here.

People generally like the baseline ideas created by InCommon so start there. Note that eduGAIN already has rules on all of the baseline expectations for Federation Operators so perhaps this is covered? Do we just want to focus on baseline for entities in interfederation?

Need to think about how things are being measured and by whom.

Action items