2019-11-25 Baseline Expectation Meeting

Date

25 Nov 2019 at 15:00 CEST

Attendees

1. Brook Schofield
2. Casper Dreef
3. Rhys Smith
4. Mario Reale
5. Pål Axelsson
6. Anass CHABLI
7. Ivan Kanakarakis
8. Tom Barton
9.  Alex Stuart ← current job at Jisc (Alex Stuart is the old job)
   
10. Wolfgang Pempe
11. Miroslav Milinović
12. Brett T Bieber
13. Jon Agland
14. Alan Buxey
15. Chrisopher Whalen
16. Mark Williams

Apologies

• Nicole Harris

• Chris Phillips

Goals

To discuss initial proposals for Baseline Expectations as laid out at Baseline Expectations Working Group.

Discussion items

General Discussion

1.  Baseline Expectations of Federation Operators.  eduGAIN Policy already covers all(?) of these issues.  Do we need to include this in a baseline proposal or should this be left to the existing eduGAIN policy?
   Particularly Profile v2. Will be relaunched on 9 December. Should this profile be included in this Baseline? How do we convey Baseline Expectations to users?
   Should eduGAIN be the aggregate of federation rules? Yes, it's the baseline of all interfederation. The eG Baseline level is defined and ok-ed by the Steering Group.
   
   1. eduGAIN doesn't have a specific role in the baseline space other than supporting federations.
   2. Pål contents that it is a different scale but Tom commented that it is only in support of federation operators.
   3. Compliance with the profile_v2 requirements isn't necessarily improving the metadata feed (hide-from-discovery doesn't give you a get out of gaol free card - Alan referenced that this makes sense now - but it wasn't included in the discussions when the profile was created).
   4. Many of the instances in federations that aren't well described with mdui: or logos are test/UAT instances of services.
   5. From Jon Agland UKf stats for mdui 36.2% of SPs and 36.5% of IdPs
(but not necessarily logo!) and UK federation won't export these services to eduGAIN (while InCommon will kick these services out of its federation, and thus the eduGAIN export).
2. Baseline Expectations of Service Providers. What is missing?  R&S? CoCo here or not?
   
   1. R&S - is this a MUST or SHOULD?
   2. Pål contents that R&S should be a "Best Practice" rather than a baseline as the result of which would make eduGAIN an R&S only interfederation environment.
   3. CoCo?
3. Baseline Expectations of Identity Providers.  What is missing? MFA / SFA?
   1. MFA/SFA should be a "Best Practice" and agreement on moving from username/password only authentication is almost universal - but practical implementation is expected to take some time to complete.
   2. Rhys said that "Baseline" should be focused toward interoperability and not design decisions of an IdP installation or SP requirement.
   3. Tom clarified that there is often confusion between "strong authentication" vs "signalling for MFA/SFA".
   4. Alan referenced that the need for MFA/SFA signalling in metadata is needed for discovery services so that services can exclude IdPs from the discovery interface - rather than cause a failure at run time.
   5. Developing the specification and allowing the tooling to catch up was an issue with SIRTIF adoption initially.
   6. Authentication Performed vs Identity Vetting Assurance are different and a specification on how to support this (one or other or both combined).
4. How to fit this with existing federation policy?
   1. There is a place for SIRTFI as this relates to incident response.
   2. There is a place for mdui: as this relates to discovery.
   3. Federation policy could/should include MFA/SFA and be eduGAIN "best practice"
5. Versioning vs Evolution of Baseline. (MUST vs SHOULD discussion)
   
   1. Tom Barton commented on how we approach this work over time. This is a process where the institutional knowledge comes and goes.
   2. Should profile_v3 be more restrictive again? Pål commented that we always need to make options obsolete.
   3. Miro is a supporter of the versioning of future profiles. A roadmap showing progression over time would be useful in this regard.
6. ACAMP session? Pål, Tom, Rhys, Alan, Mark will be at TechEx/ACAMP on 11th & 12th December.

Problems with moving forward

Ensuring that the focus is on interoperability between federations and doesn't drift into areas of best practice that should be the focus of federations.

Next steps

• Alan Buxeyto report back on the ACAMP topics relating to baseline at the next meeting.
   

Action items