12 Sep 2016 at 14-15 (UTC), 16-17 (CEST), 9-10 (CDT)
Pål A
David L
Hannah S
Jim B
Tom B
Paul C
Chris
Mikael L, notes
Notes
- Walked through sections on authentication, attribute freshness and technical and organizational security: https://docs.google.com/document/d/15v65wJvRwTSQKViep_gGuEvxLl3UJbaOX5o9eLtsyBI/edit
- good password practices?
  - entropy requirements for passwords are getting more demanding every year. Instead of fixing them in the spec we should refer to a body that specifies what is currently good enough
  - what would be the body to define the current entropy requirements? REFEDS? We can propose that.
- approach to the Authentication section
  - good enough for an organisation's internal systems
    - we need to define what they are
    - e.g. administrative systems dealing with money (), personal data (HR), student information
  - Kantara AL2: password authentication with entropy requirements
  - multifactor authentication
    - good enough for an organisation's internal systems
- freshness of ePAffiliation
  - clarify that freshness here means the latency of the IdM system in reflecting an affiliation change made in the institutional systems
  - think of complementing this with qualitative requirements (e.g. if a person qualifies as ePA=faculty there must be an employment contract or other contract in place)
- data protection
  - how to make sure Home Organisations are willing to release the eduPersonAffiliation attribute (or similar)
- proper references
  - In the LoA wireframe, refer to the proper versions of the underlying specifications
- next meeting: every 2 weeks at this time, starting on Oct 3?
  - after the meeting it was proposed to start 30 mins earlier