Monday 17th Oct 2016 at 13:30-14:30 (UTC), 15:30-16:30 (CEST), 8:30-9:30 (CDT).

Pål
David L
David G
Tom
Mikael

Notes

- Wireframe https://docs.google.com/document/d/15v65wJvRwTSQKViep_gGuEvxLl3UJbaOX5o9eLtsyBI/edit

- main updates after last call 3 Oct 2016:

  • added Terms and Definitions
  • added requirements on credential delivery to section 2

- Open issues/things discussed in the vc

  •  a new value to attribute quality: an IdP is authoritative for the e(P)SA values?
    • Currently guest IdPs are indistinguishable from the Home Organisation operated IdPs.
    • Will the scope in the ePSA give the same result: a decent SP should filter out an ePSA value that does not match the IdP scope in metadata. A normal guest IdP should not have Home Organisations’ scopes in their metadata
    • Add a new value "eP(S)A is self-asserted"? But any statements should be positive not negative (i.e. should be “eP(S)A is not self-asserted”)
    • Decided to park the question to see what the homeless IdP working group (https://wiki.refeds.org/display/GROUPS/IoLR) will deliver
  • Will we add also credential renewal/reissue? How far we want to go taking into account we want to stick to simplicity?
    • Added credential renewal/re-issue to the wireframe document
  • How to refer to REFEDS MFA profile in section 3? It’s definition is not so specific as Kantara and eIDAS.
    • Let’s use the REFEDS MFA to signal that multi-factor authentication has been carried out
    • Let’s also refer to REFEDS MFA for what qualifies to MFA
    • Keep also the references to Kantara and eIDAS to make it explicit they qualify, too
  • Attribute quality: do we want to limit to a subset of eP(S)A values?
    • Yes, integrate to the section “if you convey faculty, staff, employee, member, student it should be fresh.“
  • Do we want to be more specific on what ePA=faculty is supposed to mean? e.g. person has an employment contract or some other contract with the Home Organisation and in that context can speak for the Home Organisation in matters related to his role?
    • Let’s drop it, that kind of clarifications should be done in the eduPerson spec, not in the assurance profile
  • What is our approach to draft NIST 800-63-3 (IAL/AAL/FAL)
    • The developments in NIST 800-63 are going to a good direction. However, let’s still wait until 800-63-3 is approved and has shown some track record.

 

- next vc: 31 October (Daylight saving over in Europe): 13:30-14:30 (UTC), 14:30-15:30 (CET), 8:30-9:30 (CDT)

 

  • No labels