REFEDS Assurance wg call
Monday 22 January 2018 at 15:30 CET/8:30 CST
CERN’s Vidyo portal:

Michael and Jule



  • Memorized Secrets minimum requirements specification
    • describe better that the controls are to mitigate the risks
    • “highly recommended” is difficult text in a normative document.
    • explain “mitigation” and “fully mitigation”
    • can key derivation function be dropped as a requirement?
    • emphasise that the minimum requirements are not a best practice. They are just the minimum. The same applies to recipes
  • recipes
    • recipes are sufficient but not necessary for compliance. They are normative statements that you implement and you know you are compliant with the minimum requirements, but there can be also other compliant ways
    • the known password risk could be addressed e.g. by pwdCheckModule
    • It would be useful to collect the mitigation approaches that people have come with. Provide a place in REFEDS wiki? That will require some moderation work, too? Could REFEDS assurance list help?
    • “very strong rate limiting” – what is very strong?
  • RAF pilot
    • volunteer IdPs: Chicago university, Aalto university, CSC staff IdP
    • volunteer SPs: ELIXIR research infrastructure, BBMRI research infrastructure, EGI Check-in
    • Mikael will make a doodle poll for the pilot vc
    • goal to finish and deliver results at REFEDS meeting in June
  • next call
    • before the next meeting, clean the SFA document family for internal review
    • Mikael to make doodle poll for next call


  • No labels