REFEDS assurance working group call
Monday 25 Sep at 15:30-17:00 CEST/8:30-10:00 CDT
CERN’s Vidyo portal: https://www.nikhef.nl/grid/video/?m=rawg
Michal S and Juli Z
Nicolas L
Chris W
Pål A
Tom B
Dave L
Mikael L
Notes
- link to the Assurance Framework consultation comments: https://docs.google.com/document/d/1_30AeM1zUySTcRmfva66y2WVfKDkroEzPQg1k-vDpMY/edit
- status of Good-entropy single-factor profile (Michael, Jule)
- draft: https://docs.google.com/document/d/1HOcM2o4N7Ly9elRd5OQH2dCmfjY83WBv7ZCPgFysNmE/edit?usp=sharing
- Michael has analysed NIST 800-63B section 5: all SHALL requirements are OK and necessary
- no reference implementation profile that satisfies the SFA profile has been developed yet
- there is now an alternative proposal 2: “do what you think is appropriate and document it” (or use 63B)
- to avoid further references to other federal standards, the profile now describes the approved encryption methods explicitly
- Pål: Make sure Windows AD can satisfy the profile
- Tom: SFA needs to be widely applicable to be adopted. What is good enough for Home Organisations should be good enough for RPs.
- It is difficult to demonstrate that there is no alternative, less secure way to bypass the authentication
- Can we roll out a process that HOs would use to demonstrate SFA compliance? The process would need to be managed by federation operators
- What would be state of the art? It would change over time.
- At least the ordering of the bullets in the list needs to be changed so that 63B is the first. The first item in the list is an important hint of the expected level
- Are the three proposed alternative bullets now balanced?
- How far does the profile extend into the policy side of things? For instance, is the way password reset is done in or out of the SFA scope?
- it would be good to do an exercise configuring LDAP+Shibboleth IdP to qualify for alternative 2
- Make the local security culture part of the profile? “Secure enough” may mean different things in different countries
- In the RAF the baseline expectations for IdPs already cover “good enough for local use”; would that be enough? That appears to be too weak an approach and wouldn’t meet the expectations of the SFA
- As the conclusion, it was decided to revert to Proposal 1, which uses 800-63B section 5 as the definition of SFA, supplemented by good practices for deploying compliant LDAP/AD authentication backends.
- discussion on the relation of RAF and Authentication profiles
- 3 alternatives described in: https://lists.refeds.org/sympa/arc/assurance/2017-09/msg00008.html
- adopt approach 2, where the coffee-drink value in ePAssurance indicates the capability of a given user to be authenticated according to a given authentication profile (e.g. MFA), and the authentication context indicates the actual authentication profile used in the current login.
- the reasoning for the choice is that certain IdP products cannot populate the ePAssurance attribute on the fly based on the authentication context
- comments from e-infrastructures
- EGI (28 Aug): “local-enterprise” is vague/difficult for e-infrastructures (which typically have no “HR/financial” SPs). Decided to keep the local-enterprise value in the ID proofing component but drop it from the hierarchy of ID proofing
- address comments in the P category
- next steps
- send the resolutions to the people who provided the comments and to the REFEDS full list
- pilot: looking for volunteer IdPs and SPs (potential volunteers: at least UChicago, EGI, EUDAT, ELIXIR)
- next meeting: 9 Oct at 15:30-17:00 CEST/8:30-10:00 CDT
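Added example (not part of the meeting notes and not REFEDS or any IdP vendor's code): the relying-party side of approach 2 above. An SP that requires MFA must read the authentication context of the current login (AuthnContextClassRef), not the capability statement in ePAssurance; the code keeps the two apart so that an account that is merely MFA-capable but logged in with a password is rejected. Assumptions: eduPersonAssurance is released under its OID name urn:oid:1.3.6.1.4.1.5923.1.1.1.11, the REFEDS MFA profile URI https://refeds.org/profile/mfa is both the ePAssurance value and the AuthnContextClassRef value, and the RAF identity-proofing value is written as https://refeds.org/assurance/IAP/local-enterprise (the notes do not spell out the URI). The two assertion fragments are constructed, unsigned, and stripped of Conditions; signature and validity checks belong before this step.

```python
"""Approach 2 from the notes, seen from the relying party: eduPersonAssurance
says what the user is capable of, AuthnContextClassRef says what happened
in this login. An SP that wants MFA must check the latter, not the former."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonAssurance, as released by SAML 2.0 IdPs (urn:oid name format)
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
# REFEDS MFA profile identifier; it doubles as the AuthnContextClassRef value
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Assumed final form of the RAF value the notes call "local-enterprise"
LOCAL_ENTERPRISE = "https://refeds.org/assurance/IAP/local-enterprise"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def make_assertion(context_ref, assurance_values):
    """Build a constructed, unsigned assertion fragment for the examples below.
    Real assertions carry a Signature and Conditions; validate those before
    trusting anything this module derives from the assertion."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in assurance_values
    )
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2017-09-25T13:30:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2017-09-25T13:29:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDUPERSON_ASSURANCE}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def analyse(assertion_xml):
    """Return the capability set and the actual authentication context.

    'capable_of_mfa' comes from eduPersonAssurance (a static statement about
    the account); 'mfa_used' comes from AuthnContextClassRef (a statement
    about this session only). The two are deliberately never merged."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS
    )
    context = ref.text.strip() if ref is not None and ref.text else None

    assurance = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != EDUPERSON_ASSURANCE:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text:
                assurance.add(val.text.strip())

    return {
        "context": context,
        "assurance": assurance,
        "capable_of_mfa": REFEDS_MFA in assurance,
        "mfa_used": context == REFEDS_MFA,
    }


def mfa_satisfied(assertion_xml):
    """The check an MFA-requiring SP should enforce: only the authentication
    context counts. A missing or empty AuthnContextClassRef fails closed."""
    return analyse(assertion_xml)["mfa_used"]


# Constructed sample 1: account is MFA-capable, but this login used a password.
CAPABLE_BUT_PASSWORD = make_assertion(PASSWORD_CTX, [REFEDS_MFA, LOCAL_ENTERPRISE])
# Constructed sample 2: MFA was actually performed for this login.
MFA_PERFORMED = make_assertion(REFEDS_MFA, [REFEDS_MFA])

if __name__ == "__main__":
    for label, assertion in (("capable-but-password", CAPABLE_BUT_PASSWORD),
                             ("mfa-performed", MFA_PERFORMED)):
        r = analyse(assertion)
        print(f"{label}: capable_of_mfa={r['capable_of_mfa']} "
              f"mfa_used={r['mfa_used']} context={r['context']}")
```

The first sample is the case the notes worry about: because some IdP products cannot rewrite ePAssurance per login, its MFA value only tells the SP that the account could be stepped up, so an SP that gates on ePAssurance alone would accept a password-only session as MFA. Gating on the context, as `mfa_satisfied` does, accepts only the second sample.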