Attendees
- Jule Ziegler
- Marcus Hardt
- Björn Mattson
- Pål Axelsson
- Alan Buxey
- Jiri Pavlik
- Scott Cantor
- Nicole Harris
- Miro Milinovic
- Christos Kanellopoulos
- Maarten Kremers
- Heather Flanagan
- Nicolas Liampotis
V/C info
Topic: R&S 2.0 WG call
Time: Mar 16, 2021 08:00 AM Pacific Time (US and Canada), 15:00 UTC
Working Draft
Agenda
- Recap of consensus so far
  - The FAQ will be revised to clarify the term "affiliation" (see Research and Scholarship FAQ), and editorial changes will be made to the spec to make it clearer (see new draft spec for updated structure)
  - eduPersonScopedAffiliation will become a required value
  - R&S will require privacy statements
  - Encouraging the use of eduPersonAssurance requires further discussion with the Assurance Working Group
  - subject-id should be listed as the new identifier
  - R&S 1.3 and R&S 2.0 can co-exist; no migration detail will be included in the spec itself
  - ePPN and targeted ID will both be removed from R&S 2.0
  - Information on OIDC requirements will be moved to R&S 2.1 (after the OIDF OIDCre working group has formal documentation in this space)
- eduPersonAssurance and RAF (Jule Ziegler)
  - Relevant notes from 17 December call:
    - Should R&S encourage the release of eduPersonAssurance as a "SHOULD" value, in support of the REFEDS Assurance Framework?
    - A value of "no assurance" would have to be included
    - 31% Yes; 6% No; 38% "Optional is bogus; require it or leave it out"; 25% Need more info
    - Perhaps go back to this Assurance with how to indicate no value; it can't be required if it doesn't exist
    - Reason for the "No" vote: it will massively reduce the number of IdPs that can/will release R&S as defined in 2.0
    - General input is that this would be nice to have, but not a MUST-have for making decisions on their side; note that the NIH and other SPs are starting to require this information
    - Assurance does imply liability, which may also complicate matters
- Home Organization use case (Andrew Morgan and Christos Kanellopoulos)
  - This item may be moved to the next call
- Proposal to require DisplayName (Petersen)
  - This item may be moved to the next call
Notes
- eduPersonAssurance and RAF (Jule Ziegler)
  - What would need to happen for institutions that do not (yet) support eduPersonAssurance or the RAF? There are values defined in the REFEDS doc that are appropriate for campuses not able to do assurance (e.g., reassignment policies, local-enterprise). Could say that if you use one of these values, you must include it. If you don't, then that will be its own signal.
  - Are we talking about eduPersonAssurance, or about supporting everything in RAF? R&S 2.0 can leave this open-ended and leave the decision about what's required in it up to the SP. The RAF indicates there are values that can be used, but it doesn't require any particular practices.
  - Is Assurance orthogonal to Research and Scholarship? If IdPs are free not to say anything, how does it actually support use cases in R&S? Are we using this attribute as a vehicle to solve a variety of problems because we have no better or more appropriate way to do it? Perhaps say that Assurance should be a required attribute in eduGAIN's baseline and not a requirement for R&S.
  - We need more clarity on what the expected behavior is if this value is empty.
  - Getting back to the entire purpose of an entity category: a good entity category should have one purpose, not several. R&S is about releasing attributes, not about improving security profiles. If we include assurance, it introduces a second signal. We'd need to include more details that bring this all together.
  - Should eduPersonAssurance be required by R&S 2.0?
    - yes, required with no restrictions: 33% (4); yes, required with RAF value: 25% (3); not required by R&S: 25% (3); required by eduGAIN: 8% (1); need more info: 8% (1)
    - If we exclude values outside of RAF, then that's its own problem as well
    - Is the right question to ask: is this valuable to research and scholarship? If we do add it, then we need to change the definition of R&S. R&S is defined as an attribute release profile; if we introduce security requirements, then the definition of R&S changes.
  - Next steps
    - Scott Cantor will add suggested text to the draft spec so we can consider specific language around adding eduPersonAssurance