
Attendees

V/C info

Topic: R&S 2.0 WG call
Time: Jul 23, 2021 08:00 AM Pacific Time (US and Canada), 15:00 UTC

Join Zoom Meeting
https://us02web.zoom.us/j/87577374817?pwd=M1NGcDlIMjgvYnhMa2VCR2VWUnNkUT09

Meeting ID: 875 7737 4817
Passcode: 412977
One tap mobile
+12532158782,,87577374817#,,,,*412977# US (Tacoma)
+16699006833,,87577374817#,,,,*412977# US (San Jose)

Dial by your location
+1 253 215 8782 US (Tacoma)
+1 669 900 6833 US (San Jose)
+1 346 248 7799 US (Houston)
+1 929 205 6099 US (New York)
+1 301 715 8592 US (Washington DC)
+1 312 626 6799 US (Chicago)
Meeting ID: 875 7737 4817
Passcode: 412977
Find your local number: https://us02web.zoom.us/u/kgkTj73Fp

Join by Skype for Business
https://us02web.zoom.us/skype/87577374817

Pre-Reading

Working Draft

Agenda

  1. Recap of consensus so far - note that all changes will need to be validated via the consultation process
    1. The FAQ will be revised to offer clarity on the term "affiliation" (see Research and Scholarship FAQ) and editorial changes made to the spec to make it clearer (see new draft spec for updated structure)
    2. eduPersonScopedAffiliation will become a required value
    3. R&S will require privacy statements
    4. subject-id should be listed as the new identifier
    5. R&S 1.3 and R&S 2.0 can co-exist; no migration detail will be included in the spec itself.
    6. ePPN and targeted ID to both be removed from R&S 2.0
    7. Information on OIDC requirements will be moved to R&S 2.1 (after the OIDF OIDCre working group has formal documentation in this space)
    8. eduPersonAssurance will be required, RAF recommended
    9. We'll resolve the need for information on the origin organization by adding guidance on the use of eduPersonScopedAffiliation
    10. DisplayName and Given/SN are required
  2. Recap of consensus specific to the Personalized Authentication Authorization spec
    1. if schacHomeOrg is present, then it's the value to be used; if not present, eduPersonScopedAffiliation should be used.
    2. We will adopt the following from R&S 1.3: "Service Providers SHOULD limit their data requirements to the bundle of attributes defined in Section 5, but MAY negotiate for additional data as required via mechanisms that are outside the scope of this specification."
    3. The entity categories (Anonymous Authorization, Pseudonymous, and Personalized) are mutually exclusive
  3. Reviewing the draft spec
    1. Normalizing organizational attributes between R&S, Anonymous, Pseudonymous Entity Categories
      1. From the 1 July 2021 call: Only Personalized requires a third-party review (as R&S does today). The other entity categories can remain self-asserted since the risk is minimal.
      2. From the 1 July 2021 call: The specs need to be consistent as they talk about how the attributes like affiliation and entitlement should be used.
      3. From the 1 July 2021 call: The language around user identifiers for Pseudonymous and Personalized needs to be made consistent; those are the correct attributes, but the description needs to be made more clear.
    2. Clarifying entitlement
      1. From the 1 July 2021 call: It's not clear enough to say that this is the minimal bundle, but you might be able to get more.
      2. From the 1 July 2021 call: The general principle is that if you want to have a frictionless interoperable experience and to meet minimization standards, don't do anything outside this bundle. But if your business needs require more, that's up to you and your responsibility.
      3. From the 1 July 2021 call: If we're encouraging entitlement and not affiliation, then we should make sure that entitlement is in there.
      4. From the 1 July 2021 call: The authorization story should be more consistent. We should also be consistent with what we say affiliation is for.
  4. Discussion of subject-id as source for origin organization (if not resolved on the list)
    1. postponing pending coverage of Personalized Authorization and the other entity categories

Notes

  1. Recap of consensus specific to the Personalized Authorization spec - no dissension in the ranks on these
    1. if schacHomeOrg is present, then it's the value to be used; if not present, eduPersonScopedAffiliation should be used.
    2. We will adopt the following from R&S 1.3: "Service Providers SHOULD limit their data requirements to the bundle of attributes defined in Section 5, but MAY negotiate for additional data as required via mechanisms that are outside the scope of this specification."
    3. The entity categories (Anonymous Authorization, Pseudonymous, and Personalized) are mutually exclusive
  2. Review of draft spec
    1. Updated Sections 1 through 4, clarified text in section 7, and agreed to a single attribute for organization (schacHomeOrg)
    2. Next call to pick up on the question of subject-ID vs pairwiseID
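
The two consensus points recorded under item 1 above (and earlier under agenda item 2) translate directly into Service Provider logic: derive the origin organization from schacHomeOrganization when present, otherwise from the scope of eduPersonScopedAffiliation, and reject a registration that claims more than one of the three mutually exclusive categories. The following is an added illustration, not code from the working group or from any REFEDS deliverable. It assumes SAML friendly attribute names (the notes abbreviate schacHomeOrganization as "schacHomeOrg"), assumes that the scope to the right of "@" in eduPersonScopedAffiliation identifies the origin organization, and uses placeholder category URIs, since the final URIs for the three new categories are not on this page.

```python
"""Added example: SP-side handling of origin organization and of the
mutually exclusive entity categories, as agreed in the call notes above.
Not part of the working group's draft; attribute-name and URI choices are
assumptions noted inline."""
from typing import Optional

# Assumed URIs for the three mutually exclusive categories (placeholders;
# the notes name the categories but not their final URIs).
EXCLUSIVE_CATEGORIES = {
    "https://refeds.org/category/anonymous",
    "https://refeds.org/category/pseudonymous",
    "https://refeds.org/category/personalized",
}


def origin_organization(attrs: dict[str, list[str]]) -> Optional[str]:
    """Return the origin organization of the asserted subject.

    Rule from the notes: schacHomeOrganization wins when present; otherwise
    fall back to eduPersonScopedAffiliation. Assumption: the part of a scoped
    affiliation after '@' is the organization's domain. If the IdP asserts
    affiliations under several different scopes, the result is ambiguous and
    None is returned rather than guessing (a conservative design choice).
    """
    home = [v.strip() for v in attrs.get("schacHomeOrganization", []) if v.strip()]
    if home:
        return home[0].lower()

    scopes: set[str] = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        _affiliation, sep, scope = value.strip().partition("@")
        if sep and scope:          # skip unscoped or malformed values
            scopes.add(scope.lower())
    if len(scopes) == 1:
        return scopes.pop()
    return None                    # nothing usable, or conflicting scopes


def exclusive_categories_claimed(entity_categories: list[str]) -> list[str]:
    """Return the subset of an SP's entity categories that belong to the
    mutually exclusive set. A result longer than one is a registration
    error under the rule agreed in the notes."""
    return sorted(c for c in entity_categories if c in EXCLUSIVE_CATEGORIES)


if __name__ == "__main__":
    # Constructed attribute sets, not captured from any real IdP.
    with_home = {
        "schacHomeOrganization": ["example.edu"],
        "eduPersonScopedAffiliation": ["member@other.edu"],
    }
    scoped_only = {"eduPersonScopedAffiliation": ["member@Example.EDU", "staff@example.edu"]}
    print(origin_organization(with_home))    # example.edu (schacHomeOrganization wins)
    print(origin_organization(scoped_only))  # example.edu (single scope, normalized)

    claimed = exclusive_categories_claimed([
        "http://refeds.org/category/research-and-scholarship",
        "https://refeds.org/category/pseudonymous",
        "https://refeds.org/category/personalized",
    ])
    if len(claimed) > 1:
        print("registration error: mutually exclusive categories claimed:", claimed)
```

Returning None for conflicting scopes is deliberate: an SP that silently picks one of several asserted organizations would reintroduce exactly the ambiguity the single-attribute decision (schacHomeOrganization) is meant to remove.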

Definition Statement for R&S

Problem statement: the current definition of who can be tagged with R&S ("Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.") is being interpreted differently by different groups.  Requirements that are not specifically in the specification are being applied by federations, creating an uneven use of the specification.

...