Attendees

Pre-reading


WG Consensus

  • The Anonymous Authorization, Pseudonymous Authorization, and Personalized Access Entity Categories shall be harmonized based on the decisions made around Personalized Access.
  • Authorization guidance shall be split out into a separate, descriptive paper and not be part of any of the entity categories.

Agenda

  • Verify WG Consensus items
  • Review proposed changes to Anonymous and Pseudonymous ECs (Pål's action item from last call)
  • Review initial draft for authorization (Scott C's action item from last call) - Federated Authorization Best Practices

Notes

  • Verified WG Consensus items
    • The Anonymous Authorization, Pseudonymous Authorization, and Personalized Access Entity Categories shall be harmonized based on the decisions made around Personalized Access.
    • Authorization guidance shall be split out into a separate, descriptive paper and not be part of any of the entity categories.
    • (Added) The names should be "Access Entity Category" not "Authorization Entity Category" - 10 January 2022
    • (Added) We will not include assurance requirements to the Anonymous Access Entity Category - 10 January 2022
  • Review proposed changes to Anonymous and Pseudonymous ECs (Pål's action item from last call) - 10 January 2022
    • Description of the markup from Pål: 

      Reading guidance from copying style from personalized:

      - Black text: Not changed at all.

      - Blue text: Copied from personalized. Some non-relevant text may be deleted.

      - Yellow overstrike: Changed text or proposed change.

      - Red overstrike: Proposed to be deleted.

    • Should we include assurance info in all entity categories? Attribute assurance is different than identity assurance; attribute-level assurance isn't really a thing outside of personally identifiable details. That makes assurance not useful for anonymous directly, but it may be useful in terms of encouraging overarching best practices for using assurance across the board. Poll states that we should not include assurance in Anonymous.
    • Do we include the requirement for registration and demonstration of need in Anonymous? Realistically speaking, the federation operators cannot review every request. Also, should this kind of checking be part of joining a federation, and not part of the EC? That doesn't cover the fact that different SPs will have different levels, and that existing SPs may change what they need. This is a way to harmonize between federations as well as within a federation. Will leave the text in as it stands.
  • Review initial draft for authorization (Scott C's action item from previous call) - Federated Authorization Best Practices
    • Does this document need to address all the authorization patterns, or just the ones involving eduPersonEntitlement?
    • Scott has a few more edits to make; after that's done, we will share this more broadly (to the R&S list) for feedback