23rd March 2021 12:00 UTC / 13:00 Amsterdam

Agenda:
11:45 UTC  Arrival & "Can you hear me now?" (see Connection Details)
12:00 UTC  Welcome, Introductions & Agenda Agreement (Terry Smith, AAF, Chair)
12:10 UTC  Membership Updates and Joining (Casper Dreef, Secretariat)
12:15 UTC  Team Updates (Davide Vaghetti, IDEM, Service owner)
12:30 UTC  Team updates: Security team (Security Team)
13:00 UTC  Re-imaging eduGAIN (Nicole Harris, GÉANT)
13:25 UTC  Future SG meetings, Any other business, Summary and Actions
13:30 UTC  Meeting Close
Connection Details:
Meeting ID: 659 3425 9919
Join Zoom Meeting (Zoom client): https://geant.zoom.us/j/65934259919
One tap mobile:
+442034815237,,65934259919#,,1#,108532# United Kingdom
+442034815240,,65934259919#,,1#,108532# United Kingdom
Find your local number: https://geant.zoom.us/u/cdf6Rmjelt
Join by SIP:
114216575@109.105.112.236
114216575@109.105.112.235
Join by H.323:
109.105.112.236
109.105.112.235
Action: eduGAIN Secretariat to write a proposal for a yearly audit process for eduGAIN federation details: https://docs.google.com/document/d/1G691ohEBW27GlnBN55iO7DdqxOpoqsz2xJArijmn9QQ/edit?usp=sharing
Status: The eduGAIN Secretariat has created a proposal that will be made available for consultation. Casper will share this with the eduGAIN SG mailing list and seek further input and consultation on the proposal. Action remains open.
KRENA/Kyrgyzstan update:
The issues with the KRENA federation were resolved with help from the GÉANT Partner Relations team. This shows that the suspension process is working as intended.
Bangladesh/TIGERfed update:
We’ve had very little feedback from the community so do not feel that it is possible to move forward with voting at this stage. All eduGAIN SG members are encouraged to review the documentation. We’d appreciate feedback even if this is just a quick “documentation all looks good”.
We are expecting new applications from the following federations over the next few months:
Operation team:
The certificate for the production metadata feed for eduGAIN will need updating. A recommendation has been received from the community not to change the metadata URL as part of this change. The OT is happy to accept this proposal.
A key signing ceremony, including loading the private key into an HSM, will be undertaken by the OT. There is no perceived threat to service delivery: the process has been fully tested previously and the process and technology work as the specification intends.
Question: will the fingerprint change? Yes, the fingerprint of the certificate will be different. The signature on the metadata will remain the same.
Question: why is the OT using a short validity period for the certificate?
Newly signed metadata will be made available on 29th March 2021. The timing of this work needs to take time zones into account, and new federations must be made fully aware of the process.
Chris Phillips suggested also sending the information to the security contacts list. Tomasz W does not think there are any specific security implications for this process, however Chris felt this was still an operational change that might be valid for the security contacts to know.
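An added example, not from the minutes and not the OT's own tooling: a Go check that a federation operator consuming the feed can run when the signing certificate is replaced, to see what actually changes. It computes the SHA-256 fingerprint of the old and new certificate, compares their SubjectPublicKeyInfo, and re-verifies an existing RSA-SHA256 signature (the primitive behind the rsa-sha256 XML Signature algorithm; XML canonicalisation is left out) against the key in the new certificate. If the re-issued certificate wraps the same key, which is how "the signature on the metadata will remain the same" above reads, the fingerprint changes but the old signature still verifies; if a fresh key was generated, pinned keys must be updated and metadata re-signed. The keys, certificates and metadata blob are constructed inline, and the certificate subject name is a placeholder.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// RolloverCheck is what a consumer of the feed wants to know before the new certificate goes live.
type RolloverCheck struct {
	FingerprintChanged        bool // SHA-256 over the certificate DER differs (expected for any re-issue)
	KeyChanged                bool // SubjectPublicKeyInfo differs: pinned keys must be updated
	OldSigVerifiesWithNewCert bool // a signature made under the old cert still validates with the new cert's key
}

// Fingerprint returns the lowercase hex SHA-256 fingerprint of the certificate's DER bytes.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SameKey compares the SubjectPublicKeyInfo encodings, not the whole certificate.
func SameKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// SignMetadata signs the given bytes with RSASSA-PKCS1-v1_5 over SHA-256.
func SignMetadata(key *rsa.PrivateKey, metadata []byte) []byte {
	digest := sha256.Sum256(metadata)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyWithCert validates the signature using whatever public key the certificate carries.
func VerifyWithCert(cert *x509.Certificate, metadata, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(metadata)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// CheckRollover compares outgoing and incoming certificates and re-checks an existing signature.
func CheckRollover(oldCert, newCert *x509.Certificate, metadata, sig []byte) RolloverCheck {
	return RolloverCheck{
		FingerprintChanged:        Fingerprint(oldCert) != Fingerprint(newCert),
		KeyChanged:                !SameKey(oldCert, newCert),
		OldSigVerifiesWithNewCert: VerifyWithCert(newCert, metadata, sig),
	}
}

// selfSigned issues a throwaway self-signed certificate for key (constructed for this demo only).
func selfSigned(key *rsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // a new serial alone is enough to change the fingerprint
		Subject:      pkix.Name{CommonName: "metadata-signer.example (placeholder)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RunScenario signs a constructed metadata blob under an old certificate, then re-issues the
// certificate with the same key (reuseKey=true) or a fresh key, and reports the three checks.
func RunScenario(reuseKey bool) RolloverCheck {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	oldCert := selfSigned(oldKey, 1)
	metadata := []byte(`<EntitiesDescriptor Name="constructed-sample-feed">sample</EntitiesDescriptor>`)
	sig := SignMetadata(oldKey, metadata)

	newKey := oldKey
	if !reuseKey {
		if newKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			panic(err)
		}
	}
	return CheckRollover(oldCert, selfSigned(newKey, 2), metadata, sig)
}

func main() {
	fmt.Printf("same key, new certificate: %+v\n", RunScenario(true))
	fmt.Printf("new key, new certificate:  %+v\n", RunScenario(false))
}
```

Against a real feed, replace the constructed certificates with the DER of the currently pinned certificate and the one announced for 29th March, and the blob and signature with the current signed aggregate: KeyChanged=false with OldSigVerifiesWithNewCert=true is the "fingerprint changes, signature stays valid" case; KeyChanged=true means every consumer that pins the key, not just the certificate, has to update.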
Support team:
No notable updates - support tickets are very low.
F-ticks:
7 federations are now providing data for the F-ticks pilot and all is working as expected. Turkey was the most recent to join. More participating federations would be very much appreciated.
The team talked to the GÉANT GDPR officer for advice on the use of this data and on the grounds for sharing it.
AAF is looking at a project to collect F-ticks within AAF.
The eduGAIN Security Working Group has had several planning meetings and the information is available on the wiki: https://wiki.geant.org/display/eduGAIN/eduGAIN+Security+Working+Group+Charter+-+eSWG. One of the current priorities is defining a base mandate for the team, which is standard practice for incident response teams (RFC 2350).
The eduGAIN Security Incident Response Handbook has been shared with the SG for comment, but no feedback has been received. Comments are welcome at: Security Incident Response Handbook Feedback.
Nicole Harris presented initial thoughts on a new eduGAIN model (for slides, see agenda). The biggest change would not require a change to the technical infrastructure but to how eduGAIN is used: defining different categories and asking both IdPs and SPs to support them. Broadly speaking, eduGAIN would support three category types: Anonymous/Pseudonymous access, Affiliation access and R&S access.
It was recognised that this will require a massive amount of work, but once a new model is in place it will be much easier for federation operators to provide support for their entities.
Terry Smith (AAF) and Ann West (InCommon) would welcome a new approach that creates consistency; bringing some order would be very valuable for federation operators.
Chris Phillips (CAF) noted that multi-protocol support with OIDC is missing from these initial thoughts. Nicole pointed to the results of the REFEDS survey and said that for many federation operators the demand for supporting OIDC is rapidly declining. Davide Vaghetti noted that a solution to this could lie in the use of proxy technologies.
Tomasz Wolniewicz (PIONIER.Id) asked whether there is a threat to the accessibility and usage of the service for the entities, and how the proposed changes would be communicated to them. Nicole replied that the message will be clearer than it is today. For SPs there will be the benefit of getting the information on what they should support from eduGAIN instead of having to work it out themselves. Providing detailed information to entities would also make it easier to adopt the changes.
Implementing such changes would require a new membership agreement and updated policies.
Any Other Business:
CoCov2: to be treated as best practice guidelines. It is still GDPR compliant, only not formally ratified.
Future SG meetings 2021:
23 March 12:00 UTC
15 June 07:00 UTC
14 September 16:30 UTC
14 December 12:00 UTC