*Attendees*
Kevin Miller, Duke U. (co-chair)
Chris Misra, U. Massachusetts
Walt Reynolds, U. Michigan
Richard Conto, Merit
Andy Rosenzweig, Merit
Rich Cropp, Penn State U.
Steve Carmody, Brown U.
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)
New *Action Items*
[AI] Group will continue to review RADIUS-SAML documents and discuss via the mailing list.
[AI] {John} will forward his thoughts on attribute security.
[AI] {John and Steve} will further discussion of RADIUS-SAML integration offline before the next working group call.
Carry-over *Action Items*
[AI] {Kevin} will initiate the documentation of additional requirements for a relay/proxy server. (24-Aug-06)
[AI] {Philippe and John} will create a summary of the path that a request makes, for the sake of troubleshooting. (24-Aug-06)
[AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06)
*Agenda*
1. NetAuth Working Group – update from Chris
2. Operations update - successful connections?
3. SAML/Shibboleth & RADIUS integration - resume from last discussion
*Discussion*
{Chris} reported an update on activity in the SALSA-NetAuth Working Group. Originally, there was enough work on FWNA topics to justify spinning off what is now the SALSA-NetAuth FWNA Working Group. While the NetAuth WG has produced several documents, its call topics have slowed, so its calls will merge with the FWNA WG calls. The next SALSA-NetAuth WG call will likely be cancelled, and the two working groups will join two weeks from today, at the normal FWNA WG call time. A combined agenda will be sent to both mailing lists, but with a single call time and bridge information. [AI] {Chris} will send out an announcement of the merging of the NetAuth and FWNA WGs conference call time.
{Steve C.} explained the diagram in his draft profile of RADIUS-SAML integration, which benefited from additional insight from {Scott Cantor}. He outlined some of the changes listed in each section of the document, focusing on the specific steps within the diagram. Read the details of {Steve C.'s} first draft of a proposed RADIUS-SAML integration at: <http://stc.cis.brown.edu/~stc/Projects/Projects-using-Shib/eduRoam/Radius-SAML-Profile-v1.html>. [AI] Group will continue to review RADIUS-SAML documents and discuss via the mailing list.
The RADIUS-SAML discussion raised several questions that will fill in missing elements of the document:
- How, in Step 6, does the Attribute Authority know not to act as a proxy?
- What happens if a false response points to an alternative authority?
- What will be the timing of the transaction to the Attribute Authority? For each step in the diagram? If the answer is 'very fast', how can it be more explicitly detailed?
- Will credentials in strange networks (e.g., using Brown credentials in India, etc.) pose any problems?
- What would a static outline of the trust relationships look like?
{Richard} pointed out that if R1 has to validate AA, it could easily introduce delays. {Steve C.} thinks the Shibboleth metadata can be extended to talk to federations. An understanding of the current Shibboleth operation is key to understanding the relation of the RADIUS profile to SAML. [AI] {John} will forward his thoughts on attribute security. [AI] {John and Steve C.} will further discussion of RADIUS-SAML integration offline before the next working group call.
The next SALSA-NetAuth - FWNA WG call will be held on Thursday, November 2 at 11am EST.