SALSA-NetAuth - FWNA conference call
August 24, 2006

*Attendees*
Kevin Miller, Duke U. (co-chair)
Chris Misra, U. Massachusetts
Philippe Hanset, U. Tennessee
Mike Coffey, U. Tennessee
Steve Carmody, Brown U.
Mark Poepping, CMU
Rich Cropp, Penn State U.
Steve Olshansky, Internet2
Jessica Bibbee, Internet2 (scribe)

New *Action Items*
[AI] Group should contact {Chris} with proposals for FWNA-related sessions to be held at the upcoming Internet2 Member Meeting.
[AI] Group will review and add to {Mark's} page in the wiki regarding the general problem statement of the FWNA Working Group, or start a thread in the mailing list.
[AI] {Kevin} will initiate the documentation of additional requirements for a relay/proxy server.
[AI] {Philippe and Mike} will create a summary of the path that a request makes, for the sake of troubleshooting.

Carry-over *Action Items*
[AI] Group will gather approaches for solving incident response aspects of guest access at various institutions, and will submit information to {Chris}. (12-Jul-06)
[AI] {Kevin} will talk to {Mark} about continuing discussion on 802.1x implementation. (15-Jun-06)
[AI] {Kevin} will connect the local RADIUS administration folks at Duke to the FWNA-Ops list. (23-Feb-06)

Future *Agenda Topics*
+ Group will continue discussion on certificate management. (15-Jun-06)
+ Group will discuss attributes and experimentation around a contact # attribute. (20-Apr-06)
+ Group will think of local site requirements for security, logging, and access to utilization of information in the context of Eduroam, where non-local users are involved. (3-Nov-05)

*Agenda*
1. Discussing the short, medium and long term goals/project plan
2. Upcoming Events – Fall 2006 Internet2 Member Meeting – Call for Session Proposals

*Discussion*
Planning for the Fall Internet2 Member Meeting in Chicago, December 4-7 is underway, with a Call for Participation link at: <http://events.internet2.edu/2006/fall-mm/calls.cfm>. There will be another SALSA-NetAuth / FWNA BoF at 7:30am, Tuesday morning.  Are there other topics of interest for submitting in the FWNA context? There is currently one session proposal for the 802.1x aspect of FWNA, and {Rich} has agreed to share Penn State's use case. It is desired to have one more campus willing to discuss what they are doing in this space. [AI] Group should contact {Chris} with proposals for FWNA-related sessions to be held at the upcoming Internet2 Member Meeting.

The Group reviewed {Mark Linton's} recent wiki page, which addresses the future direction of FWNA Working Group efforts: <https://wiki.internet2.edu/confluence/display/FWNAWG/Problem+statement+to+address+moving+forward+with+FWNA>. There was a suggestion to make this problem statement more general, so as not to exclude items beyond a visiting scholar. [AI] Group will review and add to {Mark's} page in the wiki regarding the general problem statement of the FWNA Working Group, or start a thread in the mailing list.

There are privacy concerns surrounding requirements for the inner and outer tunnels to have the same identity. {Chris} suggested scoping the ID to the domain of the home institution. Using LDAP, it may be possible to have the real name act as a sort of handle. If an ID is opaque and persistent, the visited site would be able to block that person and then follow up at their home site. This avoids blocking an entire realm, as would be the case if you needed to block an anonymous user.

{Kevin} explored additional requirements that might exist, e.g., on storing a handle or the logs associated with that handle. While it is clearer what requirements might exist around the home or visited institution, it is not clear which requirements, if any, have been established for the proxy server. {Philippe} has already done some work on top-level server aspects, and this could be continued to identify data that is or is not desired, which is policy constrained, and which is particularly useful. For example, does opaque data passing from the home institution need to be recorded? There should be adequate logs in case the relay server errors in passing data. These requirements may suggest a different model than what Europe is working from. An additional item to consider is how or when to restrict/prevent information from being passed. {Philippe} suggested making a list of maximum criteria today and comparing it to a wish list. [AI] {Kevin} will initiate the documentation of additional requirements for a relay/proxy server.

While instantaneous logging is visible, it is the historical logging that will be useful should it be needed. Which data is wanted or expected at each point in the process? [AI] {Philippe and Mike} will create a summary of the path that a request makes, for the sake of troubleshooting.
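As an added illustration (not from the minutes, and not anything the working group built), the following Python sketch models the two ideas raised above: the path a request takes through the visited site, the relay/proxy, and the home institution, with a log line recorded at each hop for later troubleshooting; and an opaque, persistent handle returned by the home site so the visited site can block one person without blocking the whole realm. The realm name, user list, per-realm secret and the HMAC-based handle derivation are all constructed assumptions for this example; the relay logs only the outer identity and request id, never the inner identity.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed per-realm secrets (hypothetical): each home institution would hold its own.
HOME_HANDLE_SECRETS = {
    "home.example.edu": b"constructed-secret-for-home.example.edu",
}

# Constructed home-institution directory: realm -> {inner identity: password}
HOME_USERS = {
    "home.example.edu": {"alice": "alice-pw", "bob": "bob-pw"},
}


def opaque_handle(realm, inner_identity):
    """Opaque, persistent handle: an HMAC over the inner identity keyed by the realm's secret.
    The visited site cannot recover the real name, but sees the same handle every session,
    so it can block the handle and follow up with the home site."""
    secret = HOME_HANDLE_SECRETS[realm]
    mac = hmac.new(secret, inner_identity.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{mac}@{realm}"


@dataclass
class Request:
    outer_identity: str    # e.g. "anonymous@home.example.edu", visible at every hop
    inner_identity: str    # e.g. "alice", meant to be seen only by the home server
    password: str
    request_id: str
    hops: list = field(default_factory=list)   # per-hop trail for troubleshooting


def log_hop(req, hop, detail):
    # Only the outer identity and request id are logged; the inner identity never is.
    req.hops.append(f"{hop}: request_id={req.request_id} outer={req.outer_identity} {detail}")


def realm_of(identity):
    return identity.rsplit("@", 1)[1]


def home_server(req):
    """Home institution: authenticates the inner identity and returns the opaque handle."""
    realm = realm_of(req.outer_identity)
    users = HOME_USERS.get(realm, {})
    if users.get(req.inner_identity) != req.password:
        log_hop(req, "home", "Access-Reject")
        return {"result": "reject"}
    handle = opaque_handle(realm, req.inner_identity)
    log_hop(req, "home", f"Access-Accept handle={handle}")
    return {"result": "accept", "handle": handle}


def relay_server(req):
    """Top-level relay/proxy: routes on the realm alone and records the forwarding decision."""
    realm = realm_of(req.outer_identity)
    if realm not in HOME_USERS:
        log_hop(req, "relay", f"unknown realm {realm}, dropped")
        return {"result": "reject"}
    log_hop(req, "relay", f"forward to home server for {realm}")
    resp = home_server(req)
    log_hop(req, "relay", f"return {resp['result']}")
    return resp


class VisitedSite:
    """Visited institution's RADIUS server, with a local blocklist keyed on opaque handles."""

    def __init__(self):
        self.blocked_handles = set()

    def authenticate(self, req):
        log_hop(req, "visited", "received from NAS, forward to relay")
        resp = relay_server(req)
        if resp["result"] != "accept":
            log_hop(req, "visited", "Access-Reject")
            return "reject"
        if resp["handle"] in self.blocked_handles:
            log_hop(req, "visited", f"handle {resp['handle']} is blocked locally")
            return "blocked"
        log_hop(req, "visited", "Access-Accept")
        return "accept"


def run_session(site, inner_identity, password, request_id, realm="home.example.edu"):
    """Run one authentication through the full path; returns (result, request with hop trail)."""
    req = Request(outer_identity=f"anonymous@{realm}", inner_identity=inner_identity,
                  password=password, request_id=request_id)
    return site.authenticate(req), req


if __name__ == "__main__":
    site = VisitedSite()
    result, req = run_session(site, "alice", "alice-pw", "req-1")
    print(result)
    print("\n".join(req.hops))
```

Run as a script it prints the hop-by-hop trail for one session; the point to notice is that the relay and visited lines carry only the request id and the anonymous outer identity, while the handle in the home server's accept is what the visited site would add to its blocklist.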

{Chris} raised the last item of discussion, regarding guest access and roles, and how FWNA addresses this as it pertains to campuses' current guest access issues. Where do campuses see the benefits of FWNA in the immediate term? Is there an extension of what FWNA is doing within the middleware Identity Management space? {Steve C} commented that guest access fits into the upper middleware, though it is not at the application level. Not all guests are alike; this is an issue that needs to be explored and possible differentiations specified, based on which kinds of guests exist. {Kevin} suggested that there may be value in focusing on presentations, as opposed to mainly documentation, in an effort to gain momentum through community support.

The next SALSA-NetAuth - FWNA WG call will be held on Thursday, September 7 at 11am EDT.