SALSA NetAuth Conference Call February 17, 2005

*Action Items*
New
[AI] {SteveO} will post I2 document standard links to the WG’s website.

Carry Over
[AI] {Chris} will post changes to Strategies document to the list.
[AI] {Kevin} will incorporate WG comments into the next draft of the Futures document and submit it to group.
[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions currently being used.
[AI] {Mike} will provide a brief summary of ESnet collaborative trust domain commonalities.
[AI] {Individuals} will send proposed topics for the Spring I2 member meeting to the group via the list, in response to the call for proposals.
[AI] {Individuals} will send in case studies for potential use in the Strategies document.
[AI] {Group} will review slides posted for EDUCAUSE regional group meeting.
[AI] {Group} will review information to be used as the appendix for the Strategies document.
[AI] {Chris} will find editors to help with the appendix of the Strategies document.
[AI] {Chris and Mark} will develop the NetAuth approach to NAT devices as a discussion topic for submission to the Effective Practices WG.
[AI] {Group} will send suggestions via the list for use cases augmenting the Strategies document.
[AI] {SteveO} will submit the Strategies document to the Internet2 document library once it is considered draft three.

*Participants*
Chris Misra, U. Massachusetts (chair)
Jon Moore, University of Pennsylvania
Kevin Miller, Duke University
Eric Gauthier, Boston University
Ken Klingenstein, Internet2
Rich Cropp, Penn State University
Kevin Amorin, Harvard University
Robert Lowe, Lawrence University
Mark Poepping, Carnegie Mellon University
Terrie Clark, Internet2 (scribe)
Steve Olshansky, Internet2

*Discussion*

In considering possible NetAuth solution(s) for a federated environment, it was noted that NetAuth approaches at individual institutions currently address primarily solutions deployed in stand-alone environments with local users. Some institutions express reluctance about accepting credentials from other institutions, although the increasingly collaborative nature of the R&E community makes this a difficult position to maintain. It is possible to authenticate users at their home security domains and authorize access to content, services, etc. elsewhere through the secure passing of credentials (e.g. using SAML/Shibboleth). The federal government has developed a program granting states access to grant information by providing user names and passwords to individuals who want to access the information. While this solution does not take advantage of newer and more efficient (e.g. federated) access, it was widely accepted by most states.

The area of federation using attribute-based credentials is converging at this time. Shibboleth, the Liberty Alliance and Microsoft provide solutions to the issue that appear to be converging. By and large the major players seem to have acknowledged that eventually the focus will move from creating federation software to creating actual federations. Internet2’s InQueue federation currently has more than one hundred universities as participants, and the Internet2-operated InCommon Federation provides a unified policy framework to universities that may catalyze changes in local ID issuance and management.

Shibboleth has been tested in the federal E-Authentication lab. For more information please see http://www.cio.gov/eauthentication/. While progress in the area is positive, challenges remain in providing a common framework for acceptance of credentials by the federal government. The E-Authentication web site provides a list of requirements (including but not limited to password reset, photo IDs, tokens and smart cards) to assist organizations in providing adequate ‘security’ measures for federal acceptance of the organization’s credentials. Some universities view this as an opportunity to modify and subsequently improve security practices. The policy efforts in the area should begin soon. Internationally, several countries have begun building federations.

The NetAuth WG may have the opportunity to present WG related topics as part of a track session at the Spring I2 Member Meeting. Suggestions for topics should be sent to the group via the list. Additionally, a BoF for the WG is under consideration for Tuesday morning during the Member Meeting.

The FWNA BoF at the Joint Techs meeting was well attended. Multiple topics were discussed including separate policy issues for authorization and authentication and identity location services.

The Futures document will be updated to provide more detail in the requirements section. It was decided to format the document in an RFC-like fashion under the auspices of the Internet2 SALSA document guidelines. The IETF OPSEC Working Group addresses operational security from the network service provider’s point of view. Its work will be reviewed to ascertain potentially synergistic efforts and to understand the IETF taxonomy relevant to the work of the NetAuth WG.
http://www.ietf.org/html.charters/opsec-charter.html

NetAuth WG members will be participating in the upcoming EDUCAUSE Regional meeting (NERCOMP - http://www.educause.edu/nc05) and the Security Professionals Conference (http://www.educause.edu/sec05).

The next call is Thursday, March 3, 2005 at 12:00 PM ET. An agenda with the call-in number will be sent to the WG via the list prior to the call.