View Source

DRAFT - Meeting Notes - 2010-06-21 Conference call - DRAFT

Attendees

Arlene Allen, UCSB
Curtis Bray, UCD
Dede Bruno, UCOP
Chet Burgess, UCOP
Dedra Chamberlin, UCB
Patrick Flannery, UCD
Gastón DeFerrari

Matt Elder, UCSD
Declan Fleming, UCSD
Eric Goodman, UCSC
Greg Haverkamp, LBNL
Karl Heins, UCSB
Datta Mahabalagiri UCLA
Jeff McCollough, UCB

John Ober, UCOP/CDL
Bob Ono, UCD
Surya Narayana, UCSF
Brian Roode, UCI
Andrew Tristan, UCR
David Walker, UCD
Albert Wu, UCLA

Notes

Quick updates

UCTrust Workgroup and ITLC - Follow up

UCTrust ITLC - Weren't able to summarize in time for prev. meeting.

UCTrust did review current status (at prev meeting) and agreed message is ready to be forwarded to ITLC

Federated Wireless Access - attribute assertion standards

Workgroup is meeting for first time tomorrow (6/22) at 9:00AM.

Each network needs to allow access to Shib IDPs before user can be authenticated.
Needs definition from an attribute definition point of view (e.g., will we release email for contact purposes?)
Requires web-portal for login (using Shibboleth) that can be modified to have an SP

David points out that frequently there are two wireless systems on campus: one unencrypted, using a web portal to authenticate user; the other use 802.1X.

The project for now is to focus on federating the web portal fronted wifi network.

The eduRoam Project is looking to federating 802.11X-driven access in some way.

(This item is here as an update item, not action item, but UCTrust reps should think about what issues need to be addressed by the Federated Wireless Access workgroup.)

InCommon certificate program - update

latest FAQ on InCommon site (pdf)

The program will initially only issue server certificates, though code signing and personal certificate are part of the license, and coming soon.
Berkeley is an early adoptor. issuing certs thru program now, evaluating tooling.
Berkeley is deploying a delegated administration model - still working thru process
Berkeley is funding the program centrally through two offices, the Office of the CIO and (Dedra: could you fill this in?)
UCLA is seriously considering signing on once the program goes live.
UCSC is interested; working through cost/funding.
UCD is evaluating user interface and funding model issues.

There is brief discussion on the possibility of UC joining as a system (there is potential additional savings for joining as a System. David will look into cost. If there is intereset, we'll pursue further. The initial take from the group is that the savings probably won't justify the added administrative overhead to coordinate among campuses. UCSB also mentioned that due to low certificate usage on campus, it likely won't be interested in subscribing to the InCommon license.

eAcademy update

Microsoft responded to UCLA's inquiry. It wants the campuses to assert who is eligible (instead of eAcadamy's suggestion that the individual can self certify license entitlement).

This means campuses will need to track and assert an individual's eligibility to participate in the Work At Home license. The assertion will likely be made through IDP Attribute Responses(perhaps a value in eduPersonEntitlement).

Albert will schedule a follow up call between eAcademy and interested UC campuses representatives in the next 2 weeks.

ITAG's User Provisioning/Middleware Project

The project is looking to create a definition/description for a bus-orientated service to enable cross-campus user provisioning. Existing use cases include user provisioning needs in LMS, Connexxus, (and UC Ready?)

A working group, consist of 5 people from ITAG already exists. David is looking for additional UC Trust volunteers. Interested party please contact David.

Agenda Items

InCommon Silver Update

News from InCommon TAC - InCommon is working with federal agencies to review
whethere InCommon Silver can be considered equivlaent to NIST LOA2
Several campuses have reviewed the requirements, some are concerned about the ability to meet the requirements:
- UCLA will need to make substantial procedural and technical changes to its credentialing process - it's already planned and will be underway in 2010.
- Berkeley (and several other campuses) continued to be concerned with the clause requiring the IDM system to store SB1386 sensitive ID numbers. It isn't clear as to whether the ID numbers need
  to be stored. If so, does it have to be stored electronically? Will paper records count? What is the retention requirement?
David will follow up with InCommon TAC to reiterate UC's concern regarding the collection/storage of ID numbers.

Library's Use for Shibboleth

The library side is working to contact each campus's IDP to respond to the questionnaire.
UC Trust WG will put up a page on wiki to collect responses from campus IDP reps.
The Library side is forming a technical group.

Discussion of SAML2 usage (not Shib)

Several campuses are running (or will soon be running) IDP 2.

A few campuses supports/will support SAML 2 through IDP 2.

Reminder: Internet2's Shibboleth 1.3 support ends on June 30, 2010.

There are some well known SAML 2 SP's (Google), though it's not yet widely requested.

InCommon's WAFY does not yet fully work with SAML2. Is this a priority to pursue
with InCommon

Do we want a UCTrust specific discovery service?

Face-to-face meeting

The chairs will schedule a face-to-face meeting in September. Please send agenda suggestions to Dedra and/or David. Current agenda ideas include:

Provisioning
InCommon Silver

We may possibly combine the meeting with a face-to-face Sun IDM SIG meeting.

The group had agreed to move to a bi-monthly call schedule, but decided to continue the call monthly until the September face-to-face meeting. The group will determine future meeting schedules at the face-to-face meeting.