
Kantara eGov Working Group Teleconference

(CONTAINS ROUGH NOTES -  TO BE EDITED FURTHER!)

Administrative section

Date and Time

  • Date: 4. Nov 2012
  • Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 07:00 NZ(+1)

Attendees

John Bradley, Ping

Sal D’Agostino, ID Machines, USA

...

Thomas Grundel, IT Crew, Denmark

 

1. Agenda review/Minutes approval

Minute taker: Keith.

Quorate call: 7 of 13 voting members. Bob is currently non-voting.

June 4th minutes approved. Colin moved, Denny seconded.

Agenda

2. eGov Charter Repositioning

An e-vote of the eGov members was held at the end of September (and approved the new Charter), after which this should have gone to LC for approval. There was no time on the 10 Oct LC Call. The LC will vote on the 7 Nov call.

3. eGov Membership Invitation Letter

- Status report from Colin

Rainer sent the letter already to a Dutch representative. No response back yet.
Add Jaag Kooper (sp?) to Dutch list.
Colin to dig up the Dutch ebook author.
Keith Williamsy (OpenID Board Member)
The letter won't be sent until it is approved by the LC.
More names are required.
List of contacts is not for redistribution or publication.
Letter will be sent by Joni under her name.

Note: The LC call is scheduled on the same day and time as the next NSTIC call.

4. Face to Face meeting, Washington DC, 31 Oct / 1 Nov

- Report from Colin
- any LC issues
Meeting was canceled due to Hurricane Sandy.

5. Privacy Enhanced WebSSO

Proposal of a new work item from Rainer: CA, NZ and now UK have extended SAML WebSSO, or are in the process of doing so, to implement a non-traceability requirement for identity and attribute providers. A collection and comparison of approaches, architectural designs and extensions of SAML profiles would be useful, in particular for private-public federations.

Colin presented the requirements of NZ:

  • You can't move personal information from one domain to another without specific user consent.
  • The best way, in their opinion, is to get consent at the time of the event.
  • The SAML AQ profile was ideal, but is back channel.
  • NZ had requested a browser-based binding of

...

  • Attribute Query

John Bradley:
AQ is broken in a few ways.
It does not actually support evidence of consent. The consent is collected by the wrong party (SP, not the IdP).

In the UK, they had a similar situation (Matt Trigg (sp?)).
NZ used a mix of back- and front-channel techniques based on the use case, including use of WS-Trust.
The Change Notify protocol (OASIS SSTC, Phil Hunt, Oracle) works in the front channel. The title is strange, but the flow seems to work for front-channel interactions.
David Simonsons of WAYF.dk can do front-channel (spring flicker?) and back-channel attribute exchange. Front channel was a proposal in a TERENA pilot project. It was found to be unstable when multiple attributes need to be queried in sequence.

Q. How many use cases have more than one Attribute Provider in addition to the IdP?

NZ is building a consent service to get around a centralized consent register.
There are issues in getting the consent information and the user information at the same time.

John Bradley: Most people are doing this with OAuth.
Colin: The current architecture is SAML.

UK's matching service,

Allan: Discussion of an IdP with two AAs (attribute authorities).

Q. Is it possible to standardize this in any way so that it would be a solution used across multiple governments? Or become a standard product feature?

Internet2 has won a contract to provide a privacy-enhanced solution ("uApprove style").


User experience discussion: 10 dialogs vs. one.

How do you have multiple consent services, which could provide a common consent dialog?

It depends on what is the relationship between the attribute provider and the consent service.

1. UMA-like consent service
2. Attribute provider manages consent on their own

OIX attribute exchange network is looking at attribute release.

Colin: Would it not be better to see what the funding possibilities are? Those projects which have got funding, are they usable in this case?

This new work item proposal is sufficiently overlapping with the NSTIC pilots - perhaps it's better to wait for them?

The work item would include:
A couple of stakeholders, privacy requirements, solutions and discussion.
Not a standardization activity, rather a review of current solutions and needs,
with a view to interoperability and standardization.

Not too technology dependent (XML, JWT).

Steven Dunn:
Processed their first SAML assertion 3 or 4 weeks ago.
Building a proxy using OpenSAML to proxy basic SAML assertions.
Matt Trick (UK) was concerned about the matching service on the Service Provider side.
Holes in the concept.
DWP will be deploying.
Creating a good practice guide for proofing on several dimensions.
Scott Cantor has been reassigned.
AP: Agreed to collect the use cases and solutions on the eGov wiki.
If we can do that before the next call, great.

The UK is willing to release documents/information.
CA specs are already open.
NZ use cases have been posted on the eGov wiki (more coming).
We need some way to compare approaches.

We will collect material.
AP: Rainer: create a wiki page for use cases and solutions.
6. Your agenda items.

 

 

A.O.B.

-

Adjourned.

Next Monthly Meeting: 

  • Date: Monday, December 3, 2012
  • Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
  • Please use Skype or US local access numbers where possible.