
Kantara FIWG Teleconference 

Date and Time

  • Date: 10 07, JanuaryFebruary, 2013
  • Time: 13:00 PT |16:00 ET


  • John Bradley, Ping Identity
  • Nate Klingstein, Internet 2
  • Keith Uber (Ubisecure)
  • Scott Cantor, Internet 2
  • Rainer Hoerbe, KisMed Austria
  • Matt Tebo, Protiviti
  • Colin Wallis, Internal Affairs Dept, NZ Government
  • Rich Furr, Verizon
  • Jordan Packham, Protiviti
  • Andrew Hughes (staff)



  1. Administrative - roll call :  Minutes from Dec 20Jan 10 ;Election of Chair (We should have done this in Dec but forgot.)Officers
  2. FEDLab SAML tests update
  3. UK Gov Profile
  4. eGov 2 Profile - Leif & Colin report on conversation with Anil John? 
  5. SAML 2 Int Profile (Profile updates,  Wiki page)
  6. Federated Interop patterns
  7. Kantara, OIX and other meta-data aggregator projects.
  8. Your agenda items


1. Administrative - roll call


  • Non Quorate call Dec 20 (noting that voting members (Anil J, Mary R, Hank M) with persistent non attendance will be dropped)
  • Jan 10 Minutes: Moved Rainer, Seconded Nate
  • Unanimous agreement to new elections for Officers; Nate and Alan nominated as Co-Chairs, John B nominated as Chair. Action: John to talk to Heather to put call for nominationsvote


test harness update - -
  • JB suggested RH check with Rainer for the FEDLab test strategy latest update.
  • Since the last call RH has discussed JB's issues with Roland H. A conflict of objectives perhaps? 
  • The current proposal is to structure the test using Python in order to extend use cases and parameterization, and thus not necessary to configure things into the test cases.
  • JB: Andrews?? has additional requirements - was RH aware?
  • RH: Yes, need more than True/False responses when doing SP Authn, but didn't happen. Need to turn off (T/F only?) and exchange fault reporting  meta data.
  • JB: Need to decide if we want to download a pre-configured IDP vs Joni's notion of a pre-configured test harness hosted by Kantara.
  • RH: Austria currently run SPs through a set of tests, expecting SPs to download and run. RH can't see how it can be done from a centralized repository.
  • JB: OpenIDConnect does both but primarily uses the centralized.
  • MT: Test SPs now a realistic option over the internet.
  • ??: If it is financed by GEANT as an EU project then is it appropriate for KI to run a service and claim some kind of IPR?
  • SC: It may be OK for KI to run it under a 'right to use' license, but the code remains opensource.
  • MT: Both approaches would get market traction in his opinion.
  • JB: So a scenario could be that there is a free download for anyone wanting to use, or a KI one that has some more services and features but notably ends up with certification and a Trustmark. Or an extension of that scenario where KI offers a deployment profile  test, for, say SP or IDP to run a test to see if it conforms to FICAM. And the free one is used as a precursor to conformance test, and subsequent certification.
  • MT: The added value is for the KI community to share test cases.
  • JB: There's value in the test cases themselves, but they are completely separate from the test harness itself.
  • JB: What is the next step?
  • RH: Roland H needs a month to build a proof of concept.
  • MT: The KI community should contribute use cases to a centralized (cloud based) site.     
3. UK Gov Profile

Summary: UK Govt is novating the contract with IdPs for Authentication. Unclear what the substitute contract will contain. RF says discussions continuing with vendors.

4. eGov 2 SAML Profile
  • MT: FICAM looking to exit the 'profile business' and wants to adopt/extend an existing profile.
  • JB: Is that to be a deployment profile of the eGov 2.0 SAML conformance profile, along the lines of SAML2Int? -  a fairly small delta from FICAM???
  • MT: Never going to be 100% alignment between eGov 2.0 SAML conformance profile and FICAM - the 800-63 'problem'.
  • SC: Agreed re the 'problem' but more than that...privacy stuff sandwiched into technical profiles.
  • MT: 'adopt/extend an existing profile' might have the effect of reducing FICAM from 40 pages to 3 maybe...
  • MT: FICAM is ...considering??  (notes indecipherable) .... SAML2Int, maybe with HoK.
  • JB: Should not include BAE and PKI bridge stuff either.
  • CW: Should I get permission from Leif and Anil to circulate their email thread at the time Leif and Colin reached out? Agreed as an action.
5. SAML 2 Int Profile

Discussion: Combined with (4) above.


  • worked with Roland to update Test Harness doc (back end).
  • RH worked with Andreas on the GUI front end management tool
3. Federated Interop Patterns

The group discussed RH's Fed Interop patterns doc submitted and had got considerable comment:

Matt: Need a Privacy Layer

Keith: Need an Attribute Authority/Provider (in SAML Attribute Query) Actor as a subset of IdP actor

Matt: Or is it FO-FO? (John) It is generically called Attribute Provider rather than Attribute Authority.

?: What about a Consent Service Provider as an additional Actor?

Keith: Add Discovery Service as a new Actor

Rainer: Rename Legal to Legal and Contractual Layer for clarity

4.  Kantara, OIX and other meta-data aggregator projects

Discussion: JB meeting Leif re the possible ISOC and R&E peering between OIX and Kantara aggregators. Ping has a pilot in play for SPs using Ping Federate clients (repeated from last call..?). The pilot is in 2 Parts: First, getting meta data into same IdP, and Second, how to manage the ...accumulation?... (notes indecipherable).. of 3rd parties' attributes as federations grow. Non R&E feds will have to use R&E methods before long.

Matt: PKI vs meta data - pros and cons. Typically PKI is favored by govt and MD is favored by Higher Ed. Mapping is hard and enforces arbitrary decisions like MD at LoA 1,2,3 but not 4. PKI at LoA 3.5 and 4.

?: Where is Kantara and OIX in the Trust Framework business. (John): Kantara is not a federation in that it doesn't necessarily represent those that are certified by it. OIX is a kind of federation because its members are represented. But Certification not done at OIX (beyond LoA1)


7. Your Agenda items

None raised, and no more call time left.

Next Meeting

  • Date: Thurs 24th21st, JanuaryFeb, 2013
  • Time: 13:00 PT | 16:00 ET | (Time Chart)
  • Dial-In: +1-218-862-7200
  • Code:
