2012-06-12 Getting Ready For InCommon Assurance

Title

Getting Ready For InCommon Assurance

Presenters

Benjamin Oshrin (The Oshrinium LLC)

Date and time (EDT)

June 12 10:45 AM

Room

Tower 1406

Facilitator

 

Description

InCommon Assurance profiles (Bronze and Silver) define standards for credentials in a federated environment, allowing service providers to have faith that the users from your campus have been properly vetted and are, in fact, the ones authenticating to their services. Campuses are starting to prepare for compliance with these profiles, as various services (especially at the federal level) are likely to require them in the coming years.

Discuss the current state of the bleeding edge with fellow early adopters, or learn the basics if you're just getting started. This BoF will be light on presentation and heavy on conversation.

Materials

Attendees

  • Benn Oshrin, The Oshrinium LLC
  • Bryan Wooten, University of Utah
  • David Bantz, University of Alaska, Fairbanks
  • Chuck Hedrick, Rutgers
  • John Kamminga, UC Merced
  • Celeste Copeland, UNC Chapel Hill
  • Jim Vales, Unicon

Minutes or notes

  • What are the use cases? Still need drivers for assurance. Lack of SPs still an issues
  • Guidance for auditors would be helpful
  • Complaints about password lifetime expiration when changing passwords makes it harder for people to remember it
  • Issues about passwords having to be applied at LDAP server which forces policy to be applied to everyone, not just silver people, which increases support overhead
  • U of Arizona dynamically sets password expiration based on entropy of password selected
  • Barrier to agencies accepting university IAQs in that individual universities still need to negotiate to be added to SP DSs
  • SSL Termination at the network appears to be unacceptable, but clearly it's an OK pattern. Could there be guidance for auditors from InCommon on this?
  • CIFER password management tools could facilitate IAQ compliance
  • Can school ID card #s be used for reset? What if it's a state (ie: government) school?
  • Charging $5 for password reset via credit card might be half compliant for remote proofing and also a "good" idea (in discouraging lost credentials)
  • If you certify to silver, can you assert bronze too, or do you need to certify to bronze as well?
  • Is CIC is still actively pushing forward on silver compliance?
  • Potential need for (eg) commercial solution providers to help with audit

Â