InCommon Federation Discussions About Online Student Services

["Ann West" <>]

InC-Student: Notes from 12/12/2008
------------------------------------------------
Andrea Beesing, Cornell
Karen Hanson, UW-Madison
Scotty Logan, Stanford
RL Bob Morgan, Washington
Ken Servis, USC
Bruce Vincent, Stanford
Ann West, Internet/EDUCAUSE (scribe)

Action Items
-----------------
- Charlie will talk to NSC CIO Doug Falk and Meteor Project Manager Tim 
Cameron as well as independent contractor Tim Bornholtz who's working on the 
NSC/Stanford Project, will find out more about their plans and report back to 
the group.

 - Jim will work with Tom  to develop the requirements (estimated number of 
attendees, facility needs etc.). If you're interested in participating in the 
planning or attending the meeting, contact Jim or Tom.

Notes
-------

Updates

National Student Clearinghouse (NSC)/Stanford pilot - Stanford has their test 
Shibboleth identity provider software running with the temporary attributes 
needed by NSC. In a separate but related project, Stanford is starting to 
develop a gap analysis comparing their current practices and NIST level of 
assurance 2/InCommon Silver Attribute Assertion Profile.

Bob reported that GSA will be creating an umbrella agreement with InCommon 
that would cover all federal agencies. The result would be that any agency 
could start offering InC apps without having to go through the contractual 
process.

Ann presented earlier in the day on the InC Student work at the Federal & 
Higher Education PKI Coordination Meeting and mentioned our interest in 
working with PESC on defining the new attributes needed for the NSC pilot. 
Michael Sessa, Executive Director of PESC, was at the meeting and was very 
supportive and offered to contact Ann about how we could work together. Later 
in the meeting, Michael presented on PESC activities and mentioned that a 
number of financial institutions have dropped their memberships and, because 
of this, the Board was now underscoring core values in their mission and 
rehoning their prioirities in these troubled times.

Upcoming Meetings

- AACRAO meetings - tabled until the next call

- Educause session proposals due Feb 17 and Preconference sessions are due 
Jan 12. Ken S. will be again leading the Registrar CG. The group talked about 
submitting proposals on outsourcing of services and will continue this 
conversation on the next call.

Round Robin

- Cornell is reconsidering the outsourcing of student messaging to 
google/microsoft because of the issues with single sign-on across the web and 
non-web clients. Shibboleth, for instance, works in the web environment, but 
not with an IMAP email client like Thunderbird or an iPhone.  And IT is 
unwilling to say that they will only use web-based federated services, given 
the need for a consistent experience. There has been an interesting 
discussion on the EDUCAUSE IdM Constituent Group about this very issue. David 
Bantz from Alaska sent out a rough methodology matrix summarizing the 
architecture choices on the IdM list.

Bruce asked about the possibility that both OpenID and Federated IdM will be 
supported by InCommon. Bob mentioned that the UK released a report on 
OpenID's benefits and risks and were fairly reserve about it. The UK interest 
isn't around OpenID per se, but the notion that one needs a 
flexible/integrated identity solution that can span social 
networking/consumer sites and more formal requirements. In the industry, it's 
viewed as a user centric/controllable id to which you can attach affiliations 
for work, personal use, etc. It's a hard nut to solve.

- UWashington/MACE - Bob recently attended a presentation by a number of 
security professionals regarding the ease to which one can compromise social 
networking authentication/identity and services. There are lots of security 
holes that can be exploited, both technically and socially. A cited example 
entailed an individual setting up a fake ID of a well-known person (with the 
real person's permission) and having lots of people link and offer services 
to their fake persona. This isn't new, but it was interesting to note that 
social networking sites see a lot of these exploit opportunities as features 
that users can use to tie things together or do unusual things. But what 
about integrating our enterprise with these sites, given these concerns? 
There is a growing interest in linking the enterprise with the sites where 
students hang out electronically.

CAMP - The speakers have almost all been identified and you can review the 
program at the website. Please send any questions or comments to Ann.

Next Call
------------
January 9, 2009 at 3:00 pm Eastern