Conveners: Brook Schofield, Joni Brennan
Tags: Federation Policy, Trust Frameworks
Brook, David G, Scott, Joni, PGP Guy, Peter, Lalla, Nick, Ruth, Frank, Christos, STFS guy, Anders, Daniella, Roland, xxx, OCLC guy, Patrick, Hannah, Maarten, Richard, Alicja.
Brook: What incentives (positive or negative) are available to encourage the IDP/SP admins and their machinery to ensure harmonisation?
Joni: How do we move from "country first" to "interfederation first" harmonisation practices?
Main issues discussed
eIDAS only focuses on inter-country collaboration and does not concern itself with the activities within a country. There are policy decisions where possible and in the technical space there are gateways between the countries.
Is it possible that the only incentive is €$£?
"We" don't have authority over most of these decisions. So how do we make sure our agenda is covered?
1. Sneaky partnerships are a great way of getting our agenda presented by those partners that have a seat at the table for higher level discussions.
2. Utilising the services of these partners as a sign of faith in their participation.
Scott works on the research side - not necessarily specific to a single country - reputation is an important mark - and "groups" are willing to shop around for a federation that meets the reputation level that they want. There might not be a need to shop around in future - but if there is - it is an option on the table.
Commercial - Money
R&E - Reputation
Govt - Cyber Security
Incentivize federations (eduGAIN) to comply with best practices
Mapping of national / market trust frameworks
One preliminary report was that eIDAS and US ICAM were nearly ~90% identical.
NSTIC (good not so good)
YubiKey is a good example of a "sneaky for good" collaboration that works to create gravity
Motivators vary based on some context:
Private Sector > Money
Academia > Reputation
Governments > Security and GDP
Perhaps >> Killer App >> Access to resources >>> the cool factor
Example --- retirement portfolio, benefits etc.
Evangelists for the communications of benefits and risks
Austria – discount on hardware for students
Students forced their universities to join that program to get the discount to force IOP
ORCID >> SAML single-sign-on for universities
Incentivize killer app developers to use standard protocols (SAML etc.)
Identity portability across cloud is critical but there is no interoperability right now
Standardized adoption tools should be more readily available
Giant Cloud IDPs will drive the standardization
The aim is to convince national programs that it is something they should do.
aud1: what IDs is?
Providing technical mechanism, eIDAS doesn’t care about what happens in the country - this is the problem. Mix of policies at the level it is possible to apply.
In private sector business, global connectivity is a must.
Trust frameworks seem to be monolithic.
Taking a trust framework and breaking apart the strong credentialing from the strong authentication to make it composable and achievable (this pattern applies to other parts of a trust framework as well)
Separating out the jurisdictionally-required parts from the globally-applicable parts so cross-jurisdictional implementation is possible. Making the jurisdictionally-required parts abstract enough so that they can be mapped to similar requirements in other jurisdictions, and documenting those mappings.
Aud 2: the necessity of doing the business is going to drive alive.
The European requirements are much stricter than the US ones.
Aud 4: question about the documents about the mapping
Aud 2: they are on our website - Peter Alterman, Ph.D., Chief Operating Officer - SAFE-BioPharma Association.
There is a line toward where the money is.
Joni: so the incentive is money
Aud 3: we get people working around with stuff - organic solutions are starting to emerge
Aud 4: is it better to have a common framework or individual ones?
Joni: I worry about the fact that we don't have the authority over these things. Sneaky partnerships are important! We want to get the people involved (like John Bradley?) and come back to a larger community to review.
Aud3: Example of sneaky collaboration: talking with Yubico to get stuff like PIV implemented in Yubikeys, other things that we need. Diversity is important, there need to be other vendors we can work with besides Yubico on things like that.
Scott: Reputation goes a long way, risk analysis on reputation. We are afraid of security attacks on our reputation. I think that service providers (especially large providers) have the ability to shop around the federations. If one fed doesn’t give us what we need, we will go to another.
Aud: the ‘coolness factor’
“Kind of competition: which country is cooler?”
Brook: an onboarding accomplishment (used on every level of education in Taiwan)
Peter: the digital device doesn’t exist because there are multiple devices, they cannot cooperate with the banking sites and that is a problem
We want to see the value in putting in the effort - it's money.
Aud: what about the availability of standard tools?
With many of the snowflakes (the administration of it), it is coming to having an argument about why they are keeping the luxury snowflake instead of the standard one. You need to create a market - nobody is actually taking this step.
Aud3: not having the identity on its place is a deal breaker - again organic evolution against ‘good things’. You could get a situation where a lot of IDPs don’t have a way to create another snowflake.
There is no one simple solution.
The issue is that the killer app always works slightly differently in each country.