Notes from the 10/24/2006 UCTrust Identity Management Meeting at UCR
Status Reports
- AYSO is nearly ready for production use. Some issues regarding the language presented on a user's first entry to AYSO via UCTrust are being resolved. Gabe Lawrence demonstrated AYSO access from UCSD's Blink portal. (See uctrust-ayso1.html, uctrust-ayso2.html, and uctrust-ayso3.html.)
- David Walker is working with UCOP's web service group to create a repository of the UCTrust certifications, with access controlled via UCTrust.
- Campus status is summarized under UC's Identity Management Roadmap below.
New Applications for UCTrust
- Adam Cohen of UCOP discussed the Effort Reporting System's (ERS) upcoming UCTrust interface. (See ERS_and_UC_Trust.doc.)
  - In general, the attributes needed by ERS are maintained by the campuses and have identifiers already defined by UCTrust or InCommon. We will, however, need to define a new identifier for UC Employee ID (or reuse one from the old PKI project).
  - The "Active Indicator" is, strictly speaking, a permission and will require some more thought, as we haven't yet defined any permissions, and it is not clear who is responsible for setting it. In general, though, the consensus was that it makes sense to define it as a Shibboleth attribute.
  - There was discussion over the appropriateness of using employee ID, as opposed to UCnetID, since UCnetID could be used to map to employee ID. Doing so, however, would increase the complexity of other systems, and employee ID is used by many systems currently, so it was felt that defining a UCTrust attribute for employee ID would be a good idea. It will be defined as a "scoped" attribute (a value of the form ID@scope) to disambiguate IDs assigned by different campuses.
- Kejian Jin of UCLA discussed UC Grid and plans for UCTrust integration.
  - UC Grid will enable sharing of cluster computing resources within UC. The pilot implementation will be based on UCLA's grid portal software, which is based on the Globus Toolkit. The Globus Toolkit currently uses X.509 digital certificates to authenticate users, although there are ongoing discussions of using Shibboleth as an alternative.
  - Initially, UC Grid will use UCTrust to authenticate users to the certificate issuing process. The evolution of the Globus Toolkit will be tracked to achieve more integration in the future.
- Other applications on the horizon for UCTrust include campus learning management systems, particularly Sakai, and the system-wide human resources training management system.
UCR's Identity Management System
- Andrew Tristan gave a presentation on UCR's identity management system [PDF, OpenOffice].
UC's Identity Management Roadmap
- The progress summary distributed with the agenda was updated to produce UC Identity Management Progress as of 10/24/2006. (Apologies to Arlene for not including UCSB's schedule during the meeting.)
- It was decided that the column labelled "3. Campus refines its identity management processes to meet UCTrust's requirements" is redundant with the next column ("4. Campus certifies that it meets UCTrust's requirements"), so it will be removed from future versions.
Management and Distribution of UCTrust Metadata
- The 10/6/2006 draft of Ensuring the Validity and Correctness of UCTrust Security Information was discussed, and the following issues were raised:
  - There is a risk that an old version of UCTrust metadata might be redistributed, either from the UCTrust metadata repository or from a server that is spoofing the official UCTrust repository. We will add information to the metadata to allow Credential Providers and Resource Providers to detect this.
  - It was suggested that X.509 certificate signing be used, instead of the proposed PGP signing.
  - It was suggested that the metadata be encrypted, as well as signed.
  - The UCTrust Federation Administration at UCOP will be the initiators, as described in the document. Volunteers were solicited to be the certifiers, the people who review metadata changes that have been proposed by the initiators.
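The two checks a Resource Provider would want from the points above are (a) detecting a redistributed old copy of the federation metadata, and (b) accepting the proposed scoped employee ID only when the asserting campus IdP owns the scope it claims. The script below is an added example, not code from the meeting or from UCTrust; the metadata it parses is constructed for the example, and the entity ID, scope, and validUntil/cacheDuration values are placeholders. It assumes the metadata carries the standard SAML 2.0 validUntil and cacheDuration attributes and Shibboleth shibmd:Scope extensions, which is one common way of adding the "information to detect this" the notes mention, not necessarily what the draft will specify. Signature verification (PGP or X.509) is out of scope here and would run before these checks.

```python
"""Freshness checks on federation metadata and scope checks on a scoped
attribute. Added example; SAMPLE_METADATA is constructed and all names
in it are placeholders, not UCTrust values."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample: one IdP allowed to assert the scope "example.edu".
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="urn:example:federation-placeholder"
    validUntil="2006-11-01T00:00:00Z" cacheDuration="PT24H">
  <md:EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataError(Exception):
    """Raised when the metadata must be rejected rather than installed."""


def utc(year, month, day):
    """Aware UTC datetime helper, used for 'now' and for expected values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the day/hour/minute/second subset of ISO 8601 used in cacheDuration."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise MetadataError(f"unsupported cacheDuration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def check_freshness(xml_text, now, previous_valid_until=None):
    """Reject expired metadata and any copy older than the one already installed.

    Returns (valid_until, refresh_at): when the copy stops being usable and
    when the provider should fetch a newer one (cacheDuration, capped at
    validUntil). A copy whose validUntil is earlier than the installed one's
    is the replay/rollback case the notes describe."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise MetadataError("root element is not md:EntitiesDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        raise MetadataError("validUntil missing: an old copy could not be detected")
    valid_until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= valid_until:
        raise MetadataError(f"metadata expired at {raw}")
    if previous_valid_until is not None and valid_until < previous_valid_until:
        raise MetadataError("validUntil went backwards: refusing rollback to older metadata")
    refresh_at = valid_until
    cache = root.get("cacheDuration")
    if cache is not None:
        refresh_at = min(refresh_at, now + parse_duration(cache))
    return valid_until, refresh_at


def freshness_verdict(xml_text, now, previous_valid_until=None):
    """String form of check_freshness for logging: 'accepted' or 'rejected: reason'."""
    try:
        check_freshness(xml_text, now, previous_valid_until)
    except MetadataError as exc:
        return f"rejected: {exc}"
    return "accepted"


def idp_scopes(xml_text):
    """Map each entityID to the literal (non-regexp) scopes its metadata lets it assert."""
    root = ET.fromstring(xml_text)
    scopes = {}
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        literal = [s.text.strip() for s in ent.iter(f"{{{SHIBMD_NS}}}Scope")
                   if s.get("regexp", "false") == "false" and s.text]
        scopes[ent.get("entityID")] = set(literal)
    return scopes


def accept_scoped_value(value, asserting_idp, scopes):
    """Split 'local@scope' at the first '@' and accept only if the asserting IdP owns the scope."""
    local, sep, scope = value.partition("@")
    if not sep or not local or not scope:
        return False
    return scope in scopes.get(asserting_idp, set())


if __name__ == "__main__":
    now = utc(2006, 10, 25)
    print(freshness_verdict(SAMPLE_METADATA, now))
    print(freshness_verdict(SAMPLE_METADATA, utc(2006, 11, 2)))
    print(accept_scoped_value("123456@example.edu", "https://idp.example.edu/shibboleth",
                              idp_scopes(SAMPLE_METADATA)))
```

The rollback check (`previous_valid_until`) is what actually catches a replayed older copy that has not yet expired; a provider that only checks validUntil would still accept any unexpired old version, so the installed copy's validUntil should be persisted and compared on every refresh. The scope check is what makes the scoped employee ID trustworthy across campuses: without it, any IdP could assert an ID in another campus's scope.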
Next Meeting
- Our next meeting will be in January, possibly at UC Santa Cruz.