UC Identity Management Conference Call
- 11/3/2004 - Notes
Participants
- Mike Baptista, UCOP
- Jacqueline Craig, UCOP
- Bruce James, UCOP
- Gabe Lawrence, UCSD
- Brian Roode, UCI
- David Walker, UCOP
- David Wasley, UCOP
- Jerry Wilcox, UCOP
- Albert Wu, UCLA
UCFY Prompts in UCTrust Entry Point
The question of what information UCTrust will request from the user after
being invoked by Shibboleth remains open. I will be
scheduling a conference call with Kris Hafner and the three campuses'
CIOs to discuss the issue. I will also add UCTrust governance to
the agenda for that call.
Draft UC Trust Policy
The 11/2/2004 draft of UC Trust: University of California Identity
Management Federation was discussed.
- A new bullet was added describing the handling of "legacy"
identities that may have been identified or registered prior to current
identity management practice. There will be some rewording, but
the intent is that these "legacy" identities must be re-verified as
they are used within UC Trust if the legacy identification and
registration processes were not as strong as current processes.
- The requirement for confirmation of identity by sending a
notification to a person's electronic mail address, telephone, or
postal address (7.b.ii) will be reworded to make its intent clearer.
- A bullet was added to indicate the intent to create higher levels
of assurance in the future. That assurance can be reflected in
any of the identification, registration, or authentication phases.
- Ideas for the Best Practices section:
- The information in the enterprise directory should be
maintained as close to its original source as possible.
- The directory used for authentication and authorization should
not be open in the sense that a white pages directory would be.
Access should be controlled.
- Service providers' applications should not have direct access
to the authentication and authorization directory. Also, prompts
for passwords should not be inside directories. (This is a
particular problem for many of the off-the-shelf applications the
University purchases.)
Common Identity Attributes
The two documents describing common identity attributes for UCTrust and
InCommon were discussed.
- We will not quote InCommon attributes. Since InCommon
membership is a prerequisite to UCTrust membership, we already know
that UCTrust members will support InCommon attributes.
- The description of UCnetID will include more information about
representation, both internal (a 32-bit signed integer) and external
(whether leading zeros should be included). Jerry and Bruce will
research how UCnetID is currently transmitted in the uDir system, and
we will have UCTrust mimic that, albeit in an SAML/XML wrapper.
The 10/20/2004 Meeting Notes
My apologies for not distributing notes after our last call while I
was at Educause. Bruce James, Brian Roode, Jacqueline Craig, Bob
Brandriff, David Wasley, Albert Wu, and David Walker attended. An
earlier draft of UC Trust: University of California Identity
Management Federation was discussed:
- Should we describe a role for Internal Audit? We will refer
to common UC practice.
- We need to propose a governance structure.
- It will need to include CIOs and VCAs in some capacity.
- It should probably include both executive and administrative
arms.
- It will need to approve new members of UCTrust, as well as
establishing standards. We'll need to work through how members are
monitored for compliance; that may be Internal Audit's role.
- We agreed that we should say something about minimum encryption
strength for authentication when shared secrets are exchanged.
- We need some requirements for service providers to describe
appropriate use of identity attributes. UCTrust will not supplant
IS-3 and IS-10, however.
Next Call
The next call will be Wednesday, 11/17/2004:
Date and Time: Wednesday, 11/17/2004, 9:00a-10:00a
Call-in Number: 866-740-1260
Access Code: 9870500
David Walker - 11/3/2004