r6 - 07 Sep 2004 - 14:13:30 - PieterHartsook

Higher Ed Requirements Update 19 August 2004

This page has notes from one segment of the CSG meeting of 19 August 2004, which Jack McCredie and Oren Sreebny led. They had the action item to distill information from CSG universities about how higher ed requirements have changed in the past eighteen months. Oren led the discussion today by saying that he got very few responses, so in some sense not much has changed. There were, however, a few things that he reported came up over and over again. Oren mentioned:

  • Shibboleth is coming along far faster than was anticipated or hoped. It's obvious now that it's going to play a big role.
  • Multiple event calendars have increased significance.

Paul Hill chimed in that managed updates are much more important.

Jack McCredie hears from his "CIO" peers that open source projects have taken off much more than they expected, e.g. the SAKAI project. Editor's note: While Jack didn't specifically say so, I think he meant University-based collaborative efforts leading to open source products.

Jack also mentioned -- and this was strongly echoed by others in the room -- that it was "impossible to overstate the importance of security". The nature of it hasn't changed, but the overall awareness of security is far higher. Not only did people report that users are less inclined to click on any random thing, but that there is a general awareness of the need for security and acceptance of security measures. For example, UC Berkeley just passed a minimum security standards document at the campus level that would have been unheard of 18 months ago.

Someone observed that security concerns now are more about managing code and boxes instead of sending passwords in the clear. There is much more inclination among Windows users towards greater management of the desktops, with controlled updates/downloads/installs. (Unix users are actually moving away from managed desktop to a more self-management system.) They also mentioned that there is a trend away from departmental servers and towards centralization of computing resources.

Oren Sreebny mentioned that there is enormously increased involvement from campus legal departments around security issues. At UW, for example, which has a hospital, they now need to ensure things like end-to-end encryption for email and patient information.

Michael Gettes mentioned that they were seeing a little bit of motion away from Microsoft in favor of Linux.

For Chandler, they made the request that we

  • build in an auto-updating feature into Chandler
  • provide hooks for third-party developers to be able to easily provide auto-updating as well
  • let users see whether an update is security-related or just more bells and whistles

Jack noted that wireless and PDAs were of increasing importance. Mitch responded that our to-be-hired product marketing manager will devote a lot of attention to this kind of interoperability issue.

Mark Franklin noted that email viruses and spam were a huge problem. Mitch said that he felt that it would be better for Chandler to use the best spam and antivirus tools out there instead of trying to roll our own.

Michael Gettes talked about event calendars; that there are complexities around how to represent the data visually, how to subscribe/unsubscribe to calendars "in the wild" (i.e. off-campus), and how to interact with other enterprises. (For example, Duke shares schedules with the other two local universities.)

As an aside, Michael mentioned that while event calendars are a problem for all enterprises, universities seem to be best at articulating what they need.

Bob Morgan expressed disappointment in Microsoft's calendaring. While he'd like to see calendar and email separated, Microsoft is integrating them more tightly. Somebody noted that there were still choruses at his campus that ask in frustration, "why can't we just all standardize on Outlook/Exchange for our campus calendar?"

Shibboleth

Bob Morgan gave an update on Shibboleth: its code base has become pretty mature on both sides (Editor's note: "both" = client and server, I assume.) Information vendors are working with the Shibboleth project. The Internet2 federation of US universities is almost ready to go -- legal stuff is getting hashed out now -- and they expect policies and pricing to be ready really soon now.

There are several Shibboleth federations in other countries -- Bob mentioned Switzerland, the UK, and Finland.

The biggest activity right now is getting the SAML 2.0 standard implemented. There are some new technical features of protocols that have been implemented, including some good stuff from the Liberty Alliance. While people are busily working on SAML 2.0 implementation, it will be many months before it'll be in production services.

His recommendations for Chandler:

  • inter-organization interoperation is now becoming much more real, even if it's in technically limited browser-based stuff
  • Does it extend? They are working on extending SAML into other protocols, e.g. VOIP or videoconferencing.
  • He had a lot of concerns about WebDAV, particularly around browser redirection. (Mitch deferred, asking Bob to talk to LisaDusseault.)

Chao asked what applications used Shibboleth; Bob said that right now it was just browsers. However, SAML is a set of layers, and once it gets widely deployed, he expects that people will try to leverage it.

Flagged for followup

  • Security around scripting, parcels, updates, downloads, and installs
  • Campus event calendaring (Pieter is arranging to talk to Jeff McCullough and/or Michael Gettes)

-- DuckySherwood - 19 Aug 2004

  • Someone (I'm terrible with names) was concerned that we do not do a better job at code reviews. I pointed out that things have improved (in last WAG meeting we did not do any code reviews), but we fully understand we need to do a better job at code reviews and other security-related processes.
  • Bridge CA support is going to play a role. There was nothing mentioned about this in the original requirements. Sun is working on bridge CA support for OpenSSL and NSS (see libpkix), but the schedule with current resources looks like they will be finished in the summer of 2006, which might be too late. We need to make sure that it gets finished in time. Adding another full-time developer to the libpkix project could halve the development time.
  • ChaoLam: Heikki, I think the issue is also that CSG is still mixed about how much to support end-user public keys. Most universities have not endorsed public keys as a central IT infrastructure (e.g. for authentication) yet and it's unclear whether some will ever.

-- HeikkiToivonen - 21 Aug 2004

Open Source Applications Foundation
Except where otherwise noted, this site and its content are licensed by OSAF under a Creative Commons License, Attribution Only 3.0.