Single Sign-on/Network Authentication Working Group

Minutes of meeting held September 27, 1994.
Send omissions/corrections in summary to the group.

ATTENDING.

        Emily Batista, Norm Morrison, Alex Garthwaite, Lila Shapiro,
        Tom McAleer, Grover McKenzie, Mark Litwack and Jim Johnson.

MEETING SUMMARY

Norm will post a summary of the current username analysis statistics to
the group.  He is awaiting a file of usernames from Wharton to complete
the initial phase of username analysis.

The group discussed at length an outline of the steps required to carry
out the merging of existing username space using PAS as the control
mechanism, while causing the least possible disruption to all involved.

        1.  Complete the gathering and analysis of username data.  This
        will involve doing an exhaustive study of existing usernames on hosts
        in the upenn.edu domain that will show where conflicts exist between
        hosts, and with Network ID's currently assigned in PAS.
        2.  Reserve, in bulk, PAS Network ID's using existing usernames
        assigned on local hosts.  Constraints are: (a) PENN ID does not
        currently exist in PAS, and (b) the username would result in a
        unique PAS Network ID.
        3.  Roll out the PAS API to SYSADMINS.  This is needed to limit
        the future creation of usernames that would not result in unique
        PAS Network ID's.
        4.  At a regular interval, re-execute step 2 to reserve PAS
        Network ID's for new usernames created on local hosts.
        5.  Eliminate PAS Network ID and host username conflicts.
                a.  Resolve conflicts between hosts where the same
                username is held by more than one PENN ID.
                b.  Where a PENN ID has a single host username, make
                the PAS Network ID equal to the username. (If unique!)
                c.  Where a PENN ID has multiple host usernames,
                consolidate to one username, and make the consolidated
                username equal to the PAS Network ID. (If unique!)
                d.  Standardize existing PAS Network ID's to new
                format, length, and valid values.
        6. Communicate effectively with organizations and individuals
        when PAS Network ID's and host usernames require changes.
        7. Populate Kerberos server with PAS data.

It's understood that as more information becomes available from name
space analysis, the approach will need to be revisited.
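
The classification implied by steps 2 and 5 above, written out as an added
example (it is not part of the original minutes or of any PAS code).  The
record layout, the names HOST_ACCOUNTS, PAS and plan_merge, and all sample
data are constructed; deferring a PENN ID with several usernames to
consolidation instead of reserving one of them is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from the minutes): (host, username, PENN ID).
HOST_ACCOUNTS = [
    ("hostA", "jsmith", "1001"),
    ("hostB", "jsmith", "1001"),   # same person, same name on two hosts
    ("hostA", "mlee",   "1002"),
    ("hostB", "mlee",   "1003"),   # same name, different people: step 5a
    ("hostA", "kpatel", "1004"),
    ("hostB", "kp",     "1004"),   # one person, two names: step 5c
    ("hostA", "rjones", "1005"),   # collides with a Network ID already in PAS
    ("hostB", "tbrown", "1006"),   # PENN ID already present in PAS
]
# Constructed PAS state: PENN ID -> Network ID already assigned.
PAS = {"1006": "tbrown", "2000": "rjones"}


def plan_merge(accounts, pas):
    """Classify each PENN ID seen on hosts per steps 2 and 5 of the outline."""
    owners = defaultdict(set)      # username -> PENN IDs holding it
    names = defaultdict(set)       # PENN ID -> usernames it holds
    for _host, user, pid in accounts:
        owners[user].add(pid)
        names[pid].add(user)
    taken = {nid: pid for pid, nid in pas.items()}   # Network ID -> PENN ID

    plan = {"reserve": {}, "conflict": {}, "consolidate": {}, "in_pas": {}}
    for pid, users in sorted(names.items()):
        # A username clashes if another PENN ID holds it on some host, or if
        # PAS already has it as the Network ID of a different PENN ID.
        clashes = sorted(u for u in users
                         if len(owners[u]) > 1 or taken.get(u, pid) != pid)
        if pid in pas:                 # constraint (a) of step 2 not met
            plan["in_pas"][pid] = pas[pid]
        elif clashes:                  # constraint (b) not met / step 5a
            plan["conflict"][pid] = clashes
        elif len(users) > 1:           # step 5c: consolidate to one username
            plan["consolidate"][pid] = sorted(users)
        else:                          # steps 2 and 5b: reserve as Network ID
            plan["reserve"][pid] = next(iter(users))
    return plan


if __name__ == "__main__":
    for bucket, entries in plan_merge(HOST_ACCOUNTS, PAS).items():
        print(bucket, entries)
```

Only the "reserve" bucket is safe to load into PAS in bulk; the "conflict"
and "consolidate" buckets are the cases step 5 resolves by hand.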

The group agreed that a reasonable compromise in the debate over
system-assigned vs. user-selected Network ID's is to:

        - Allow existing unique Network ID's to remain as they are if
        they conform to the new standard for format, length, valid values.
        - Allow new users to select a unique username from a list of
        computer generated choices.
        - Once assigned as a Network ID in PAS, a username will not be
        reused. This will eliminate the need for a potentially messy
        synchronization of reassigned Network ID's in PAS, with usernames
        on hosts across campus.
        - Make PAS capable of generating unique Network
        ID/username choices.  Local SYSADMINS may develop alternate
        algorithms for generating usernames, but still must use PAS API's to
        ensure the username will result in a unique Network ID.

Matters requiring further discussion.

        - How to handle organizational entities like departments
        and work groups that require representation in PAS, but do not have a
        PENN ID.
        - How to handle people represented in PAS, who have no PENN ID.
        - Approval needed on username standard (i.e., format, length,
        valid values and assignment methodology).
        - Approval needed on conflict resolution strategy (i.e.,
        resolving duplicate username conflicts using a preference hierarchy
        such as Faculty, Staff, Student).

ACTION ITEMS
---------------

Norm Morrison - continue to collect and analyze username space statistics.
Mark Litwack - follow-up with Chris Shull on host for Kerberos testing.
Mark Litwack - obtain more "overview type" materials on Kerberos for the
group.  Check with Chris Shull to see if an overview of Kerberos will be
included in his DCE class.
Andrew White - Ask SAS administrators for their rationale on why they
adopted a highly personal form of username.
Jim Johnson - compile a comprehensive list of hosts in the upenn.edu domain.

NEXT MEETING
---------------
Oct. 4 in the UDC conference room, at 1:00pm.

Topics:

Update on username statistics.
Update on status of host for Kerberos testing.