This page was for GN5-1 and is now outdated. Please go to the GN5-2 page! TII call for Ideas
This page collects proposals for future Incubator activities. Anyone may add a new idea by adding a new row to the table below.
Ideas don't need to be fully formed but the more scope we can get the easier it will be to assess whether the idea should be taken forward.
Anything in the Trust and Identity space is of interest, from improvements to current services to brand new ideas and technologies.
If you like an existing idea you can just add a +1 for endorsement. The more supporters a proposal gets the more likely it is to be implemented.
Example from a previous cycle
| Title | Proposer | Description | Supporter (+1) | 
|---|---|---|---|
| Self service - Signing in activity | Janusz Ulanowski (HEAnet CLG) | Service which could allow an user to check signing in activity on IdP service. That would allow an user to check the recent activity on his account in regards of authentication. Users could see the list if authentications containing datetime, ip and relying party etc. That would help them to spot suspicious activity. After discussion in the Incubator board, the proposal for the Incubator is inspired by the above proposal, but with a slight difference: Setting up a service as proposed originally is rather challenging as that service would have to learn about a lot of personal data. However, 'account activity', deployed as part of an IdP extension would actually improve privacy and GDPR compliance of e.g. SimpleSamlPHP and Shibboleth.  Both SimpleSamlPHP and Shibboleth as well as also support the OIDC protocol. A 'profile page' should also allow an end user to manage and revoke OIDC access. | Janos Mohacsi: it would be advantageous to have a standardised log format to all popular IdPs. Then these logs should be dumped to ELK or similar server. The log collection server should provide a restricted access to the logs of a particular users. Mihály Héder: I think an Audit Log self-service is an interesting functionality. Account activity is available in many commercial accounts, certainly the googles and the microsofts of the world. We should keep up - also not only the IdP Audit Log but the SP is relevant. | 
Proposals:
Proposal details:
Topic submission deadline
The Call for Ideas for the next cycle starting in May is still open.
The submission deadline for the next cycle is 08 April 2024.
| Title | Proposer | Description | Supporter (+1) | 
|---|---|---|---|
| Investigate Google WEI & Apple Private Access Tokens | Mihály Héder (KIFÜ/SZTAKI) | Google Web Environment Integrity is a method for websites to verify that the client platform (User Agent a.k.a. browser + operating system) is indeed genuine and has not been "tampered with". https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md The proposal has received strong criticism, the interlocutors mostly claim that it is just a harmful way of achieving DRM. For a summary, see the Wikipedia entry: https://en.wikipedia.org/wiki/Web_Environment_Integrity The insight of the CEO of Vivaldi browser is especially interesting: they apparently already need to spoof the user agent string in order to be able to use Google Docs, despite the fact that Vivaldi is based on chromium. https://www.theregister.com/2023/07/27/google_web_environment_integrity/ By the proposers it is purported to be a replacement of browser fingerprint-based anti abuse methods. They also claim that it is a better alternative than Apple's Similar Private Access tokens, another attestation scheme that works between Apple devices and Cloudflare. They also claim in defense of WEI that they may help sunsetting the increasingly useless CAPTCHAs. WEI is already supported by Chrome on Android. The proposal is to explore, try out WEI and write a report for the community. Perhaps the timing of this proposed activity is also a strategic concern - if the WEI proposal will have no good reception then there is no point in wasting resources on it, but if it there is uptake then we should reac. | Janos Mohacsi (KIFÜ) | 
| Scalable, interoperable revocation | Stefan Liström (SUNET) | Revocation is not only a mandatory privacy enhancing feature for endusers, it is also a core security feature. Both use cases for revocation need to be implemented in a future EUDI wallet ecosystem. There is currently however no clear solution for interoperable, scalable revocation in the EUDI. This activity investigates and describes the possible approaches for scalable, interoperable ways to handle revocation. The activity should try to test at least two of the approaches with respect to requirements on scalability and interoperability as may needed for the EUDI | Marina Adomeit (SUNET) | 
| Passkey registration to User Profile Page (Shibboleth) | Janne Lauros (CSC) | This proposal is continuation to earlier incubator work where User Profile Page for Shibboleth was implemented as means for the user to view the available user data and the tokens issued on behalf of user (https://github.com/GEANT/shib-idp-profile). Shibboleth project is working on WebAuthn authentication flow and has define the scope for the Passkey management as "The inbuilt flow represents the minimum viable product for implementing such a feature. In the future other plugins may provide this functionality". We propose following task for the next Incubator Cycle to provide additional features for Passkey maangement 
 | Timo Tunturi (Aalto Uni) Mihály Héder (SZTAKI) | 
| eduGAIN PoC | Davide Vaghetti (GARR/IDEM & eduGAIN), Niels van Dijk (SURF) | The eduGAIN service activity will set up a POC in order to evaluate the new OpenID Federation (OIDfed) standard and wants to eventually create an official eduGAIN Technology Profile to extend the current service. The Trust and Identity Incubator has over the years build considerable experience with developing tooling, and implementing OpenID Fed in various products and languages, as well as evaluating e.g. REFEDs specifications in the context of OIDfed. This activity seeks to contribute to the eduGAIN PoC by: 
 The incubator will work on these in close collaboration with the eduGAIN PoC team. | |
| Implement OpenID Federation into SimpleSAMLphp and Shibboleth IdP | SCRE, CSC, Niels van Dijk, SURF | Related to the above eduGAIN OpenID Federation Pilot, we would like to add OpenID Federation capabiliteis to Commonly used software in our ecosystem. This activity will complete the work on implementing OpenID Federation into SimpleSAMLphp, as well as start with an implementation for Shibboleth IdP. | |
| Automatic collection of Verifiable Academic Efforts | Mihály Héder (HUN-REN) | Academic Track Record is the primary source for establishing trust between collaborators that don't know each other.  In such events, the researchers are left to check to past affiliations of each other, look for collaborators they shared, see what impactful conference or journal paper the other appeared in, see if the other supervised or reviewed PhDs, postgrads in relevant topics. Hence, a semi-formalized trust chain in established. In order to establish more trust in a researcher account in an academic collaborations, there are several automated actions an AAI platform can take. Commercial (Academia.edu, researchergate, google scholar) and community-owned (ORCID) initiatives already perform very basic collection of information (scraping crossref metadata (DOI)-s and the web). These methods could be much enhanced with more assured information that we have in the Research and Education space and could enrich an institutional or a MyAccessID account, for example. Several parts of this concept has been proven and demonstrated by the various science social networks, like Academia.edu and ResearchGate, who, as soon as a publication appears with a DOI. This is done by regularly scraping the related database, and the same happens for citations. This very often happens with matching of name strings, in lack of better curated attributes in the crossref metadata and results in mis-attributed data. However, other, equally important elements of the record - peer reviews in and efforts service of science, like PhD defense committee membership, and altmetrics (contribution to research software, instruments; confirmed reader counts) are overlooked and the technology for that is only an idea at this moment. A) arXiv API+ORCID: in possession of a verified ORCID, the arXiv API can be queried for articles written by an author: Trust: high arXiv was originally created for physics and is still dominant on that field. Output DOI+publishing place B) Crossref API+ORCID In the crossref JSON metadata, ORCID is present, if it was known 
 C) DBLP+ORCID on DBLP is possible to search by ORCID D) email based matching E) name based matching trust: low F) Consuming Verifiable Credentials | |
| SeamlessAccess with OIDFed Support | Zacharias Törnblom | Primary goal: show OIDC OPs the same way as SAML IdPs - in synergy with the eduGAIN OIDFed PoC project. Secondary goal: use credentials to persist the choice of home organization. | 
