CTAB Wed., Aug 14, 2019

 Attending

• Mary Catherine Martinez, InnoSoft (chair) 
• David Bantz, University of Alaska (vice chair) 
• Brett Bieber, University of Nebraska  
• Rachana Ananthakrishnan, Globus, University of Chicago 
• Brad Christ, Eastern Washington University 
• Eric Goodman, UCOP - TAC Representative to CTAB  
• Adam Lewenberg , Stanford  
• Jon Miner, University of Wisc - Madison 
• John Pfeifer, University of Maryland  
• Emily Eisbruch, Internet2  

Regrets

• Chris Whalen, Research Data and Communication Technologies 
• Chris Hable, University of Michigan
• John Hover, Brookhaven National Lab 
• Tom Barton, University Chicago and Internet2 
• Ann West, Internet2 
• Albert Wu, Internet2 

Action Items

• [AI] (MC and David) produce first draft of blog about BE V2 survey results by  next CTAB call   Aug 28
• [AI] Emily reach out to Dean about upcoming blog on BE V2 Survey results and deadline for inclusion in an InCommon newsletter (done, deadline is Aug. 23, 2019)

Discussion

• Baseline Expectations v2 survey response 
  • Received 86 responses
  • How to we publish results to the community? 
  • Decision:  publish a blog  summarizing the results  
  • [AI] (MC and David) produce first draft of blog about BE V2 survey results by  next CTAB call Aug 28
• Drafting Baseline v2 document and submit for community consensus
  • Do we have a request for other BE elements?
  • When do we produce the draft for community consensus? - goal is end of Sept
    • More about community consensus here: https://www.incommon.org/federation/community-consensus/
  • Proposed Schedule:
  •   Blog - end of Aug
  •   Draft of actual BE v2 doc- end of Sept
  •   Community consensus -  starts by Oct.
    
    
• BE v2 community consensus process:   
• Idea: smaller group(s) to write clear positions on what each of the elements mean - what it is, what it means to implementers, what it means to users, impact of
• implementation technology evolution has on how we phrase Baseline statements, etc. 
• Will need volunteers/conscripts to convene discussion; set deadline
• likely for subgroup and/or 8/30 discussion

• There is a need to clarify what CTAB really recommending in Baseline relative to “REFEDs MFA”
• What does support REFEDS MFA Profile mean for each party in Federation? https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ
• Could follow up on the results from the survey. 

• https://spaces.at.internet2.edu/display/InCFederation/Research+and+Scholarship+Category
• In order to be in compliance with R&S, the institution does not need to release R&S for everyone on campus, just for some subset.
• There are FERPA and GDPR concerns about R&S at some campuses, on the part of registrars and some others
• There are many dept of education documents on FERPA and what is really required.
• If R&S is included in BE 2.0, how do we handle institutions that cannot comply due to policy?
  • There are a few campuses where a registrar or  privacy officer, refuses to release R&S across the board.
• Within BE v1, there is a  line for Service Providers about not misusing the attributes.
• https://www.incommon.org/federation/baseline-expectations-for-trust-in-federation/

• REFEDs MFA 
  • Requiring MFA as part of baseline does not mean you must implement MFA. But if you do, here is the  type of response required, and define that exactly. 
  • We should also explain “failure case”: If you don’t have MFA, what should the response be. 
    • The idea is NOT to  fail with an opaque or unexplained error
  • IDP must be configured a certain way to handle the REFEDs  MFA error case gracefully
  • EricG has been working on this issue at UCOP, for Shib IDPs, no cookbook for that yet
  • Discuss this more on next CTAB call 
• Should we include foreshadowing of BE v3, perhaps in the blog?
  
  
  
• R&S attributes being released by default as part of BE - likely for subgroup and/or 8/30 discussion

• Helpful to get to the bottom of the concerns about R&S,  loss of control is one concern.
• The question gets asked “what is legal recourse?”  In fact there is no legal recourse, but the risk is small. 
• Find out what could be added to SIRTFI to make the next step successful
• An argument for including R&S in baseline v2 could be to motivate a more meaningful discussion
• SPs are in favor of R&S, and this was heard in the work of the Attributes for Collaboration and Federation WG.  http://doi.org/10.26869/TI.101.1
• R&S, or other attribute release, includes the value of the InCommon Federation.
• Currently there is a need for a lot of one-off attribute release to individual Service Providers
• With rise of Web AUTHN and FIDO, credentials will become less of a big deal
• In that environment, Value of IDPs could decrease
• Without R&S, there will be workarounds, not involving InCommon, including social media and other less secure approaches
• The role of consent is important in the discussion also

• Update on  SIRTFI/CTAB taskforce on issues of metadata freshness/accuracy:  a meeting has been scheduled
• Proposal was: SIRTFI and CTAB work together on exploring these issues of accurate, fresh metadata, for SIRTFI and then take the learnings to other federations to make this a global issue. 
• Volunteers  are David Bantz , ChrisW, Albert, ScottK and TomB
• Albert will convene the group

Next CTAB call: Aug. 28, 2019