CACTI Call, Tuesday, August 3, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- John Bradley, Independent
- Matthew Economou, InCommon TAC Representative to CACTI
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Kevin Hickey, Detroit Mercy
- Barry Johnson, Clemson
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
Internet2
- Steve Zoppi
- Netta Caligari
- Nicole Roy
- Emily Eisbruch
Regrets
- Marina Adomeit, SUNET
- Margaret Cullen, Painless Security
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Marina Krenz, REN-ISAC
- Jeremy Perkins, Instructure
- Kevin Morooney, Internet2
- Ann West, Internet2
Action item review
Action item from Aug 3, 2021
- AI Rob -- reach out to JohnB and Shilen about the U2F issue
Action item from July 20, 2021
- AI Rob, Les and Nicole - work on putting structure around the discussion of CACTI Spheres of Influence
Action item from March 30, 2021
- AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
Action item from March 16, 2021
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
Note well:
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Discussion
BaseCAMP retrospective
- BaseCAMP was held July 12- 16, 2021 online
- Les: Geared to people at the start of their IAM journey or retooling
- 50% new people in the crowd. They had a lot of support from more experienced participants
- There were a few deep dives that may not have been approachable for beginners
- BaseCAMP started with Tom Jordan (UWisc Madison) providing an intro to the basics
- The presentations on the hierarchy of DevOps and maturity levels were especially good
- Matthew: BaseCAMP did an excellent job of onboarding new people to our social contract
- Lots of welcoming and encouragement
- This community is good at engaging with folks who have questions
- Some far-ranging discussions after the official presentations
- Comment: wish there had been even more activity on REMO
- A lot of material to cover in 20 hours
- Presenters did a good job with timing
- BaseCAMP is a good lead-in to CAMP and ACAMP
- Materials from BaseCAMP
- Material is available for attendees to look back at in the Canvas environment
- How to give the broader community access to some of the info?
- Nicole: there are free resources, including IAM Online, and much info on the wiki
- The community helps plan the conferences, through program committees
- Question: Release some of the info from BaseCAMP publicly?
- Use a model where the slide content is available through a subscription process for those who can’t attend the event?
Community update: Matthew Economou - supply chain
Software Supply Chain - CACTI.pptx
- Software supply chain from consumer standpoint
- Integrator viewpoint
- Once I launch containers, now what?
- Value on stability
- What is the source of the container?
- Building from source code
- Chain of dependencies
- Docker Hub
- Official images are pretty good
- EXAMPLES
- Tomcat
- Many versions are supported
- Images are built frequently
- From the client/server world
- Official Amazon images are built monthly
- Good release cadence
- CentOS 7
- Looks like it's 6 months out of date
- They only build images for their latest release, which was 6 months ago
- Need to run updates in container build passes
- Open source project with resource constraints
- Another container (to remain anonymous)
- Container not supported for production use, only intended to be tech demo
- You should build your own from scratch
- Tomcat
- Some post-deployment patching may be required
- Sometimes standards and practices are not well documented
- Scan for vulnerabilities, for both open source and commercial
- When containers are built, there is a container image registry
- Amazon ECR and also InCommon use Clair
- There is also Harbor
- Can flip a switch at install to use Trivy, to trigger a scan
- Look at the source of the containers to be sure they are doing signature checks for upstream code
- It is helpful to have many image tags to pull from to give deployers options who have different risk appetites
- (e.g., some might want to deploy a particular build, while others are comfortable staying up to date within a major version)
- Scans find vulnerabilities, but not all are pertinent; an engineer may need to interpret the scan results
- Comments and Next steps:
- great overview, thanks Matthew
- Where should the conversation go next?
- Matthew: we are missing large parts of what is needed; we have it on the traditional server side but it is missing on the container side
- Different tooling
- Potential for a community-focused working group looking at these issues, coming out of the IAM Online on secrets management
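The point above that a scanner finds vulnerabilities but an engineer still has to decide which ones are pertinent is easy to show with a small triage step over scanner output. The following is an added example, not code from the minutes, from Internet2/InCommon, or from any of the tools named (Trivy, Clair, Harbor). It assumes the report shape of Trivy's JSON output as I know it (`Results[]` with a `Vulnerabilities[]` list carrying `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the sample report, the image name, the vulnerability IDs and the risk-acceptance list are all constructed placeholders.

```javascript
// Added example (not from the CACTI minutes or any project's code): triage a
// container scan report so that only findings an operator can act on block a
// build, while "no fix yet" and accepted findings are recorded for an engineer.
// Assumption: field names follow Trivy's JSON output (SchemaVersion 2).

const SEVERITY_RANK = { UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Constructed sample report, trimmed to the fields the triage uses.
// The CVE IDs are placeholders, not real identifiers.
const SAMPLE_REPORT = {
  SchemaVersion: 2,
  ArtifactName: "example/tomcat:9.0",
  Results: [
    {
      Target: "example/tomcat:9.0 (debian 11.0)",
      Class: "os-pkgs",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0001", PkgName: "libssl1.1", InstalledVersion: "1.1.1k-1", FixedVersion: "1.1.1k-1+deb11u1", Severity: "HIGH" },
        { VulnerabilityID: "CVE-0000-0002", PkgName: "libc6", InstalledVersion: "2.31-13", FixedVersion: "", Severity: "CRITICAL" },
        { VulnerabilityID: "CVE-0000-0003", PkgName: "perl-base", InstalledVersion: "5.32.1-4", FixedVersion: "5.32.1-4+deb11u1", Severity: "LOW" },
      ],
    },
    {
      Target: "usr/local/tomcat/lib/example-compiler.jar",
      Class: "lang-pkgs",
      Type: "jar",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0004", PkgName: "org.example:compiler", InstalledVersion: "4.20", FixedVersion: "4.21", Severity: "MEDIUM" },
      ],
    },
  ],
};

// Hypothetical risk-acceptance list maintained by an engineer: findings judged
// not pertinent to this deployment, each with the reason so the decision is auditable.
const ACCEPTED = {
  "CVE-0000-0004": "compiler jar is only used for JSP compilation; this image serves no JSPs",
};

// Split the report into three buckets:
//   actionable - a fixed version exists: rebuild the image / bump the dependency
//   unfixed    - no upstream fix yet: track it and consider mitigations
//   suppressed - accepted, or below the severity threshold: record, do not page anyone
function triage(report, { minSeverity = "HIGH", accepted = {} } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity ${minSeverity}`);
  const actionable = [], unfixed = [], suppressed = [];
  for (const result of report.Results ?? []) {
    for (const v of result.Vulnerabilities ?? []) {
      const entry = {
        id: v.VulnerabilityID, pkg: v.PkgName, installed: v.InstalledVersion,
        fixed: v.FixedVersion || null, severity: v.Severity, target: result.Target,
      };
      if (accepted[v.VulnerabilityID]) {
        suppressed.push({ ...entry, reason: accepted[v.VulnerabilityID] });
      } else if ((SEVERITY_RANK[v.Severity] ?? 0) < threshold) {
        suppressed.push({ ...entry, reason: `below ${minSeverity}` });
      } else {
        (entry.fixed ? actionable : unfixed).push(entry);
      }
    }
  }
  return { actionable, unfixed, suppressed };
}

// CI gate: fail only on actionable findings. An unfixed CRITICAL cannot be cleared
// by rebuilding, so blocking on it would just stop all image updates.
function shouldBlockBuild(triaged) {
  return triaged.actionable.length > 0;
}

// One line per finding, bucket first, so the output can be diffed between builds.
function formatSummary(triaged) {
  const lines = [];
  for (const bucket of ["actionable", "unfixed", "suppressed"]) {
    for (const e of triaged[bucket]) {
      const fix = e.fixed ? `fix ${e.fixed}` : "no fix";
      const why = e.reason ? ` (${e.reason})` : "";
      lines.push(`${bucket.toUpperCase()} ${e.severity} ${e.id} ${e.pkg} ${e.installed} ${fix}${why}`);
    }
  }
  return lines;
}

const triaged = triage(SAMPLE_REPORT, { accepted: ACCEPTED });
console.log(formatSummary(triaged).join("\n"));
console.log(shouldBlockBuild(triaged) ? "BLOCK: rebuild with fixed packages" : "PASS");
```

The threshold and the acceptance list are the two knobs that encode the "different risk appetites" mentioned above: a team that wants to stay current within a major version runs with a lower threshold and an empty acceptance list, while a team pinning a particular build keeps a reviewed acceptance list and re-evaluates it whenever the base image changes.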
Deprecation of U2F support (John B)
- Google intends to deprecate U2F support in Chrome in the next few months.
- There was a U2F plugin for IdP 3
- There is a WebAuthn version of that now
- How to inform those who may be impacted?
- Duke's code was WebAuthn-based
- Our plugin is the go-to for U2F
- Should we send this info to the Shib users list?
- The U2F JavaScript API will stop working
- The server-to-browser part is impacted
- AI Rob -- reach out to JohnB and Shilen P (from Duke) about the U2F issue
- There is a migration path, we need to get the info out there
- We can direct people to Shilen’s code
- ChrisP: this dovetails with the supply chain discussion. U2F, Duo changing the iframe… there is a notification/communications gap that CACTI can help with
- When CACTI returns to the topic of CACTI engagement with other groups, this is relevant: how we notify other groups of important info
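The migration path mentioned above has a browser-side half that is worth seeing concretely: a relying party that still holds U2F key handles can keep those registrations working by calling `navigator.credentials.get()` with the WebAuthn FIDO AppID extension instead of the U2F JavaScript API. The block below is an added example; it is not code from the Shibboleth U2F or WebAuthn plugins, from Duke, or from the minutes. The RP ID, the U2F AppID URL, the challenge and the key handle are placeholders.

```javascript
// Added example (not from the CACTI minutes or any project's code): build the
// WebAuthn request that lets credentials registered with the U2F API keep
// working after the U2F JavaScript API is removed from the browser.
// Assumed values: rpId, appId, challenge and key handles are placeholders.

// Decode base64url (the encoding U2F key handles and WebAuthn IDs use on the
// wire) into bytes. Works in the browser (atob) and in Node (Buffer).
function base64UrlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = (s + pad).replace(/-/g, "+").replace(/_/g, "/");
  if (typeof atob === "function") {
    return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  }
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Build PublicKeyCredentialRequestOptions for a user whose registrations were
// made with U2F. Each U2F key handle becomes a WebAuthn credential ID, and the
// "appid" extension tells the authenticator to derive the key from the U2F
// AppID (an https URL) rather than the WebAuthn RP ID; without it the old
// key handles will not match and the user is locked out.
function buildLegacyU2fRequest({ challenge, keyHandles, rpId, appId, timeoutMs = 60000 }) {
  if (!Array.isArray(keyHandles) || keyHandles.length === 0) {
    throw new Error("no U2F key handles registered for this user");
  }
  if (!appId.startsWith("https://")) {
    throw new Error("U2F AppID must be an https URL");
  }
  return {
    challenge: base64UrlToBytes(challenge),
    rpId,
    timeout: timeoutMs,
    // U2F authenticators cannot do user verification; requiring it would fail.
    userVerification: "discouraged",
    allowCredentials: keyHandles.map((kh) => ({
      type: "public-key",
      id: base64UrlToBytes(kh),
      transports: ["usb", "nfc", "ble"],
    })),
    extensions: { appid: appId },
  };
}

// After navigator.credentials.get({ publicKey }) resolves, the RP must read
// cred.getClientExtensionResults(): if appid is true, the assertion was made
// against the AppID, so the server verifies rpIdHash as SHA-256(appId);
// otherwise (a credential created through WebAuthn) it is SHA-256(rpId).
function expectedRpIdHashInput(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true ? appId : rpId;
}

// Browser usage (not executed here):
//   const publicKey = buildLegacyU2fRequest({ challenge, keyHandles, rpId, appId });
//   const cred = await navigator.credentials.get({ publicKey });
//   const hashInput = expectedRpIdHashInput(cred.getClientExtensionResults(), rpId, appId);
//   // send cred.response.authenticatorData / signature / clientDataJSON and hashInput
//   // to the server, which verifies the assertion against the stored U2F public key.
```

The server side is unchanged apart from the rpIdHash choice: the stored U2F public key and key handle are reused as-is, so nothing has to be re-enrolled. Users who register fresh credentials through WebAuthn get the normal RP ID path, and the appid extension can be dropped once no legacy handles remain.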
IAM Online (Rob)
- August 11, 2021 at 2pm ET
- Secrets, Supply Chains, and Securing Trust in the New Normal
- https://incommon.org/academy/webinars/
- Rob provided walk through of the Slides
- Will there be live polls during the IAM Online?
- May not be possible for this IAM Online due to logistics (some key staff on vacation)
For a future CACTI call:
CACTI “Spheres of Influence” inventory and gap analysis (suggested by Kevin Morooney on June 21 call) (roughly 30 minutes)