CTAB Wed. Dec. 18, 2019


  • Mary Catherine Martinez, InnoSoft (chair) 
  • David Bantz, University of Alaska (vice chair)
  • Brett Bieber, University of Nebraska
  • Tom Barton, University Chicago and Internet2 
  • Brad Christ, Eastern Washington University, InCommon Steering Reprientative to CTAB 
  • John Pfeifer, University of Maryland  
  • Chris Whalen, Research Data and Communication Technologies 
  • Ann West, Internet2 
  • Albert Wu, Internet2 
  • Emily Eisbruch, Internet2 
  • Jessica Coltrin, Internet2 

New CTAB Members for 2020

  • Pål Axelsson, SUNET 

  • Ercan Elibol, Florida Polytechnic University 

  • Richard Frovarp,  North Dakota State 

  • Robert Zybeck, Portland Community College 


    • Rachana Ananthakrishnan, Globus, University of Chicago  
    • Eric Goodman, UCOP - TAC Representative to CTAB 
    • Chris Hable, University of Michigan
    • John Hover, Brookhaven National Lab 
    • Adam Lewenberg , Stanford  
    • Jon Miner, University of Wisc - Madison
    • Jule Ziegler,  Leibniz Supercomputing Centre (new CTAB member as of 2020)


Introductions and welcome to new CTAB members

Officer election reminder

    • Ballots for the officer election went out via email Dec 18, 2020 

Recap of CTAB activities at 2019 TechEx in New Orleans


  • There was an interesting notion of a shim or broker or bridge  so potential IDPs that would not support all 5 of these components could still be in the InCommon Federation
  • It was noted that R&S and REFEDs MFA may require technical abilities that are missing from Okta and other IAM frameworks.  
  • Could use IDP as a service as bridge option 

  • R&S discussion was interesting, it’s perceived as a general release of attributes to any SP
    • Actually R&S it is a targeted release from scientific faculty to certain research SPs

 Suggested Next Steps

  • For BE 2020, we should communicate the items that are part of BE 2020, and also the items that are coming down the road
  • It will be important to have  a have  a clear timeline for TLS, Error URL and SIRTFI  and anticipated timeline for supporting REFEDS MFA and R&S attribute bundle, pending addressing technical barriers to support
  • For R&S attribute bundle and for MFA signaling, we might say, we want those to be in place for 2021 and here is what must be in place. 
    • This way organizations will know how to prepare
  • Question: has impact assessment been done on the proposed BE 2020 items?
  • Answer: we may lack the data needed for an impact assessment for the proposed BE 2020 items
  • Q: Can  a risk analysis be done, explaining the risk to the federation if we don’t do Error URL, for example?
  • It was suggested that we should explain that govt SPs are requiring SSL" grade of 'A' from SSLLabs scan tool
  • This indicates it’s a real requirement
  • It was noted that for BE items focused on security,  looking at risk is very important.
  •  Shannon Roddy, Security Lead on the Internet2 staff, is looking at SSL Labs data
    • Vast majority have an A grade
    • there is also an A plus score not shown on Shannon’s graph
    • Note that requirements/grading will change and in 2020 there may be an increased number of Bs
  • Risk assessment can help illustrate why CTAB suggests  put items into Baseline Expectations versus make it a best practice. 
  • Albert will check with Shannon and NickR around the amount of effort to do risk assessment.
  • Risk assessment should be doable for Error URL and TLS 1
  • Would be helpful if risk assessment would identify risks to both SPs and IDPs
  • Service Provider considerations
    •  SP best practices around Error URL will be important
    • Perhaps CTAB should charter a working group to work with SPs to sort out Error URL
  • Recurring aspects to the current BE requirements 
    • Interesting to think about the recurring aspects to the current BE requirements.
    • Albert: InCommon federation plans to do recurring checks on metadata

Summary of the proposed new items for BE 2020

  • TLS 1.2 
    • refers to web communication to  SP and IDP endpoints 
    • Some Encryption suites used inside the TLS protocol are insecure
    • Want to be sure good practice is being followed
    • Could check on this using SSL labs 
    • Framework to communicate about potential security incidents
    • BE would be a self assertion of compliance w SIRTFI framework
    • Url listed in IdP metadata 
    • SP refers user when insufficient attributes are in the SAML assertion
    • And attempt to fix a problem identified by an SP
  • R&S attribute bundle
    • For use with scientific SPs 
  • Signaling to request REFEDs MFA (multi factor auth)

CTAB Meeting schedule for 2020

    • Need to schedule CTAB calls to accommodate time zones from Alaska to Sweden
    • Current CTAB meeting time is biweekly Wednesdays at 4pm ET
    • AI Albert send  doodle poll to determine the best CTAB meeting  time 

Next CTAB call TBD based on results of Doodle Poll



  • No labels