CTAB Wed. Oct. 23, 2019

Attending

• Mary Catherine Martinez, InnoSoft (chair) 
• David Bantz, University of Alaska (vice chair)  
• Brett Bieber, University of Nebraska 
• Rachana Ananthakrishnan, Globus, University of Chicago 
• Tom Barton, University Chicago and Internet2  
• Brad Christ, Eastern Washington University  
• Eric Goodman, UCOP - TAC Representative to CTAB  
• Jon Miner, University of Wisc - Madison  
• John Pfeifer, University of Maryland 
• Chris Whalen, Research Data and Communication Technologies 
• Ann West, Internet2 
• Albert Wu, Internet2 
• Emily Eisbruch, Internet2 

Regrets

• Chris Hable, University of Michigan
• John Hover, Brookhaven National Lab  
• Adam Lewenberg, Stanford  

New Action Items from this call

• AI (Albert) email CTAB about reviewing the two OWASP cheatsheets as a way to help clarify the proposed Baseline Expectations 2020 Statement - All SP service endpoints must be secured with current, supported, unbroken transport layer encryption.
  
• https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
• https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html

•    AI  (MC, Brett and David) reach out to  those CTAB nominees who listed CTAB as 1st choice to schedule a discussion.  
     MC will Slack with Brett and David to coordinate. Mention to the nominees the requirement to get Steering approval for slate of candidates, so the process is understood

Pre-reads and materials of interest:

• International (REFEDS/eduGAIN) Baseline Expectations WG: https://wiki.refeds.org/display/ASS/Baseline+Expectations

Discussion

CTAB membership nomination - review nominations (20 minutes) (MC)  

• 7 nominees total
• 2  from same institution 
• There should be 7-13 members of CTAB, according to the CTAB charter
• Currently there are 10 voting members of CTAB
•  JohnH , Brookhaven, and AdamL, Stanford, have indicated that they will not continue as CTAB members, creating two additional open positions on CTAB  
• Could potentially bring on 5 new CTAB members, with reappointment of ChrisW

• May want to recruit someone from a National Lab
• TomB: would be good to have additional international CTAB members who are involved in international baseline expectations work

• Decision: hold a preliminary conversation with those nominees who listed CTAB as 1st choice.
• Rachana thought conversations with TomB, Brett, and MC  prior to joining CTAB were helpful when she was asked to join CTAB
• AI   (MC, Brett and David) will reach out to  those nominees who listed CTAB as 1st choice to schedule a discussion.   MC will Slack with Brett and David to coordinate. Mention to the nominees the need to get Steering approval for slate of candidates, so the process is understood
  
  
•  Plan is that Wed. Dec. 18, 2019 will be a CTAB call including the new members.
  
  

BE 2020: review companion wiki doc / “FAQ”? 
 

• What else needs to be done to ready materials for BE 2020 community consensus?
• There is a working draft of an FAQ.  Plan is that it will be published on the InCommon website as a companion to the BE material
•  There is a chance that once the community examines the proposed BE 2020 statements, for example around error URL,  more clarity will be required.
• There is  concern regarding this proposed BE statement ( difficult for an organization to be  sure it is in compliance):
  Statement - All SP service endpoints must be secured with current, supported, unbroken transport layer encryption.
• DavidB has looked into this for U of Alaska. There are not a lot of options in the approaches
  • Eric: Everyone deals with this in their local environment, it’s related to SIRTFI, 
  • hard to tie down to one specific metric, regarding how many versions back. 
  • It’s always nice to have specifics, but if it’s  tough 
• Suggestion to use OWASP materials / wording to tweak this
• Each CTAB member should each read thru the  OWASP cheatsheets:
• https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
• https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
• Question on how often the OWASP cheat sheet documents are updated. Issue of drifting changes
• AI Albert email CTAB about reviewing the two OWASP cheatsheets (done)
• Plan is that Tech Ex will be used for last round of feedback from community  on BE 2020 plan prior to moving into community consensus
• See the two CTAB Tech Ex 2019 sessions listed below

TechEx 2019 planning 

• Combined federation / CTAB update on Tuesday Dec 10, 2019
• Open CTAB meeting on Wed Dec 11, 2019
  https://meetings.internet2.edu/2019-technology-exchange/detail/10005609/
• Possible ACAMP topic?

Next CTAB call: Wed. Nov 6, 2019