CTAB Tuesday April 21, 2020
- David Bantz, University of Alaska (chair)
- Mary Catherine Martinez, InnoSoft (vice chair)
- Brett Bieber, University of Nebraska
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University Chicago and Internet2, ex-officio
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - TAC Representative to CTAB
- Jon Miner, University of Wisc - Madison
- John Pfeifer, University of Maryland
- Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Jessica Fink, Internet2
- Pål Axelsson, SUNET
- Chris Hable, University of Michigan
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
Update on Action Item from last call
- David Bantz invited Heather Flanagan to join a future CTAB call to provide updates on Seamless Access, the Entity Attribute working group, and eduPersonAffiliation work https://seamlessaccess.org/about/community/
Baseline Expectations v2
Are we ready to renew work with the community on Baseline Expectations v2? See blog from March 17, 2020
This work was paused on March 30, 2020 with email from Ann West to the InCommon Participants email list.
- On the EDUCAUSE CIO email list, people are still consumed with issues related to the COVID-19 crisis, including:
- move to online teaching and learning,
- connectivity for all stakeholders
- Budget Issues, loss of income from many sources including housing students on campus
- Call to simplify (e.g., via supporting REFEDS R&S) was effective
- Office hours for REFEDS R&S have been a good idea
- IT departments are key to preserving enrollment as teaching and learning goes online
- There may be some staff who could engage around BE v2
- Items in BE V2 (especially TLS and SIRTFI) are important for the collaborations that are so crucial now
- movement forward on BEv2 will help campuses with how to do collaboration
- Albert: changes in the proposed updates in BE v2 focus on the service providers
- Following TLS 1.2 is key
- Should not be too hard for IdPs to meet TLS 1.2, but if Service Providers can't meet TLS 1.2, it's a challenge for federations and IdPs whose users depend on the services
- Concern there are operators that trust TLS to identify the IdP (as compared to relying on current InCommon metadata), or trust the TLS security to secure the SAML information. (Just because the channel is encrypted does not mean you have message level security)
- Trying to get commercial service providers to understand encrypted assertions can be hard. So encrypting the transport (TLS) is probably more realistic
- CTAB will need to look at the work required from CTAB to restart the BE v2 community consensus
- Could CTAB host ongoing office hours to help participants adopt best practices: https endpoints or
- Most recent office hours on R&S had no visitors
- Still there might be visitors to office hours around SIRTFI, https endpoints
- There are now 14 subscribers on the community consensus email list
- Suggestion to do more targeted outreach to get more community members involved
- Gather participants in the community consensus process from other Trust and Identity advisory committees?
- AnnW: frame communications in light of the current situation, providing more context
- Need a multiple pronged approach
- Explain exactly what is enabled by these best practices, tell a before and after story, rather than talking in the abstract
- Kevin: sharing stories is important, and we can pace out the steps towards getting the community re-engaged with BE v2
- Reach out to CIOs CTOs, AVP for enterprise infrastructure, people on the InCommon participants list and InCommon Exec list
- Next Step:
- AI: Brett to draft a proposed email note about restarting the Community Consensus process, mentioning things that are even more important now, including announcing office hours
- suggestion to hold BE v2 office hours at same time as CTAB call
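Added illustration, not part of the call notes: a small Python check over SAML metadata for the two SP-focused points raised above, whether assertion endpoints are https and whether an SP publishes an encryption key so the IdP can encrypt the assertion itself rather than rely on TLS alone. The metadata, entity IDs and hostnames are constructed samples, not real InCommon entities.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample metadata (not real InCommon entities): one SP that publishes a
# plain-http endpoint and no encryption key, and one that meets both checks.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp-weak.example.org/sp">
    <md:SPSSODescriptor>
      <md:KeyDescriptor use="signing"/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp-weak.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-good.example.org/sp">
    <md:SPSSODescriptor>
      <md:KeyDescriptor/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-good.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_sp(entity):
    """Return (entityID, issue) tuples for one EntityDescriptor's SP role."""
    findings = []
    entity_id = entity.get("entityID")
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings  # IdP-only entity: outside these SP-focused checks
    # Every endpoint the IdP posts assertions to should be https.
    for svc in sp.findall("md:AssertionConsumerService", NS):
        loc = svc.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append((entity_id, f"non-https endpoint: {loc}"))
    # A KeyDescriptor with use="encryption", or with no use attribute (valid for
    # both uses), is what lets an IdP encrypt the assertion, not just the channel.
    keys = sp.findall("md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "encryption") for k in keys):
        findings.append((entity_id, "no encryption key: assertions cannot be encrypted"))
    return findings

def check_metadata(xml_text):
    findings = []
    for entity in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        findings.extend(check_sp(entity))
    return findings
```

Calling check_metadata(SAMPLE_METADATA) flags only the first SP, once for each check. This inspects metadata only; whether an endpoint actually negotiates TLS 1.2 still needs a live handshake check against the service.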
Updates from related working groups/committees
- REFEDS Baseline Expectations Working Group
- This group has completed first phase.
- Went through InCommon high level expectation statements.
- Considered each at length.
- Decided in each case the expectations are about right.
- Some tweaking is needed to produce the REFEDS version.
- Pål and co-chair Alan Buxey are drafting a proposal.
- After that draft is reviewed, next step is to talk about process and policies.
- Looking at what are roles in making federation happen at global level.
- REFEDS Best Practices around Error Handling
- REFEDS errorURL WG - how would it work? Relation to SWITCH work? (Pål)
- REFEDS Consultation, https://wiki.refeds.org/display/CON/Consultation%3A+Error+Handling
- Detailed proposal is out for consultation - https://docs.google.com/document/d/1FQh2SLuxFlF4g9ARvMnXZxOlq4o4NXnNPJnRaC0ic6g/edit#heading=h.vhvyr0cxfuxz
- 4 canonical types of errors
- REFEDS Assurance (the MFA/SFA entity category discussion) https://wiki.refeds.org/display/GROUPS/Assurance+Working+Group
- REFEDS R&S (following challenge from Nicole Harris). The challenge:
- a) a completely jargon free explanation of REFEDS R&S and
- b) simple overview with some technical direction for IT departments
- KevinM shared some ideas on recent REFEDS call
- Regarding language we use to talk about attribute release
- Can be hard to explain to Internet2 Board what REFEDS and R&S are, or attribute release or entity category
- Need to talk about supporting this REFEDS R&S capability in a way that makes sense to people who are not IdM experts
- There are 2 or 3 layers of bad vocabulary when it comes to explaining to non-IdM people
- “Release” sounds like letting go of something that won’t return, which is scary to registrars and others
- Also need new term for “Entity category”
- Eric used an 8-slide PowerPoint to help explain
- Possible message that seemed to work recently: Research collaborations are plugging into this collab infrastructure. If more universities plug in, then good things will happen for those research collaborations. Call it a collaboration connector.
- Look at example of the network. People know what it does, most people don’t understand the details.
- Look at explaining DDoS and DNS, it's doable to explain those
- Need to talk about the things you must do to become collaboration ready
- user experience and security are the broad topics to talk about with CIOs
- don't talk to CIOs about attribute release
- Concern about REFEDS R&S work is the deprecation of eduPersonTargetedID
- need to remain backwards compatible
- need good change management procedures across the federations
Next CTAB Call: Wed. May 5, 2020