Attending
- David Bantz, University of Alaska (chair)
- Mary Catherine Martinez, InnoSoft (vice chair)
- Brett Bieber, University of Nebraska
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University Chicago and Internet2, ex-officio
Ercan Elibol, Florida Polytechnic University
Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - TAC Representative to CTAB
- Jon Miner, University of Wisc - Madison
- John Pfeifer, University of Maryland
- Robert Zybeck, Portland Community College
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Jessica Fink, Internet2
Regrets
- Pål Axelsson, SUNET
- Chris Hable, University of Michigan
- Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
Jule Ziegler, Leibniz Supercomputing Centre
Ann West, Internet2
Action Items from this call
- AI Albert check with NickR and team on whether the proposed approach to endpoint scans (periodic async scans) is practical
- AI David and Albert work with Jessica to establish and publicize BE V2 office hours for July 28, 2020
Discussion
Intellectual Property reminder
For reference: Proposed baseline-expectations-2
Proposed Addition to Baseline Expectations (BE) 2.0 On Encrypting endpoints
- Proposed BE Statement:
- All Identity Providers (IdP) and Service Providers (SP) service endpoints must be secured with current and community-trusted transport layer encryption.
- Notes from June 30, 2020 Office Hours on encrypting endpoints
- Agreed that we will not require any particular grade as part of Baseline Expectations
- General statement appears OK
- In Clarification document note that regarding SSL lab grade, requirements of “B”: B is minimally acceptable; aim for A,
- and if you have B, consult with your info sec team
- Need implementation guidance for federation operator
- Check for https:
- Possibly async scan of data (see Albert for ideas)
- AI Albert check with Nick R and team on whether the proposed approach to endpoint scans (periodic async scans) is practical
- Question: how will we know when an org is out of compliance with this endpoints requirement of Baseline?
- Answer: use various events (executive change) to trigger async checking. Then we notify the site administrator
- Orgs need to use MDQ
- TomB:
- 1. need to manage workflow of getting things checked
- 2. Need to clearly articulate to participants what the expectation is
- Good idea to reference SSL Labs grade in the clarification document
Concern on challenges around checking for endpoint encryption
- For Baseline Expectations v1, there were crisp expectations
Baseline Expectations for Trust in Federation - For BEv1, for privacy statement, we checked for syntax
- Proposal that testing for endpoints would be that https is present in URL
- Albert: the SSL scan takes time, one minute to test one host
- Impractical to test synchronously when org enters data
- Licensing issue with SSL labs, we can test one host at a time
- Proposal that scan will be done at certain intervals
- There will be self service dashboard for InCommon Execs,
- Where they can check their grade
- Right now Shannon Roddy does periodic scans of endpoints
- InCommon operations lacks a way to do meaningful reporting back the SSL grade
- Albert: suggestion that we handle the endpoints security the way we handle privacy statements in BE v1
- TomB: check for presence of https is not sufficient
- comment: in BEv1 there are expectations that are not being verified
- Tom: Thought plan was that in BEv2 we were going to increase the strength of testing around security
- David: A scan will be triggered by a change to metadata
- Albert: we transition to BEv2 but the InCommon checking of endpoints will need to wait for when the federation operator is able to do so
- TomB: could erode trust in InCommon Federation if we set an expectation that we can’t test/check
- TomB: be careful about including something that is "guidance" as part of Baseline Expectations
- Kevin: The federation started with requests but not requirements
- Baseline Expectations is about stronger requirements
- It’s a difficult line to draw
- Since we don’t want to require things that we can’t enforce
- Comparison with income tax
- You must file income tax
- If you don’t file income tax, the consequence may be delayed but there will be consequence
- Can we say that once per year, all endpoints will have been checked?
- We will need a process to provide feedback for entities that fall below the grade
- Next steps: discuss endpoint encryption checking issues again
- Brett will share some opinions
ERROR URL
- Proposed statement: All IdP metadata must include an errorURL; if the condition is appropriate, SPs should use the IdP-supplied errorURL to direct the user to proper support.
- We should suggest that if possible, implement the REFEDS error URL syntax
- We’d do same check as for privacy statements
- But harder to check Error URL “live”
- The SA would need to bring the entity online at the time they register the metadata
- Can point people to new REFEDs error handling syntax
https://refeds.org/specifications/saml-v2-0-metadata-deployment-profile-for-errorurl-version-1-0 - There’s no async checking in today’s federation manager
- Could indicate whether the test was complete, give feedback such as
“You have failed this test” that we would publish on a provisional basis
SIRTFI https://refeds.org/sirtfi
- Proposed Statement: All entities (IdP and SP) meet the requirements of the Sirtfi v1.0 trust framework when handling security incidents involving federation participantsNeed to elaborate the implementation phases
- Validate security contact - send email to validate address periodically.
Plan for Next Office BE v2 hour
- We have had two BEv2 Office hours
- We suggested we’d have another that would deal with items other than endpoint encryption (SIRTFI and ERROR URL).
- DECISION: next office hours 2 weeks from today on July 28, 2020
- AI, David and Albert work with Jessica to establish and publicize BE V2 office hours for July 28, 2020
Did not discussion on this call:
- Drafting implementation plan
- Table top exercise? When, what?
Next CTAB Call (office hours) : Tuesday, July 28, 2020