Attending

  • David Bantz, University of Alaska (chair)
  • Mary Catherine Martinez, InnoSoft (vice chair)
  • Brett Bieber, University of Nebraska
  • Rachana Ananthakrishnan, Globus, University of Chicago
  • Tom Barton, University of Chicago and Internet2, ex-officio
  • Ercan Elibol, Florida Polytechnic University
  • Richard Frovarp, North Dakota State
  • Eric Goodman, UCOP - TAC Representative to CTAB
  • Jon Miner, University of Wisconsin - Madison
  • John Pfeifer, University of Maryland
  • Robert Zybeck, Portland Community College
  • Albert Wu, Internet2
  • Emily Eisbruch, Internet2
  • Jessica Fink, Internet2

Regrets

  • Pål Axelsson, SUNET
  • Chris Hable, University of Michigan
  • Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio
  • Chris Whalen, Research Data and Communication Technologies
  • Jule Ziegler, Leibniz Supercomputing Centre
  • Ann West, Internet2

Action Items from this call

  • AI: Albert to check with Nick R and team on whether the proposed approach to endpoint scans (periodic async scans) is practical
  • AI: David and Albert to work with Jessica to establish and publicize BE v2 office hours for July 28, 2020

Discussion

Intellectual Property reminder   

For reference: Proposed baseline-expectations-2 

Proposed Addition to Baseline Expectations (BE) 2.0 On Encrypting endpoints

  • Proposed BE Statement:
    • All Identity Provider (IdP) and Service Provider (SP) service endpoints must be secured with current and community-trusted transport layer encryption.
  • Notes from June 30, 2020 Office Hours on encrypting endpoints
  • Agreed that we will not require any particular grade as part of Baseline Expectations
  • General statement appears OK
  • In the Clarification document, note regarding the SSL Labs grade: "B" is minimally acceptable; aim for "A"
    • and if you have a "B", consult with your info sec team
  • Need implementation guidance for federation operator
    • Check for https:
    • Possibly async scan of data (see Albert for ideas)
  • AI: Albert to check with Nick R and team on whether the proposed approach to endpoint scans (periodic async scans) is practical
  • Question: how will we know when an org is out of compliance with this endpoints requirement of Baseline?
  • Answer: use various events (e.g. an executive change) to trigger async checking. Then we notify the site administrator
  • Orgs need to use MDQ
  • TomB: 
    • 1. need to manage workflow of getting things checked
    • 2. Need to clearly articulate to participants what the expectation is
  • Good idea to reference SSL Labs grade in the clarification document

Concern on challenges around checking for endpoint encryption

  • For Baseline Expectations v1 (Baseline Expectations for Trust in Federation), there were crisp expectations
  • For BEv1, for the privacy statement, we checked for syntax
  • Proposal that testing for endpoints would be that https is present in URL
  • Albert: the SSL scan takes time, one minute to test one host
  • Impractical to test synchronously when org enters data
  • Licensing issue with SSL Labs: we can test only one host at a time
  • Proposal that scan will be done at certain intervals 
  • There will be a self-service dashboard for InCommon Execs, where they can check their grade
  • Right now Shannon Roddy does periodic scans of endpoints
  • InCommon operations lacks a way to report the SSL grade back in a meaningful way
  • Albert: suggestion that we handle the endpoints security the way we handle privacy statements in BE v1
  • TomB: check for presence of https is not sufficient
  • comment: in BEv1 there are expectations that are not being verified
  • Tom: Thought plan was that in BEv2 we were going to increase the strength of testing around security
  • David: A scan will be triggered by a change to metadata
  • Albert: we transition to BEv2, but InCommon's checking of endpoints will need to wait until the federation operator is able to do so
  • TomB: could erode trust in InCommon Federation if we set an expectation that we can’t test/check
  • TomB: be careful about including something that is "guidance" as part of Baseline Expectations
  • Kevin: The federation started with requests but not requirements
    • Baseline Expectations is about stronger requirements 
    • It’s a difficult line to draw
    • Since we don’t want to require things that we can’t enforce
  • Comparison with income tax:
    • You must file income tax
    • If you don't file income tax, the consequence may be delayed, but there will be a consequence
  • Can we say that once per year, all endpoints will have been checked?
  • We will need a process to provide feedback for entities that fall below the grade
  • Next steps: discuss endpoint encryption checking issues again 
  • Brett will share some opinions


ERROR URL

  • Proposed statement: All IdP metadata must include an errorURL; if the condition is appropriate, SPs should use the IdP-supplied errorURL to direct the user to proper support.
  • We should suggest that if possible, implement the REFEDS error URL syntax
  • We’d do same check as for privacy statements 
  • But harder to check Error URL “live” 
  • The SA would need to bring the entity online at the time they register the metadata
  • Can point people to the new REFEDS error handling syntax:
    https://refeds.org/specifications/saml-v2-0-metadata-deployment-profile-for-errorurl-version-1-0
  • There’s no async checking in today’s federation manager
  • Could indicate whether the test was complete, give feedback such as
    “You have failed this test”  that we would publish on a provisional basis
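As an added illustration (not the federation manager's code or anything CTAB adopted), the following script performs the two purely syntactic metadata checks discussed above: the "check for https" on every service endpoint from the endpoint-encryption section, and the privacy-statement-style presence check on the IdP errorURL, with an advisory check for the REFEDS placeholder syntax. The metadata aggregate is constructed with hypothetical entities, the finding identifiers are this example's own, and the script deliberately stops short of any TLS scan, since that cannot be done offline and is the part the minutes say needs an async process.

```python
"""Offline metadata checks for the two proposed BE 2.0 items discussed above:
encrypted service endpoints and an IdP errorURL with REFEDS-style syntax."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Placeholders defined by the REFEDS errorURL deployment profile; an IdP
# substitutes them at runtime so the SP can build a context-rich support link.
REFEDS_ERRORURL_PLACEHOLDERS = (
    "ERRORURL_CODE", "ERRORURL_TS", "ERRORURL_RP", "ERRORURL_TID", "ERRORURL_CTX",
)

# Constructed sample aggregate with hypothetical entities (not real federation
# metadata): one IdP with a non-https logout endpoint, one clean SP, and one
# IdP whose errorURL carries none of the REFEDS placeholders.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
        errorURL="https://idp.example.edu/error?code=ERRORURL_CODE&amp;ts=ERRORURL_TS&amp;rp=ERRORURL_RP&amp;tid=ERRORURL_TID&amp;ctx=ERRORURL_CTX">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          index="1" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
        errorURL="https://idp2.example.net/help">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp2.example.net/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _local(tag):
    """Strip the namespace prefix from an ElementTree tag: '{ns}Foo' -> 'Foo'."""
    return tag.rsplit("}", 1)[-1]


def check_endpoints(entity):
    """Flag every Location/ResponseLocation in the entity that is not https.

    This is the syntactic "check for https" from the minutes; it says nothing
    about the TLS configuration behind the URL (that needs a network scan).
    """
    findings = []
    for elem in entity.iter():
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url is not None and urlparse(url).scheme.lower() != "https":
                findings.append(("endpoint-not-https", f"{_local(elem.tag)} {attr}={url}"))
    return findings


def check_error_url(entity):
    """Require an errorURL on each IDPSSODescriptor; advise on REFEDS syntax."""
    findings = []
    for idp in entity.findall(f"{{{MD_NS}}}IDPSSODescriptor"):
        url = idp.get("errorURL")
        if not url:
            findings.append(("errorurl-missing", "IDPSSODescriptor has no errorURL"))
            continue
        if urlparse(url).scheme.lower() != "https":
            findings.append(("errorurl-not-https", url))
        missing = [p for p in REFEDS_ERRORURL_PLACEHOLDERS if p not in url]
        if missing:
            # Advisory only: the minutes suggest, not require, the REFEDS syntax.
            findings.append(("errorurl-no-refeds-placeholders", ", ".join(missing)))
    return findings


def check_metadata(xml_text):
    """Map each entityID in an aggregate (or a single EntityDescriptor) to its findings."""
    root = ET.fromstring(xml_text)
    return {
        entity.get("entityID"): check_endpoints(entity) + check_error_url(entity)
        for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor")
    }


if __name__ == "__main__":
    for entity_id, findings in check_metadata(SAMPLE_METADATA).items():
        print(("FAIL " if findings else "OK   ") + entity_id)
        for check, detail in findings:
            print(f"    {check}: {detail}")
```

Run against an aggregate, the script gives the per-entity feedback the minutes describe ("you have failed this test") at registration time, synchronously, because it never touches the network; the SSL Labs grade discussed earlier would be a separate, scheduled job that reads the same endpoint list and files its result later.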


SIRTFI https://refeds.org/sirtfi

  • Proposed Statement: All entities (IdP and SP) meet the requirements of the Sirtfi v1.0 trust framework when handling security incidents involving federation participants
  • Need to elaborate the implementation phases
  • Validate security contact: send email to validate the address periodically.


Plan for next BE v2 office hour

  • We have had two BEv2 office hours
  • We suggested we'd have another that would deal with items other than endpoint encryption (SIRTFI and ERROR URL).
  • DECISION: next office hours two weeks from today, on July 28, 2020
  • AI: David and Albert to work with Jessica to establish and publicize BE v2 office hours for July 28, 2020


Not discussed on this call:

  • Drafting implementation plan
  • Table top exercise? When, what?


Next CTAB Call (office hours): Tuesday, July 28, 2020