CTAB call of June 16, 2020


  • David Bantz, University of Alaska (chair)  
  • Mary Catherine Martinez, InnoSoft (vice chair)  
  • Brett Bieber, University of Nebraska  
  • Tom Barton, University Chicago and Internet2, ex-officio  
  • Ercan Elibol, Florida Polytechnic University  

  • Eric Goodman, UCOP - TAC Representative to CTAB   
  • John Pfeifer, University of Maryland 
  • Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio 
  • Chris Whalen, Research Data and Communication Technologies  
  • Jule Ziegler,  Leibniz Supercomputing Centre  
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2  
  • Jessica Fink, Internet2  


  • Pål Axelsson, SUNET
  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • Chris Hable, University of Michigan
  • Richard Frovarp,  North Dakota State

  • Jon Miner, University of Wisc - Madison
  • Robert Zybeck, Portland Community College

  • Ann West, Internet2

New Action Items

  • AI CTAB members put your name in spreadsheet next to organizations to which you want to reach out
  • AI DavidB and Albert work on assigning outreach duties to CTAB members, contacting orgs with endpoints failing BE2 proposed encryption requirement
  • AI DavidB and Albert schedule additional BE V2 Office Hours


Intellectual Property reminder   

 Baseline Expectations V2

  • Albert shared a spreadsheet, "Contacts for Orgs with endpoints failing BE2 encryption requirement", with a list of entities
    • Data is based on analysis from a few months back
    • Report grade from March 2020. Some have changed
    • As CTAB uses this list for outreach, keep in mind that the entity may no longer be failing the test
    • Both SPs and IdPs are on the list
    • A significant number are test/dev entities
    • Some are test/development/staging entities
    • What are our expectations of test/dev/experimental entities in the metadata?
    • What should be the minimum acceptable grade?
      • Is a score of B acceptable?
      • A score of T is a fail (T = certificate not trusted, typically because the name on the cert does not match the host)
    • For entities that cannot comply, how great a risk is it to the federation if we allow some entities with a low grade?
    • Suggestion to ask ScottC of the Shib development team and Shannon Roddy of Internet2 for a threat assessment
    • It makes sense to bring in experts to consult with CTAB and to conduct this conversation with the community’s involvement
    • AI CTAB members put your name in spreadsheet next to organizations to which you want to reach out
    • AI DavidB and Albert work on assigning outreach duties to CTAB members, contacting orgs with endpoints failing BE2 proposed encryption requirement

Planning for next phase - community consultation https://spaces.at.internet2.edu/display/BE/baseline-expectations-2

    • Pre-COVID we had thought about a 45-day community consensus process
    • Suggestion to end consensus on Aug. 15
    • Consensus list has about 12 subscribers
    • Hope that outreach to orgs with endpoints failing the BE2 encryption requirement will generate some feedback
    • We should use email to remind people of the consensus
    • A reminder of the consensus period is included in the June 2020 InCommon Newsletter with a link to this blog

    • DECISION: schedule three additional Office Hours in addition to the office hours that occurred on May 5, 2020
    • Concern that we might not get much participation
    • JohnP will encourage involvement in BEv2 (Big10 IAM group)
    • Focus on SSL and encryption and include security experts, such as Shannon, in the office hours
    • Implementation plan is needed
      • For BE v1, CTAB had the implementation ready to go for consensus
      • Implementation plan helps the InCommon operations staff to be ready for the upcoming effort

    • AI DavidB and Albert schedule Additional BE V2 Office Hours  

Updating exec and contact info for InCommon participants

    • As part of BE V1, we updated the InCommon participants' contact info
    • But some of that contact info is now out of date
    • InCommon participation agreement  specifies the requirement to have an exec
    • Perhaps InCommon staff should periodically reach out to verify contact and exec info
    • Would be good to automate the process
    • SIRTFI requires having updated security contact
    • BEv2 Implementation plan might include details on getting updated exec and contact info

Deployment profile - 10KM view and potential future BE - Albert & others

    • Deployment Profile for Kantara, also known as SAML2 INT https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
      • Working Group that began in InCommon TAC, moved to Kantara as a cross-industry working group
    • Developed deployment profiles around interoperation
    • Released in Dec 2019
    • Includes statements tackling the interoperability vagueness
    • Makes sense for InCommon to adopt this as best practice
    • With Baseline Expectations caliber requirements
    • InCommon TAC is looking at the Deployment Profile
    • Questions: If InCommon adopts the Deployment Profile, with what priority and to what extent should it be required?

    • Issue of subject identifier
    • Related profile, the SAML subject identifier profile https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html
    • To replace eduPersonTargetedID
    • Replacing subject identifiers is agreed on
    • Moving over to using the new subject IDs for all SPs and IdPs is a big deal and a heavy lift
    • Could require an approach like that used for BE
    • How much should we include in Baseline Expectations?
    • Some of the items we should put on the roadmap

Next CTAB Call: Tuesday, June 30, 2020 (office hours call)