CTAB Call Tuesday, August 10, 2021


  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska (vice chair)
  • Rachana Ananthakrishnan, Globus, University of Chicago   
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State 
  • Meshna Koren, Elsevier 
  • Jon Miner, University of Wisc - Madison  
  • Andy Morgan, Oregon State University  
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio  
  • Tom Barton, Internet2, ex-officio  
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2  
  • Ann West, Internet2 
  • Albert Wu, Internet2  
  • Netta Caligari, Internet2  


  • Pål Axelsson, SUNET
  • John Pfeifer, University of Maryland  
  • Chris Whalen, Research Data and Communication Technologies 
  • Jule Ziegler,  Leibniz Supercomputing Centre
  • Robert Zybeck, Portland Community College
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Emily Eisbruch, Internet2  



 Recap of InCommon Steering update  

  • DavidB provided an update to InCommon Steering last week. 
  • Slides were emailed to CTAB.
  • Highlights: 
    • We are ahead of where we were in the cycle with Baseline Expectations V1. 
    • We are approaching 80% compliance for BEv2
    • On track to have almost complete compliance by the end of 2021.
    • Will need to handle a small number of non complying entities at the start of 2022.
    • At some point in the future, probably in Baseline Expectations v3, CTAB will need to deal with entity categories and with Assurance
  • KevinM: David B provided an excellent update to InCommon Steering, thanks.

BEv2 Office Hour August 3, 2021 - debrief 

  •  BEV2 Office Hour went well 
  • Many questions about encouraging ADFS or Azure  to join the InCommon federation
  • ADFS:
    •  issue of policy issues of how organizations stand up IDPs
    • Most using ADFS or Azure are running enterprise SSL solution
    • ADFS working with Shibboleth
    • Meshna: is the question around ADFS a technical question?
    • Albert: there are several scenarios
    • Issues w metadata because of how ADFS or Azure makes use of metadata 
    • Compatibility with what federation requires
    • Consumption of InCommon metadata becomes an issue
    • How to “grab” the aggregates
    • How entity ID is named
    • Can’t choose entity  ID in Azure
    • Questions around MFA 
    • How to configure Azure to support REFEDS MFA profile
    • Did  not come up on this Office Hour call ..
    • Question: should we talk with Microsoft about this?
    • As InCommon Federation, could we be a good partner for a conversation w Microsoft
    • TomB: many have tried over the years
    • There have been some successes in the past
    • The  people at Microsoft who “got it” left Microsoft
    • Our Higher Ed community does not have enough influence currently
    • It was noted that having common customers can sometimes help
    • TomB: we would like to get Microsoft to enhance their products, but short of that, technology is available for bolting onto ADFS: 


  • There does not seem to be  a lot of concern in the community around BEv2
  • We expect that people will come to the final BEv2 Office hour, just before the deadline.
  • Next BEv2 office hour is Tuesday, August 31, 2021
  • We will have placeholder for office hour monthly, until end of December 2021

2021 NSF Cybersecurity Summit (Brett/Rachana)

  • https://www.trustedci.org/2021-cybersecurity-summit
  • Rechana encouraged Brett to submit a proposal for 2021 NSF Cybersecurity Summit
  • The proposal has been accepted
  • Closely related to Trusted  CI  https://www.trustedci.org/
  • Proposal references our work with NIH
  • This is an opportunity to expand the partnerships beyond the NIH, perhaps to organizations on NSF side
  • Brett is interested in your ideas on what to include as part of a call to action

Walk through of “I can’t meet SSLLab A requirement” scenarios (Albert)

  • Please chime in if you are aware of other scenarios or if you have other approaches to these scenarios
  • There are various scenarios from organizations that can’t meet the grade of A at this time
  • There are potential legitimate reasons for this situation
  • How should we respond to these organizations?
  • How do we manage exceptions?
  • Scenarios: 
    • Scenario 1: Legacy Browser Support
    • Scenario 2: Legacy Application/OS support (Backchannel)
    • Scenario 3: External monitoring tool compatibility
    • Scenario 4: Entity not testable 
    • Scenario 5: Load Balancer is handling SSL processing

For each scenario, what is the risk in granting an exception?

  • Comment: in each scenario, except Scenario 4,  the organization is increasing exposure to a range of risks because of one application. It makes sense to partition, to minimize the damage.  We should likely ask for a plan around partitioning.
  • Discussed scenario 1, Legacy Browser Support, on this call. Discuss the other scenarios later.
    • Ideally, we want an IDP to use BE requirements as an added incentive to rally SP operator to update its application to support modern encryption.
    • Further details are recorded in the Scenarios document
  • All are encouraged to provide their ideas on the Scenarios document

Resume BE2 Notifications (with minor wording updates)

  • December 17 will be communicated as the deadline to meet Baseline Expectations v2. 

  • Schedule of additional BE2 Office Hours (Albert)
    • Next, August 31st, 2021

Not discussed on this call: Recruiting new members this Fall at CAMP 

Next CTAB Call: Tuesday, Aug. 24, 2021

  • No labels