Baseline Expectations V2 office hours

Tuesday, August 31, 2021


Attending: 13 community members

Also:

  • David Bantz, U. Alaska, CTAB Chair
  • Brett Bieber, U. Nebraska, CTAB vice chair
  • Albert Wu, Internet2
  • Johnny Lasker, Internet2


Notes


REFEDS Assurance Framework questions (not directly related to Baseline Expectations)

Looking at assurance; just got MFA working for NIH.
The Assurance Documents show there are things that can be added to eduPerson.

https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
What are other schools doing? Asserting Cappuccino and Espresso profiles?
Did you change your policies to be able to assert things like IAP medium?
We allow the help desk to do remote password resets.
We could not assert medium unless we have in-person review of each person, but then it's not in the authoritative system.
The help desk does not update the authoritative system.



BrettB:
Important questions include:

    • How do we maintain credential binding through a password reset operation?
    • How do we support re-proofing of an identity to get back up to medium?

There are claims in the REFEDS Assurance Profile related to confidence that a person is who they say they are.
There is a local enterprise claim.
There is a spectrum document showing low, medium and high.
Recommend starting with the local enterprise claim, then look at low, and work towards medium if you can.
Pulling I-9 data from the Banner system into the Identity Management system.
Can we use this in a meaningful way? Password resets cause a challenge.


Credential binding is a critical part of this.

Some of that comes down to the procedures the Help Center follows when someone calls in for a password reset.
These can elevate the confidence.
Some institutions are using IVR, where attributes get keyed into the phone.
Some of it is scoping.
Leverage a card office to perform in-person proofing.
We need to think about the issues in a risk-minded way.

Focus on local enterprise is a good approach. 

Albert:

    • The previous conversation was focusing on the REFEDS Assurance Framework, not BEv2.
    • CAMP and ACAMP,  October 4-8, 2021, will be a good place to discuss REFEDs assurance framework.

Question

  • BEv1 had a wall of fame, showcasing the status of particular organizations in meeting BEv1.
  • Do we have some equivalent of this for BEv2?

Answer

  • InCommon plans to share a list in October of organizations who have yet to meet BEv2.
  • Timetable:
    • The InCommon Federation officially transitioned to BEv2 in July 2021.
    • All organizations need to get to BEv2 ASAP.
    • In December 2021, the InCommon Federation will move to the next stage of “cleanup.”
    • In January 2022, the dispute resolution process will start;
      eventually, non-complying entities may be removed from the Federation.
  • In April 2021, we started sending biweekly emails to the InCommon Site Admins and Execs of organizations not meeting BEv2. That was paused and will resume.

InCommon Federation Manager Dashboard

  • When one signs into InCommon Federation Manager, on the dashboard you can see which entities do not meet BEv2.
  • Albert shared what the InCommon dashboard looks like and how to view the info on whether you are meeting Baseline Expectations.
  • Suggestion: it would be helpful if there was a place where InCommon Execs can see where the organization stands on meeting BEv2, without needing to ping an InCommon Admin, who has dashboard access.
    Comment: when InCommon starts to publish the Wall of Fame list, this will be a convenient place to access it.

Question

  • What is the endpoint encryption score?

Answer

  • This is related to the BEv2 STATEMENT: All Identity Provider (IdP) and Service Provider (SP) service endpoints must be secured with current and community-trusted transport layer encryption.
    It equates to TLS 1.2. InCommon runs periodic testing using Qualys SSL Labs.
  • The score is the test result from Qualys SSL Labs. We are asking organizations to get to an “A” score.
  • We are seeing good progress as we track how the community is doing in reaching BEv2 compliance.

Question

  • Are you checking for expired metadata?

Answer

  • In the metadata there is an SSL cert or a key that could have an expiration date that has passed.
    That is not part of BEv2.
    We recommend a self-signed, long-lived cert so you do not constantly need to update keys.

Question

Answer

  • We have that data but have not generated reports.
    We are not pushing people to move to MDQ.
    There is a focus on NIH requirements and BEv2.

Question

  • SP getting a B score doesn’t seem to preclude meeting Baseline Expectations. Is that true?

Answer

  • We are trying to get SPs to achieve A score.
  • Within Federation Manager, the "yes/no" flag for meeting BEv2 does not include the SSL score.
    This is because we have received some false positives and false negatives in testing. Also, there is a lag in the testing that InCommon is able to do.
  • When/If it comes to removing an entity from the federation, InCommon will look closely at the accuracy of the SSL score.

Question

Answer

  • That is the only one in R&S.
    SFA is another one that might make logical sense, but it’s generally not being asked for by SPs.


Thank you to everyone who joined the Office Hour.
