CTAB Call Tuesday, July 27, 2021


  • David Bantz, University of Alaska (chair) 
  • Brett Bieber, University of Nebraska (vice chair) 
  • Rachana Ananthakrishnan, Globus, University of Chicago 
  • Ercan Elibol, Florida Polytechnic University  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB  
  • Andy Morgan, Oregon State University 
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio  
  • Chris Whalen, Research Data and Communication Technologies 
  • Jule Ziegler,  Leibniz Supercomputing Centre 
  • Robert Zybeck, Portland Community College 
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2 
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2  


  • Pål Axelsson, SUNET
  • Richard Frovarp,  North Dakota State
  • Meshna Koren, Elsevier
  • Jon Miner, University of Wisc - Madison
  • John Pfeifer, University of Maryland  
  • Tom Barton, Internet2, ex-officio
  • Ann West, Internet2

Intellectual Property reminder


Assured Access Working Group Report

    • Consultation on the report closed June 25, 2021
    • Thanks to TomB for reviewing comments and adding a few more comments
    • Brett has updated the document 

    • Would like to see same collaboration with NSF as we have had with NIH
    • How to get Steering assistance with starting those collaborations?
    • Low hanging fruit, given we have baseline expectations in place
      • Is to require all IDPs in InCommon assert Prefix value 
      • All should conform with REFEDs assurance
      • Could be  an add-on to Baseline Expectation
      •  local enterprise: it should be easy to assert local enterprise for those that meet the criteria
    • Next version of R&S  https://refeds.org/research-and-scholarship will include a requirement to assert eduperson assurance level
      • Whether it’s “low” or “high” or other
    • Prefix value should be a no-brainer, there should be no barrier to asserting prefix except config updates

    • Several comments still outstanding on  REFEDS Assurance Framework Implementation Guidance for the InCommon Federation document
      • but they were just discussion points
    • Next steps: 
      • CTAB should approve the report
      • Then send along for reporting/informing to InCommon Steering
      • David Bantz will attend upcoming Steering meeting
      • Highlight amount of collaboration th
      • e AAWG has had with NIH
    • DECISION:  CTAB  accepts the REFEDS Assurance Framework Implementation Guidance for the InCommon Federation document as it is 
    • Albert will prepare final PDF and submit to the Trust and Identity Document repository
    • Kevin will schedule David Bantz presentation of CTAB news for September’s InCommon Steering call
    • Kevin: Steering does not need to approve the report, but would be good for Steering to have a chance to review the report
      • It will be helpful for the wiki to reflect that CTAB did its job and also Steering did its job in reviewing the report
      • Part of the story of the working groups and the arc or the work with all the governing bodies.

InCommon Steering Update on BEv2: Steering has requested a ~15 minute update on their next call;

  • Steering would like to understand:
    • where CTAB is in our process
    • how adoption rates and rollout out for BEv2 compares to BE v1
    • any observations around the NIH communications and whether they have helped BE adoption or not.
    • how Steering can help in the coming phases.

  • David B has given updates to Steering  along the way
  • Steering Exec committee met yesterday, the rapid adoption of BE V2 and the declaration that this is where we are, and policy enforcement point, is noteworthy enough that Steering should know about it. 
  • David will attend the upcoming InCommon  Steering meeting
  • Ann has communicated to the community in an email that the BEv2 adoption has been impressive
  • Uptick in last month has been remarkable
  • Good to advertise this a bit

BEv2 compliance update

  • There have been questions about how to meet BEv2 
  • Encryption issues (role of Qualys SSL Labs grading; impact of <A)
  • See  the wiki Baseline Expectations for Trust in Federation
  • Need to work on the process for granting extensions / exceptions 
  • Possible mid-Fall “clinic” 
  • We should have another jump in BEv2 adoption / adherence within another month or so
  • There have not been objections to BEv2, but some organizations have indicated they need an extension
  • Community adherence to Baseline Expectations Version 2  has been substantially (  three times) faster than Version 1

  • BEv2 Office hours will be Tuesday, August 3 at 1pm ET
  •  Albert will schedule and send out official communication (DONE)
  • Likely topics that may be raised at Office Hours 
    • Encryption:  logistical matters around SSL score
    • Folks not very active in community asking about impact of certain deadlines, we need to keep reinforcing the message
    • Closing BEv2 process, when consequences kick in
  • Impact on production operations

Handling Deadlines,  Exceptions and consequences

  • Communicate Dec 2021 as the deadline
    • January 2022 or February 2022 wrap up 
  • Question: from a process perspective, does the deadline, with consequences, require Steering approval?
    • the timeline was presented when BEv2 was approved
  •  Deadline is to trigger community dispute resolution process
  • The consequences would happen later if InCommon Steering decides an entity must be removed
  • The goal is to present clear deadlines
  • For encryption issues, the point is to utilize up-to-date encryption for endpoints.
  • What role does CTAB have for providing a review of use cases around encryption?
  • Albert: we cannot rely solely on a Qualys SSL Labs score to decide if an entity is meeting Baseline Expectations
  • Including the SSL score in Federation manager creates angst
    • InCommon operations can only perform  SSL scanning  in batches , about once per month
    • The lag is an issue for entities who so their own scan and see a higher score versus what is being shown in Federation Manager
    • There have also been false negatives in the SSL scores
  • It is reasonable to give a yes to BEv2 even if score is not an A
    • But with an asterisk, saying InCommon wants you to pay attention to this, if the SSL score is less than A

Tracking Qualys SSL Labs  Scores Over Time

  • Should we track an entity’s SSL score over time? 
  • InCommon operations knew we would need to do some ongoing testing of SSL score
  • A transient change in score should not trigger any action
  • But scores could degrade over time if we don’t stay on top of it
  • Perhaps add a “scan this entity now button” in the future
    • Albert: hope to put this on the roadmap, this will require overhaul of how   scan are done 
  • How do we keep history around BEv2 compliance and especially SSL scan scores? How long do we keep it and how public?

  • Table Top Exercises
    • There were tabletop exercises for BEv1
    • tabletop exercises for BEv2 could be helpful to decide how to handle procedural and technical matters, including the dispute resolution dockets we will spin up in the fall of 2021
    • It was noted that there are infrastructure implications around exceptions handling, how to track and what we say and show to InCommon entities

CTAB BEv2 Office Hours: Tuesday, Aug. 3, 2021

Next  regular CTAB call:  Tuesday,  Aug. 10, 2021


  • No labels