CTAB call Tuesday, June 1, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
- Ann West, Internet2
- Emily Eisbruch, Internet2
- Chris Whalen, Research Data and Communication Technologies
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University of Chicago and Internet2, ex-officio
Regrets
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Albert Wu, Internet2
New Action Items from this call
- AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
- AI David - iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary
Discussion
- Intellectual Property reminder
- Agenda Bash
Working group updates
- REFEDS Assurance WG https://wiki.refeds.org/display/GROUPS/Assurance+Working+Group
- On the way to provide an update, new RAF version 2
- Addressing identity proofing
- Good progress
- REFEDS MFA subgroup
- Kicked off
- TNC, June 21 to June 25, online https://tnc21.geant.org/
- REFEDS meeting and more identity and trust meetings will occur the week before TNC, around June 15
- FIM4R will meet that week, with focus on Identity Assurance
- Side meetings at TNC21: https://tnc21.geant.org/side-meetings/
- FIM4R: https://indico.cern.ch/event/1038620/
- Assured Access Working Group
- Proposed improvements to the draft:
- add mention of bronze and silver profiles
- include the eduPersonAssurance attribute, conforming to REFEDS baseline
- Getting towards cappuccino profile or espresso profile, etc.
- Aspects beyond identity assurance
- To assert those levels, must assert the base prefix for REFEDS assurance
- Brett will incorporate that
- Will help to have CTAB think through how to solicit for more input as we get closer to consultation close date
- Ann: Had call w NIH around organization support of REFEDS Assurance Framework (RAF), identity proofing qualifiers, working to get NIH ready
- NIH will put up a website this week hopefully, with links to InCommon and REFEDS
- Suggestion to add to the Assured Access WG draft another assertion to add inside the multi valued attribute being released.
- It’s mechanics for members of InCommon, they should be supporting that through Baseline Expectations
- TomB: topics for the Assured Access WG:
- as campuses start implementing, people will need a place to go for questions that arise, need to specify where to get questions answered
- There are processes that undergird identity proofing profiles based on relationships
- NIST dropped this approach from version 2 to version 3
- But relevant in academia
- Brett AIs
- Incorporate feedback into the draft doc
- Draft info on how bronze and silver align
- Schedule meeting of Assured Access Working Group to review feedback from consultation
- NIH update (compliance tool data)
- Meetings are biweekly with NIH
- Info on the results of using a compliance check tool
- NIH IDM people updated the compliance check tool to be useful for IDP operators
- It was originally for researchers
- Goes into the details around meeting the NIH requirements
- Data will be sent to us on results of using the compliance tool
- Will use this data for a progress chart
- To show how the community is responding to the NIH requirements
- New NIH webpage will be helpful
- Privacy policy for NIH is being worked on, this was an issue for some of the UK institutions, some resistance to being sent to PubMed, and concern about how R&S would be handled
- PubMed moving to solely federated access
- Requires R&S attributes (not sure if R&S is truly needed, being looked at)
- Timetable is still taking shape
- Will update the wiki page when dates are available https://spaces.at.internet2.edu/display/federation/get-nih-ready
Email message revision re BE v2 compliance
https://docs.google.com/document/d/1IkktKTB2vWo47cnnW1zaVyW3K-UZX6oGfoXui1DheAU/edit (do not include in public notes)
- Email to those orgs not in compliance w BEv2
- Execs will get same message as Site Admins
- Suggestion to add to the note that the link in the email will work for Site Admins, but not Execs in most cases (unless they are also a site admin)
- Must go to Federation Manager to see the details
- Did we resolve the concern that the Big Ten Academic Alliance IAM group had about contacting the SPs directly?
- Big Ten thought the IDP operators often don’t have sufficient influence over the SPs, that InCommon may have more influence
- From IDP side, trying to influence SPs is fighting uphill
- Currently pulls IDP and SP info
- Some confusion around messaging
- Is the suggestion to have a special SP outreach?
- Technical contact for the SP and delegated admin are different
- Delegated admin has some access to Federation Manager
- Can be delegated for certain SPs to make changes for publication
- The Site Admin must approve the changes
- We want delegated admins to move their part of the needle and we need to message this
- AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
- Suggestion to communicate directly to each security contact, but clarify that they must contact site admin if needed
- Johnny has meeting today w EDUCAUSE, hopes to get more feedback from them
- Suggestion for targeted message just for those missing SIRTFI
- add security contacts from metadata?
- How do we communicate to participants the consequence of “not scoring ‘A’ on SSLLabs’ test”?
- Current messaging may not be clear enough
- Don’t want to imply it is needed to get an A to be in InCommon
- EricG: people want specifics, on questions like: can I claim SIRTFI? Do I need to have an A or B on SSL labs testing?
- TomB: we want to know the schedule for an org to meet the BEv2 requirements
- The issue around whether grade of A on SSL labs testing is required or not is confusing
- Cycle times, CTAB says: give yourself six months to fix this issue, if that’s not enough, let’s talk.
- Should we have a formal “extension” request for organizations that cannot meet July 2021 target for BEv2?
- Suggestion to add this info to the email message to InCommon site admins and execs, and/or add this to another message in about 2 weeks
- We don’t want organizations to start thinking they must “drop out” of InCommon federation based on SSL Labs score
- Johnny: Plan is for “teeth” to be added for BEv2 on July 19.
- We will pause changes to metadata for some issues, but NOT for the SSL grade.
- Currently the email says, “For assistance, please contact us at help@incommon.org.”
- This is too terse
- AI David - will iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary
- WebID: The End State
- https://github.com/WICG/WebID
- Concern this effort will break conversation between IDP and SP
- They intend to unpack/unbundle the attributes the IDP is sending
- Challenge is, browser vendor can’t be sure if someone is sending info to track authentication or to track the user
- Want to limit tracking, but still need to allow other things to happen
- Just disallowing the technologies will break more than authentication
- EricG has participated in some of the discussions
- InCommon TAC is involved in these conversations
- This is a multi year effort, related to SameSite effort
- No one knows what the end state will look like
- Comment: Microsoft has some info online, don’t see enough people from R&E included in the conversation.
- We should be sure our R&E use case is represented
- Heather F is involved with Google on this and she is communicating w InCommon TAC about it
- Browsers as another important player in the trust fabric?
- Suggestion for a federation friendly browser
Next CTAB Call: Tuesday, June 15, 2021