CTAB call Tuesday, June 29, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Rachana Ananthakrishnan, Globus, University of Chicago
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Robert Zybeck, Portland Community College
- Tom Barton, Internet2, ex-officio
- Johnny Lasker, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Ann West, Internet2
- Kevin Morooney, Internet2
- Netta Caligari, Internet2
Regrets
- Pål Axelsson, SUNET
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
- Jule Ziegler, Leibniz Supercomputing Centre
New Action Item
- AI Andy Morgan - document his approach to TLS endpoint issue and supporting older/legacy TLS versions
Discussion
Internet2 Intellectual Property reminder
Intro to Netta Caligari
- Netta Caligari is the new Internet2 Community Success Manager
- She is based in Fort Collins, Colorado
- Has recent experience working in a start-up around digital engagement
- Worked at Colorado State University previously
- Netta will be working to support Trust and Identity advisory committees
- She will assist with recruitment of new members for CTAB, onboarding
- She will also be lead for IAM Online, CAMP and Advance CAMP
Responses to Baseline Expectations version 2 (BEv2) email to InCommon Execs & Site Admins
- Email sent out last week around BEv2
- We have received approximately 100 emails related to BEv2 since March 2021
- Each email from InCommon about BEv2 prompts more responses
- Comments include:
- How do I know if I am compliant?
- I am not going to meet the proposed deadline of July 19, so letting you know
- Questions around SIRTFI, what do I need to do?
- Some confusion around checking the box, email has been modified to clarify
- Concerns about Qualys Testing Scores
- There have been questions about Qualys Testing scores
- Scores are on dashboard upon sign in to InCommon Federation Manager
- If you do not have a Qualys testing score of A, you are shown as having an action pending
- People are concerned about not meeting BEv2 because their Qualys score is not A
- InCommon Ops is updating the flag in Federation manager so the score is not considered
- Albert will
- update the Baseline Expectations wiki to explain what the score means
- continue to work with the community to reply to concerns and questions
- Excellent progress overall, encouraging
- SP adherence to BE jumped from 43% to 59%
- Probably due to a few participants with a large number of SPs
- We have scores from around June 14
- Increase in number of Qualys scores of A
- Also increase in number of Qualys scores of F, (from a small number of organizations)
- May be an anomaly
- They all have a CDN
- May have caused a false reading of F
- InCommon staff will look into this
- July 19 is the official date to transition to BEv2
- CTAB needs to think about an extension process, in the fall, for those not able to meet Baseline Expectations
- Graph on wiki does not include the Qualys score, so it excludes what’s perhaps the hardest part of BEv2
- https://spaces.at.internet2.edu/display/be/
- Score of A is not included in main Baseline Expectations text as being required, it’s in implementation guidelines
- We can use discretion, but equity and fairness are important
- The message that “CTAB/the community cares about your encryption” is having an impact
- organizations are patching servers
- Suggestion to provide more details on when the scan was performed
- Johnny: there is a date linked to when the scan was performed
- Desire for orgs to be able to initiate their own scan
- Suggestion for a checkbox for those who have performed their own scan
- Not now: because of work going on around eduroam, InCommon Operations does not have the bandwidth
- Infrastructure for testing is not set up for one off testing
- Concern self attestation would create more confusion
- Need to keep this simple for the site admins who don’t pay attention often
- Any Federation Manager element we change creates some confusion
- Self attestation around Qualys scan and score could impact how we drive the email campaigns
- Can IDPs and SPs request a new test when they make changes?
- Earliest we have InCommon staff availability to change InCommon Federation Manager is 2022
- Suggestion to document how the scan can be performed by the institution to check their infrastructure
- Suggestion for chart on the wiki to represent Qualys scores over time, April 15 and June 23 data points (DONE)
- Some orgs are intentionally supporting older/legacy TLS versions because of their use cases
- Would be helpful to have a collection of use cases and solutions
- UCOP system is a reason for a lot of N/As
- On the TLS part, the IdP itself would get an A if you could reach it directly, but the WOF in front of it is supporting legacy versions
- One issue is concern about making a change and breaking things
- Trying to come up with a target date, likely won't be as soon as July
- We should focus on this use case and ways to solve the problem
- We need to provide more examples of how to address need to support legacy
- Andy Morgan has a use case of needing to support an older system integrating with CAS; another organization would need to be convinced to update
- Richard F has a CAS use case
- John P has a use case, involving load balancer
- Eric G talking to security team about the adverse security issues in supporting these old protocols
- Next step: Identification of use cases
- Document some of the solutions
- Start with collecting BEv2 solutions in google doc that Albert will share
- AI Andy Morgan - document his approach to TLS endpoint issue and supporting older/legacy TLS versions
- Ann: suggestion for office hours or survey
- In past office hours, discussion was very general
- Perhaps ask community members to share their solutions
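The legacy-TLS use cases above (a load balancer or other front end keeping TLS 1.0/1.1 for old clients while the IdP behind it would score A) and the suggestion to document how an institution can scan its own infrastructure both come down to one question: which protocol versions does the endpoint actually negotiate? The Go program below is an added example, not code from the minutes, from CTAB or from InCommon. It stands up two servers in memory, one with a TLS 1.0 floor (the legacy shape) and one with a TLS 1.2 floor (the hardened shape; that TLS 1.2 is the floor the scan rewards is an assumption here, the minutes do not state the threshold), and probes each with a client pinned to exactly one version at a time. The certificate name idp.example.edu, the 5-second deadline and the use of an in-process pipe instead of a network socket are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions the probe offers, oldest first.
var probeVersions = []struct {
	id   uint16
	name string
}{
	{tls.VersionTLS10, "TLS 1.0"},
	{tls.VersionTLS11, "TLS 1.1"},
	{tls.VersionTLS12, "TLS 1.2"},
	{tls.VersionTLS13, "TLS 1.3"},
}

// selfSignedCert builds a throwaway ECDSA certificate in memory so the
// example needs no key files. The host name is an assumption for the example.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example.edu"},
		DNSNames:     []string{"idp.example.edu"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig is the server side under test: every version from minVersion up.
// Session tickets are off so the synchronous in-memory pipe never has an
// unread post-handshake message stuck in it.
func serverConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             minVersion,
		SessionTicketsDisabled: true,
	}
}

// probeVersion runs one handshake with a client pinned to exactly one
// protocol version and reports whether the server accepted it. Against a
// live endpoint, replace net.Pipe with net.Dial and keep the client config.
func probeVersion(serverCfg *tls.Config, version uint16) bool {
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close() // close the raw ends, not the TLS conns, so no
	defer serverEnd.Close() // close_notify write can block on a dead peer
	deadline := time.Now().Add(5 * time.Second) // a scan must never hang
	clientEnd.SetDeadline(deadline)
	serverEnd.SetDeadline(deadline)

	srv := tls.Server(serverEnd, serverCfg)
	cli := tls.Client(clientEnd, &tls.Config{
		ServerName:         "idp.example.edu",
		MinVersion:         version, // offer exactly one version so the
		MaxVersion:         version, // answer is unambiguous per probe
		InsecureSkipVerify: true,    // version negotiation only; trust is not under test
	})

	serverErr := make(chan error, 1)
	go func() { serverErr <- srv.Handshake() }()
	clientErr := cli.Handshake()
	if err := <-serverErr; err != nil || clientErr != nil {
		return false // refused (protocol_version alert) or the probe timed out
	}
	return cli.ConnectionState().Version == version
}

// supportedVersions returns the names of every version the server accepts,
// oldest first; [TLS 1.2 TLS 1.3] is the shape a hardened endpoint shows.
func supportedVersions(serverCfg *tls.Config) []string {
	var accepted []string
	for _, v := range probeVersions {
		if probeVersion(serverCfg, v.id) {
			accepted = append(accepted, v.name)
		}
	}
	return accepted
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	// Legacy: a front end that kept TLS 1.0 for old clients.
	// Hardened: floor at TLS 1.2 (assumed here to be what the scan rewards).
	for _, s := range []struct {
		label string
		min   uint16
	}{
		{"legacy   (MinVersion TLS 1.0)", tls.VersionTLS10},
		{"hardened (MinVersion TLS 1.2)", tls.VersionTLS12},
	} {
		fmt.Printf("%s accepts %v\n", s.label, supportedVersions(serverConfig(cert, s.min)))
	}
}
```

Run with `go run` to see the two lists side by side. The per-version client is the useful part for a site admin: pointing it at a load balancer, WAF or CAS front end before and after a protocol-policy change shows exactly which legacy versions are still negotiable, without waiting for the next federation scan.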
Did not cover the remaining items on this call
Federation / Operations update (Albert, Johnny)
NIH Assurance work update; AAWG update
- Consultation period has ended
- Next steps: Brett will schedule meeting of the AAWG
- Produce final version of the document
Working Group updates
- REFEDS Assurance
- REFEDS MFA sub-group
- Schema updates (R&S category; eduPersonAnalyticsTag)
- Others?
NIH Assurance updates
Deployment dive (1st of many) (Albert)
Next CTAB Call: Tuesday July 13, 2021