CTAB call Tuesday, March 23, 2021


  • David Bantz, University of Alaska (chair)
  • Brett Bieber, University of Nebraska (vice chair) 
  • Pål Axelsson, SUNET  
  • Rachana Ananthakrishnan, Globus, University of Chicago   
  • Tom Barton, University Chicago and Internet2, ex-officio 
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Meshna Koren, Elsevier  
  • Jon Miner, University of Wisc - Madison  
  • Andy Morgan, Oregon State University  
  • John Pfeifer, University of Maryland   
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio 
  • Chris Whalen, Research Data and Communication Technologies 
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2  
  • Ann West, Internet2
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2  


  • Jule Ziegler,  Leibniz Supercomputing Centre
  • Robert Zybeck, Portland Community College


Intellectual Property reminder   

New Action Items

  • AI -  Rachana and Andy will report back with proposed charter and name for the working group to look at issues around R&S
  • AI -  Andy, David, Albert will discuss issues around the community's endpoint requirement concerns  before next BEv2 office hours

Older Action Item

  • AI - TomB will take issue of a standard to tell the SP what they can report back to IDP when abuse is detected to SIRTFI working group and report back to CTAB


Update on Federation Operations / Baseline Expectations v2

  • Targeted alerts for BEv2 were sent out to InCommon site admins last week.
  • See blog https://incommon.org/news/federation-site-admins-receive-baseline-expectations-notices/
  • Albert has begun plotting progress  https://spaces.at.internet2.edu/display/be
  • The data we have looks promising
  • Note: The measurement we have is for SIRTFI and ERROR URL, not endpoints
    • 55 orgs met BEv2 in January 2021
    • 103 orgs as of last Friday
    • 35 orgs updated in the last week since the targeted email announcement
  • There have been questions around “what do I need to do meet the requirement for SIRTFI?”
    • Answer is “go into Federation manager and check the Complies with SIRTFI box”
    • See page 7 here
  • There have been questions  about TLS Scoring, and why grade of A is being required
    • TO DO: CTAB should put out a statement on why we are requiring a TLS Scoring grade of A
    • Some orgs have legacy apps that don't support TLSv1.2, they must support old browsers on campus
    • There are cases where application server is incapable of current TLS
    • Suggestion: CTAB should produce best practices, recommendation on how to handle use cases for supporting legacy apps
      • e.g. Limit use of browsers in those application settings, install a 2nd browser
  • There have been questions on ERROR URL, and what should the page look like
    • Some community members would like something more than these examples provide
    • Suggestions: Provide sample pages for IdPs to use as reference/copy from 
  • Implementation Guide
    • There is an implementation guide for BEv2, but not many have read it.
    • Albert has taken the implementation guide (from the Trust and Identity Document Repository) and made it into wiki pages, and there will also be an FAQ,
    • these wiki pages has been published along with NIH support materials
    • Should we direct people to FAQ or to implementation guide?
    • Albert: direct people to the cover page with links for both FAQ and implementation guide. Implementation guide is primary
  • Preparing Responses to Common Questions around BEV2
    • Before the next BEv2 office hours, CTAB should get together and discuss issues, such as around support for older apps, or around logging, browser and app limitations
    • We can encourage community members to reach out to CTAB before office hours
    • Our messaging should emphasize "Let's talk, we will help you find solutions"
    • Possibly on org can still get grade of A with TLS 1 if careful about encryption suites
  • AI  - Andy, David, Albert will discuss issues around the community's endpoint requirement concerns  before next BEv2 office hours

Scheduling next BEv2 Office Hours

  • Next CTAB BEv2 Office Hours could be at slot of one of the upcoming CTAB calls
  • Would be helpful to have the Qualys SSL labs scanning in place before we address the issues related to endpoints
  • Shannon R and Johnny will discuss issues around Qualys SSL labs scanning tomorrow
  • It’s not always completely straightforward  
    • There are business logic issues
    • For example, how to handle cases of unreachable, scan can’t complete etc.
    • Suggestion to be reasonably forgiving
  • Not yet ready to schedule office hours
  •  There will be an NIH Office hour on Thursday April 1
    • InCommon has scheduled a second open office hour with representatives from InCommon and the National Institutes of Health to discuss the coming changes to the NIH electronic Research Administration (eRA) modules.
    • The office hour will take place Thursday, April 1, at 4 pm ET, 3 pm CT, 2 pm MT, 1 pm PT 
  • Aim for CTAB BEv2 office hours 4 weeks from today?

REFEDS R&S Working Group   

  • There has been discussion about whether eduPersonAssurance and REFEDs assurance framework should be added to R&S v2
  • Some concern about lack of fit
  • Heather F is trying to guide to consensus
  • What does it take to seamlessly collaborate? It takes more than  entity categories
  • NIH is asking for a good sampling of the things needed to bundle together for a collaboration to work
  • Includes authentication and identity assurance
  • R&S Entity Category can signal support for attribute  release
  • Should it signal more?
  • Authentication assurance and identity assurance are needed in many cases for collaboration
  • If scope is not big enough to encompass minimum things that research orgs need to interoperate, then more is needed
  • The more problems we try to solve with same tool, the more complex things get
  • Some think of R&S as an attribute release mechanism
  • In absence of specifying Research  Assurance Framework as signaling, then what will work? 
  • Need to standardize on a means of signaling.
  • How to get R&S more widely adopted within InCommon Federation?

Proposed new working group to tackle issues around MFA and R&S as part of BEv3

  • Suggestion that Rachana lead a group to tackle the issues round MFA and R&S as part of BEv3
  • Andy will co-chair this working group
  • Hope for recommendations from this group
  • They would liaise with REFEDs R&S working group regarding R&S
  • Revising  the R&S spec should happen in the REFEDS R&S working group
  • AI Rachana and Andy will report back with proposed charter and name for the proposed working group to look at issues around MFA and R&S as part of BEv3  

For Future CTAB call

  • Next steps around R&S / MFA / SA attribute bundles
    (related, new REFEDS entity categories)
    • What about IdP products that are not “R&E” friendly, ala Azure AD, Okta, etc 
    • Recipes on how to configure specific/popular IdP products to do xyz
    • Where does consent flow fit in this?
  • Working groups for detailed discussion, digesting, recommending on these topics?
  • Would a “recipe book” for BE2 be useful?

Next CTAB Call: Tuesday, April 6, 2021


  • No labels