CTAB call Tuesday, May 4, 2021
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University Chicago and Internet2, ex-officio
- Ercan Elibol, Florida Polytech Institute
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Chris Whalen, Research Data and Communication Technologies
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
SAML2Int Adoption Analysis - Common Requirements (four-part document)
- Relates to Deployment profile
- Intellectual Property reminder
- Agenda Bash
Working Group Updates
Assured Access Working Group
- The Assured Access Working Group has made progress on the guidance document.
- The working group has been sharing the guidance document with outside audiences and has received initial feedback.
- IAM Online planned for Wednesday, May 12, 2021, 2pm ET
- IAM Online title: Increasing Identity Assurance and Improving NIH Readiness
- Tom will moderate the IAM Online
- Brett will share content
- CTAB members are invited to suggest poll questions for the upcoming IAM Online
- AnnW and others have had conversations with NIH about the work of the Assured Access Working Group
- NIH is supportive of the work of the Assured Access Working Group
Potential New CTAB Working Group to look at issues around increasing trust in federation (MFA, R&S and Assurance)
- Andy and Rachana met and discussed the potential new working group, which has also been discussed on previous CTAB calls
- See CTAB notes of March 23, 2021
- The mandate for the proposed Working Group is very broad and needs to be clarified
- Rachana reported:
- As a first step, we have had some initial discussions to explore areas we could focus on, and we would like to gather the broader group’s input. Our suggestion is that we invest time looking to understand current adoption, barriers for adoption (technical, social, legal/privacy), potential mitigation (technical, areas needing investment) to help inform CTAB on setting any federation wide policy and/or recommendation. Topics of interest:
- MFA signaling for Baseline Expectations
- IdPs and SPs should not throw bad errors when an SP asks for REFEDS MFA.
- A REFEDS subgroup may be looking at this
- Assurance level signaling for BE
- R&S for BE (or other means for R&S adoption)
- Explore all of above with a “super” entity category combining R&S, Assurance and MFA
- Request for input from CTAB members to determine what the focus of a WG needs to be.
- Suggestion that a subset of CTAB members conduct an impact analysis on adding MFA signaling, R&S for BE, etc.
- At the open office hours with NIH, there was confusion about the MFA requirement. That might be the most urgent need.
- A group is forming from the REFEDS Working Group to tackle MFA issues, continuing the conversation from the 2020 ACAMP. It makes sense to coordinate with the REFEDS MFA subgroup.
- Addressing Community Questions
- There were questions at BEv2 office hours around SIRTFI
- Addressing questions around SIRTFI should be a priority
- including on what it means to check the SIRTFI box
- Do I need to ask permission to check the SIRTFI checkbox?
- Answer is that it’s a judgment call
- Need to make it clearer that organizations are self-asserting SIRTFI and that it's OK to do so
- CTAB may want to track the questions people are asking, and use that as a tool to figure out what to do next.
- Also need to figure out what’s next for Baseline Expectations? (R&S, MFA)
- What are the principles around what to include in Baseline Expectations?
- Suggestion for a super entity category
- See the REFEDS assurance profiles named after coffee (Cappuccino, Espresso)
- Concern that a super entity category might be hard to get flying
- How do we get more service providers to do what NIH has done?
- Piggyback on the NIH requirements to build pressure from the research side
- Suggestion that, to reframe this, look at it from the perspective of what CTAB needs to focus next, rather than choosing a topic for a WG. We don't have to create a WG, if we don't need one now.
- CTAB needs to decide what to focus on next to add value to the federation after the NIH assurance work
- Suggestion that CTAB could see how we do with the NIH requirements, then decide next steps
- The NIH requirements provide a way to push items we have been considering.
- The amount of adoption we see in response to NIH requirements will be revealing as we determine next steps
- Comment: Challenging to focus on anything but the NIH requirements at this time.
- Can CTAB help more with the NIH efforts?
- TomB: We have the right people engaged. CTAB needs to stay informed.
- FIM4R work is moving forward; FIM4R will talk soon about its next piece of work, focusing on Assurance in response to the NIH requirements. https://fim4r.org/about/
- TomB is our liaison to FIM4R
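The MFA signaling topic above (an SP asking for REFEDS MFA, and IdPs and SPs not "throwing bad errors" when it cannot be satisfied) comes down to two SAML 2.0 details: the RequestedAuthnContext the SP sends, and what the SP does with the Status and AuthnContextClassRef it gets back. The following is an added illustration, not CTAB, InCommon or REFEDS code. The namespace, status and context URIs are the standard SAML 2.0 and REFEDS values; the four sample Responses are constructed and unsigned, and signature validation (which a real SP performs before any of this) is assumed to have happened already.

```python
"""Check whether a SAML 2.0 Response satisfies an SP's request for the
REFEDS MFA profile. Added example; the sample responses are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def requested_authn_context(class_ref=REFEDS_MFA):
    """The RequestedAuthnContext an SP puts in its AuthnRequest to ask for
    REFEDS MFA. Comparison="exact" means the IdP must assert this class
    ref verbatim or fail the request (SAML core: Responder/NoAuthnContext)."""
    return (
        f'<samlp:RequestedAuthnContext xmlns:samlp="{NS["samlp"]}" '
        f'xmlns:saml="{NS["saml"]}" Comparison="exact">'
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
    )


def evaluate_mfa_response(response_xml, required=REFEDS_MFA):
    """Return (accepted, reason). A Success status alone says nothing about
    whether MFA happened; the SP must also check the asserted class ref.
    Signature validation is assumed to have been done before this call."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None:
        return False, "malformed: no Status"
    top = status.get("Value")
    if top != STATUS_SUCCESS:
        # Second-level StatusCode is where the IdP explains *why* it failed.
        sub = status.find("samlp:StatusCode", NS)
        sub_val = sub.get("Value") if sub is not None else None
        if sub_val == STATUS_NO_AUTHN_CONTEXT:
            return False, "idp cannot satisfy requested context"
        return False, f"idp error: {sub_val or top}"
    refs = [
        e.text
        for e in root.findall(
            ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
        )
    ]
    if not refs:
        return False, "success status but no AuthnContextClassRef"
    if required in refs:
        return True, "mfa asserted"
    return False, f"mfa not asserted, got {refs}"


def _response(status_code, sub_code=None, class_ref=None):
    """Build a minimal, unsigned Response for the demo (constructed data)."""
    sub = f'<samlp:StatusCode Value="{sub_code}"/>' if sub_code else ""
    assertion = (
        "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    ) if class_ref else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        f'<samlp:Status><samlp:StatusCode Value="{status_code}">{sub}'
        f"</samlp:StatusCode></samlp:Status>{assertion}</samlp:Response>"
    )


# IdP did MFA and said so: the only case the SP should accept.
SAMPLE_MFA_OK = _response(STATUS_SUCCESS, class_ref=REFEDS_MFA)
# IdP ignored the request and asserted password-only: must be rejected.
SAMPLE_PASSWORD_ONLY = _response(STATUS_SUCCESS, class_ref=PASSWORD_PT)
# The "good" failure: IdP says precisely that it cannot provide the context.
SAMPLE_NO_CONTEXT = _response(STATUS_RESPONDER, STATUS_NO_AUTHN_CONTEXT)
# The "bad" error: an opaque Responder failure the SP cannot explain to users.
SAMPLE_VAGUE_ERROR = _response(STATUS_RESPONDER)

if __name__ == "__main__":
    for name, xml in [("mfa_ok", SAMPLE_MFA_OK), ("password_only", SAMPLE_PASSWORD_ONLY),
                      ("no_context", SAMPLE_NO_CONTEXT), ("vague_error", SAMPLE_VAGUE_ERROR)]:
        print(name, evaluate_mfa_response(xml))
```

The two failure samples show the distinction the office-hours confusion was about: an IdP that answers Responder plus NoAuthnContext lets the SP tell the user "your home organization does not offer MFA for this service", whereas a bare Responder error or a silently downgraded PasswordProtectedTransport assertion leaves the SP either guessing or, worse, accepting a login that never satisfied the requirement.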
Baseline Expectations v2
- A new version of Federation Manager is launching tomorrow, May 5.
- It shows whether an entity meets BE and, if not, what is missing.
- It also lists the entity's TLS score, if one is available.
Deployment Profile Analysis/Adoption
- Four-part document; InCommon TAC has worked on this for about four months
- It looks at SAML deployment practice
- and at which statements of the deployment profile are high priority for the Federation to adopt
- Baseline Expectations sets the high-level requirements
- This document provides the details
- CTAB members, please delve in and provide your thoughts
CAMP proposal deadline has been extended.
- Brett submitted a proposal on the Assured Access Working Group
- DavidB will submit a presentation proposal on CTAB / Baseline Expectations
Did not discuss on this call:
BE2 Office Hour Follow up
- What were your takeaways?
- Suggestion from Rachana - One recommendation from listening in to the office hours: we should consider setting up an information session with Q&A on SIRTFI, ideally scoped in the context of BE2. Based on the questions on that topic, and Tom’s responses, there is a slightly different lens to approaching this than a strict compliance standard that most of us are used to. Proactively making people aware of the intent and the ask might be a worthy time investment.
- Is it worthwhile to run tabletop exercises to (a) refresh everyone's memory on how the dispute resolution process works, and (b) explore how we'd address common or likely use cases that may trigger dispute resolution in BE2?
Next CTAB Call: Tuesday, May 18, 2021