CTAB Call Tuesday, Sept 7, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
- Jule Ziegler, Leibniz Supercomputing Centre
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Albert Wu, Internet2
Regrets
- Rachana Ananthakrishnan, Globus, University of Chicago
- Jon Miner, University of Wisc - Madison
- Robert Zybeck, Portland Community College
- Tom Barton, Internet2, ex-officio
- Ann West, Internet2
- Emily Eisbruch, Internet2
Discussion
Intellectual Property reminder
Working Group / Related Committee updates
- InCommon TAC
- InCommon TAC has been discussing subject identifiers
- also focusing on CAMP / ACAMP planning
- REFEDS Assurance WG
- At the last meeting, addressed identifier uniqueness and eduPersonPrincipalName
- Next meeting, looking at section on identity proofing
- Draft Recommendations
- REFEDS MFA Sub Group
- Working on FAQ for MFA profile
- Categorizing questions and adding high level navigation so people can find answers
- May present recommendations on the future MFA profile
- Not touching the current MFA profile
- Next week: Two hour call to wrap up the FAQ work
- Entity Categories Working Group
- AndyM and DavidB participating
- The R&S Working group has been working on a new entity category called Personalized Entity Category.
- This is in connection with Anonymous Authorization and Pseudonymous Authorization
- Meeting notes: https://wiki.refeds.org/display/GROUPS/Entity+Category+Development%3A+Meeting+Notes
BEv2 Progress - Dashboard
- Resumption of biweekly email notices around BEv2 led to a slight uptick in compliance
- Albert will start to create the dispute resolution docket
- Still 1000 Service Providers with a score of B
- Could be one organization with a large number of SPs
- Reminder that results shown on the dashboard graph do not include endpoint encryption score
- There is an asterisk in Federation Manager for entities that do not meet the Qualys SSL Labs grade of A
- There is a trend to greater compliance with each Qualys SSL Labs scan we conduct.
Endpoint Encryption Scenarios review
- How should we communicate to the community around endpoint encryption?
- Issues around how to track
- Will we require a specific grade (A or B)?
- We will have to decide as we get closer to December/January
- At the last CTAB call, Scenario 1 (Legacy Browser Support) was discussed
- It may be reasonable to grant an exception if the organization is doing mitigation.
- Challenge of CTAB’s long-range tracking responsibility once we provide an exception to an organization around endpoint encryption
- Suggestion: any exception granted to an entity should need to be renewed on a periodic basis
- Scenario 3 (External monitoring tool compatibility) comes from a single commercial vendor's claim. It is likely a one-off, so we should not place too much emphasis on it.
- If we spin up too heavy a tracking mechanism, it can be too much work for InCommon operations
- Albert: we need to think of the purpose of Baseline Expectations
- Is it our responsibility and obligation to police/enforce?
- Or rely on the dispute resolution process?
- Perhaps we only remove entities with a failing Qualys SSL Labs grade? But not work to remove those with a B grade?
- The grade A SSL Labs requirement is not in the Baseline Expectations primary document
- it is in the implementation guidelines document
- KevinM: The Federation Operator is not the accountability enforcement persona for Baseline Expectations
- Accountability enforcement is peer to peer responsibility through the community dispute resolution process
- We are working on
- 1. making the federation better and more trustworthy
- 2. making using federation easier
- These two are sometimes at odds, and CTAB has to manage this
- There is no silver bullet answer to the question of how to “enforce” the secure endpoints requirement
- One scenario is for CTAB to refrain from trying to enforce the secure endpoints requirement and allow SPs that are concerned to use dispute resolution
- DavidB: CTAB should not allow 200 or even 100 non conforming IDPs. CTAB should take steps to increase compliance.
- Use case: a member of CTAB is not getting an SSL Labs A grade for the IDP at his campus.
- Does not “own” all the infrastructure involved.
- There is a need to update scripts, this may not be an organizational priority right now.
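The use case above turns on a detail the notes only gesture at: an entity's TLS posture is determined by every host named in its metadata, so a single legacy endpoint the IdP administrator does not own can be the one that misses the grade-A target. The script below is an added example, not InCommon, Federation Manager or Qualys code. The metadata, hostnames and grades are constructed; the grade-A target is taken from the implementation guidelines as described above; the rule that an entity is judged by its weakest endpoint is an assumption of this example; and the response shape used by `fetch_grades_from_ssllabs` is an assumption about the public SSL Labs v3 API, which is why that function is not called offline.

```python
"""Constructed example: triage SAML endpoints against SSL Labs grades.

Added example (not InCommon/Federation Manager tooling). Reads federation-style
SAML metadata, collects every HTTPS endpoint host each entity exposes, joins
those hosts with Qualys SSL Labs grades, and reports the entity's worst host
grade against a target grade (assumed A, per the implementation guidelines).
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# SSL Labs letter grades, best to worst. T = trust issues (untrusted chain),
# M = certificate name mismatch; both are effectively failures.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]

# Hypothetical metadata, constructed for this example (not real entities).
# ElementTree is fine for a signed aggregate you already trust; parse
# untrusted XML with defusedxml instead.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://legacy-ars.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed grades standing in for SSL Labs results.
SAMPLE_GRADES = {
    "idp.example.edu": "A",
    "legacy-ars.example.edu": "B",   # the host the IdP admin does not "own"
    "sp.example.org": "A+",
}


def endpoint_hosts(metadata_xml):
    """Map entityID -> sorted hostnames taken from every Location attribute."""
    root = ET.fromstring(metadata_xml)
    hosts = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        found = {urlparse(el.get("Location")).hostname
                 for el in ed.iter() if el.get("Location")}
        hosts[ed.get("entityID")] = sorted(found)
    return hosts


def worst_grade(grades):
    """Lowest known grade in the list, or None if none is known."""
    known = [g for g in grades if g in GRADE_ORDER]
    return max(known, key=GRADE_ORDER.index) if known else None


def compliance_report(metadata_xml, grades, target="A"):
    """Per entity: worst grade, whether every host meets `target`, and the
    hosts below target (an ungraded host counts as below target)."""
    report = {}
    for entity_id, hosts in endpoint_hosts(metadata_xml).items():
        below = [h for h in hosts
                 if grades.get(h) not in GRADE_ORDER
                 or GRADE_ORDER.index(grades[h]) > GRADE_ORDER.index(target)]
        worst = worst_grade([grades.get(h, "") for h in hosts])
        report[entity_id] = {"worst": worst,
                             "meets_target": worst is not None and not below,
                             "hosts_below_target": below}
    return report


def fetch_grades_from_ssllabs(host):
    """Network helper (not run offline). Assumes the SSL Labs v3 analyze API
    returns {"status": "READY", "endpoints": [{"grade": ...}, ...]} once a
    cached assessment exists; SSL Labs grades each IP separately, so the
    caller should feed all of them to worst_grade(). Poll until READY."""
    url = f"https://api.ssllabs.com/api/v3/analyze?host={host}&fromCache=on&all=done"
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = json.load(resp)
    if data.get("status") != "READY":
        return []
    return [ep.get("grade") for ep in data.get("endpoints", []) if ep.get("grade")]


if __name__ == "__main__":
    for eid, r in compliance_report(SAMPLE_METADATA, SAMPLE_GRADES).items():
        flag = "" if r["meets_target"] else " *"   # the Federation Manager-style asterisk
        print(f"{eid}{flag}: worst={r['worst']} below_target={r['hosts_below_target']}")
```

Run as-is it reports the constructed IdP with an asterisk because its artifact-resolution host grades B even though the SSO host is A; this is exactly the "does not own all the infrastructure" situation, and it shows why scanning only the SSO endpoint would give the administrator a misleading picture.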
Discuss via email
- CTAB at CAMP - what would CTAB like to talk about? How would CTAB like to leverage ACAMP?
- Aug 31, 2021 Office Hour Recap
- Office Hour Notes:
- https://spaces.at.internet2.edu/x/7IQTD
- (time permitting, but will need more than 10 min) Happenings in entity categories - primer and next steps
- SA Entity Categories (anonymous and pseudonymous)
- R&S 2.0 (or “Personalized” entity category, to complement anonymous and pseudonymous)
- Upcoming election: member rotation / recruiting / etc.
- Upcoming: review Dispute Resolution process (for next CTAB call)
Next CTAB Call: Tuesday, Sept. 21, 2021