CTAB Call Tuesday, Sept 7, 2021


  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska (vice chair)  
  • Pål Axelsson, SUNET  
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB  
  • Meshna Koren, Elsevier  
  • Andy Morgan, Oregon State University  
  • John Pfeifer, University of Maryland   
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio 
  • Chris Whalen, Research Data and Communication Technologies 
  • Jule Ziegler,  Leibniz Supercomputing Centre  
  • Johnny Lasker, Internet2   
  • Kevin Morooney, Internet2  
  • Albert Wu, Internet2  



  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • Jon Miner, University of Wisc - Madison
  • Robert Zybeck, Portland Community College 
  • Tom Barton, Internet2, ex-officio
  • Ann West, Internet2 
  • Emily Eisbruch, Internet2 


 Intellectual Property reminder

Working Group / Related Committee updates

BE2 Progress - Dashboard

  • Resumption of biweekly email notices around BEv2 led to a slight uptick in compliance
  • Albert will start to create the dispute resolution docket
  • Still 1000 Service Providers with  a score of B 
    • Could be one organization with a large number of SPs
  • Reminder that results shown on the dashboard graph do not include endpoint encryption score
  • There is an asterisk on Federation Manager for those who do not meet the Qualys SSL Labs score of A
  • There is a trend to greater compliance with each Qualys SSL Labs scan we conduct.

 Endpoint Encryption Scenarios review

  • How should we communicate to the community around endpoint encryption?
  • Issues around how to track
  • Will we require some level (A or B) ?
  • We will have to decide as we get closer to December/January

  • At the last CTAB call, there was  discussed of Scenario 1: Legacy Browser Support
  •  It may be reasonable to grant an exception if the organization is doing mitigation. 
  • Challenge of CTAB’s long-range tracking responsibility once we provide an exception to an organization around endpoint encryption
  • Suggestion: if an entity requests an exception, it should need to be renewed on a periodic basis 

  •  Scenario 3: External monitoring tool compatibility,  comes from one commercial vendor who made that claim. It is likely a one off, so we likely should not place too much emphasis on it.

  • If we spin up too heavy a tracking mechanism, it can be too much work for InCommon operations
  • Albert:  we need  to think of the purpose of Baseline Expectations
    • Is it our responsibility and obligation to police/enforce?
    • Or rely on the dispute resolution process?

  • Perhaps we only remove entities with a failing Qualys SSL Labs grade? But not work to remove those with  a B grade?
  •  The requirement for grade A in SSL Labs score is not required in the Baseline Expectations primary document
    • it is in the implementation guidelines document 

  • KevinM: The Federation Operator is not the accountability enforcement persona for Baseline Expectations
  • Accountability enforcement is peer to peer responsibility through the community dispute resolution process
  • We are working on 
    • 1. making the federation better and more trustworthy
    • 2. making using federation easier 
    • These two are sometimes at odds, and CTAB has to manage this
  • There is no silver bullet answer to the question of how to “enforce” the secure endpoints requirement
  • One scenario is for CTAB to refrain from trying to enforce the secure endpoints requirement and allow SPs that are concerned to use dispute resolution

  • DavidB: CTAB should not allow 200 or even 100 non conforming IDPs. CTAB should take steps to increase compliance.  

  • Use case: a member of CTAB is not getting an SSL Labs A grade for the IDP at his campus.
  • Does not “own” all the infrastructure involved. 
  • There is a need to update scripts, this may not be an organizational priority right now. 

Discuss via email

  • (time permitting, but will need more than 10 min) Happenings in entity categories - primer and next steps
    • SA Entity Categories (anonymous and pseudonymous) 
    • R&S 2.0 (or “Personal” entity category to complement anon and pseudo-anon)
  • Upcoming election: member rotation / recruiting / etc. 
  • Upcoming: review Dispute Resolution process (for next CTAB call)

Next CTAB Call: Tuesday, Sept. 21, 2021

  • No labels