CTAB Call Tuesday April 19, 2022
Attending
- David Bantz, University of Alaska (chair)
- Jon Miner, University of Wisconsin - Madison (co-chair)
- Pål Axelsson, SUNET
- Sarah Borland, University of Nebraska
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Andy Morgan, Oregon State University
- Rick Wagner, UCSD
- Jule Ziegler, Leibniz Supercomputing Centre
- Robert Zybeck, Portland Community College
- Tom Barton, Internet2, ex-officio here
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Regrets
- Ercan Elibol, Florida Polytech Institute
- Meshna Koren, Elsevier
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Chris Whalen, Research Data and Communication Technologies
Discussion
Working Group Updates
- REFEDS Assurance - no updates
- REFEDS MFA Subgroup
- Editing the proposed draft / revision to the REFEDS MFA profile
- Hope to have a draft for the wider group to discuss in the next weeks
- Discussion on the balance between keeping the profile flexible and keeping it usable
- Want to be clear enough that implementers can make decisions that lead to a basis for comparison
- Given that strong authentication needs are evolving, how should the profile prepare?
- Is certificate authentication strong enough?
- What about MFA and WebAuthn?
- Does WebAuthn count as single-factor or multi-factor authentication?
- What will the curation / evolution process be?
- The MFA profile is de facto a proxy for the quality / strength of authentication
- What about, perhaps, an approach that is "strong" but not literally multi-factor?
- SIRTFI Exercise Working Group
- Several exercise scenarios were presented
- Working Group decided to replicate the Authentication and Authorisation for Research and Collaboration (AARC) exercises approach https://aarc-community.org/about/
- InCommon TAC Updates
- Focus on work plan items
- One topic is 3rd party certifiers
- What kind of mechanisms should be in place?
- Related to Trustmarks and tags
- Concerns the concept of how the federation model works
- Term: pixie dusting
- 3rd party interacts and can assert claim for an entity, instead of federation operator
- Example is R&S
- Federation operator is not as deeply engaged in the research community
- So another authority might be able to vouch for a particular Service Provider
- Comes up in regional networking or system wide scenarios; also comes up in seamless access community, for discovery listing
- NIH
- There will be a leadership exchange in May 2022, Mike Tartakovsky and Chris Whalen will be speaking, will summarize for the CIOs where we stand, and reinforce the ask
- Five items are now on the CTAB work plan, other items have been moved to another document
- CTAB members, please sign up for work plan items that interest you
CTAB TLS / Endpoint Encryption Proposal
- Several steps are outlined in the draft proposal, including outreach and eventually moving to dispute process
- Suggestion for eventually having a public record if an entity is not meeting the encryption standard
- We would prefer listing entities with current action items pending; we do not want to post a list of entities with any security vulnerabilities
- There is a recommendation for InCommon Operations to check as many elements as possible.
- Albert notes that this is in the works.
- InCommon Operations hopes to periodically check all the elements that baseline expectations requires.
- Scaling and Workload concerns
- Currently over 1000 entities are not scoring A in SSL Labs scan
- This is not a one time issue, scores can shift, so think of this as an operational item
- Are we willing to remove from the InCommon Federation an entity that does not get an A score?
- If we create exceptions / loopholes, it gets complex
- Dispute items would come to CTAB
- Eventually some will escalate to InCommon Steering
- See the community dispute resolution process https://www.incommon.org/federation/dispute-resolution/
- Concerned about the consequence of triggering community dispute resolution
- Question of scale: if there are more than a handful each month, it will require much effort and time. Load / strain on CTAB resources is a concern
- Suggestion that we consider this an awareness raising campaign
- Education and advocacy are important
- CTAB may want to engage the community on this at some point.
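The minutes above describe the check as an operational, recurring item rather than a one-time audit. As an added illustration (not part of the minutes and not InCommon Operations' own tooling), the script below reads a SAML 2.0 metadata aggregate, flags every endpoint whose Location is not served over HTTPS, and produces the distinct host list that a periodic TLS scan (such as the SSL Labs scan the minutes mention) would take as input. It assumes the endpoints to be checked are the Location attributes in the federation metadata; the metadata snippet itself is constructed for the example.

```python
"""Extract endpoint hosts from SAML 2.0 metadata and flag non-HTTPS ones.

Added illustration for the "check the elements baseline expectations
requires" discussion; not InCommon's own tooling. SAMPLE_METADATA is a
constructed aggregate, not real federation data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed metadata: an IdP with one plain-http SSO endpoint and an SP
# whose endpoints are all HTTPS.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Yield (entityID, element name, Location) for every element with a Location attribute."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        for el in ed.iter():
            loc = el.get("Location")
            if loc:
                yield entity_id, el.tag.split("}")[-1], loc


def non_https_endpoints(metadata_xml):
    """Endpoints whose Location scheme is not https; these fail an encryption check outright."""
    return [
        (eid, tag, loc)
        for eid, tag, loc in endpoint_locations(metadata_xml)
        if urlsplit(loc).scheme.lower() != "https"
    ]


def scan_targets(metadata_xml):
    """Distinct host[:port] values of the HTTPS endpoints: the input list for a periodic TLS scan."""
    hosts = {
        urlsplit(loc).netloc
        for _, _, loc in endpoint_locations(metadata_xml)
        if urlsplit(loc).scheme.lower() == "https"
    }
    return sorted(hosts)


if __name__ == "__main__":
    for eid, tag, loc in non_https_endpoints(SAMPLE_METADATA):
        print(f"NON-HTTPS {eid} {tag} {loc}")
    print("scan targets:", scan_targets(SAMPLE_METADATA))
```

The script deliberately stops at producing the target list: the TLS grading itself is done by an external scanner, and since grades shift as ciphers and protocol versions are deprecated, the host list (not a one-time result) is what should be fed into a scheduled job.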
Next CTAB call: Tuesday, May 2, 2022