CTAB Call Tuesday February 21, 2023
Attending
David Bantz, University of Alaska (chair)
Warren Anderson, LIGO
Pål Axelsson, SUNET
Tom Barton, Internet2, ex-officio
Ercan Elibol, Florida Polytechnic University
Richard Frovarp, North Dakota State
Eric Goodman, UCOP - InCommon TAC Representative to CTAB
Mike Grady, Unicon
Scott Green, Eastern Washington U
Johnny Lasker, Internet2
Kyle Lewis, Research Data and Communication Technologies
Jon Miner, University of Wisc - Madison (co-chair)
Rick Wagner, UCSD
Albert Wu, Internet2
Regrets
Matt Eisenberg, NIAID
Meshna Koren, Elsevier
Andy Morgan, Oregon State University
Kevin Morooney, Internet2
Andrew Scott, Internet2
Ann West, Internet2
Emily Eisbruch, Independent, scribe
DISCUSSION
- Internet2 Intellectual Property Reminder: https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
- Disclaimer: The meeting proceedings (minutes) are published. If you wish to discuss items that you do not wish to be included in the published notes, please mention it so the scribe can note the exception.
Working Group updates
- NIST 800-63-4 review
- Continuing on schedule.
- REFEDS MFA
- Finished reviewing feedback on consultation. Will be drafting the response.
- Plan is to create a new profile identifier. i.e., leave current profile/identifier as is (because there are significant implementations in the wild that would be impacted by changing the expectations around that identifier). A new profile id will be generated, and some of the new (but “backwards compatible”) set of expectations will be published for the new identifier.
- Will there be guidance for SPs and IdPs on how to deal with the fact that there are multiple identifiers?
- Yes
- Will we look at the ability of products to make these distinctions?
- Broadly, yes.
- Looking at ForceAuthn in particular.
- Also, we assume most users deploy proxy solutions to meet InCommon requirements. It’s possible (likely) that those proxies would be able to understand either incoming request type, and depending on what the backend supports, either pass the request through to the IdP or signal failure (e.g., if the backend meets the old requirements but not the new ones, and the SP requests the new ones).
- Based on conversation, will reach out to Mike Grady to get some feedback on their experiences implementing REFEDS MFA support with non-Shib/SSP backends.
- REFEDS Assurance
- Halfway through final review of RAF 2.0 prior to public consultation; expect ~6 more weeks before ready for public consultation release
- CACTI
- No update. Meeting monthly now.
- InCommon TAC
- Had presentation and discussion with Apryl Motley @ InCommon about Internet2 messaging on value of InCommon
- Detailed discussion of 2023 TAC workplan
- SIRTFI Exercise Working Group
- 13 volunteers signed up for the working group
- next step is to set up kickoff meeting
Baseline Expectations v2 CatchUp
- InCommon Operations plans new tooling in the Federation manager to detect when an entity falls out of compliance with Baseline Expectations.
- Currently compliance is checked when changes are made to metadata.
- The work, called “Baseline Expectations Catchup”, kicks off in March and includes
- The checking process for entities' compliance with Baseline Expectations will be implemented as a separate scheduled asynchronous process, apart from when updates to metadata are made
- Updating how we track encryption scan scores over history
- Checking when a contact no longer works
- Hope to have some results to report by TechEx 2023.
2023 CTAB Work Plan
- Only minor changes were made to the work plan since last CTAB call, mostly formatting improvements
- There are three sections in CTAB work plan:
- Active items
- 1. SIRTFI Exercise Planning Working Group (SEPWG)
- 2. NIST 800-63 Rev 4 consultation - review and feedback
- 3. Clarity on Baseline Expectations enforcements / operationalizing Baseline
- Warren is willing to lead this work, and may start with a discussion group. He has prepared a spreadsheet, enumerating the baseline expectations.
- There is more if we break out the components of SIRTFI
- Looking at things that can be subject to automated checking and things that can’t (for example, no clear metric for respecting user privacy)
- Comment: thanks Warren for this great start
- Decision: a small group will review the spreadsheet Warren created, and tee up topics for the CTAB calls. Albert will likely set up a meeting on the off-week from CTAB
- Question: should we be double-checking, or simply trust, SIRTFI self attestations?
- Should we ask for a periodic (once per year) attestation from an organization that they meet Baseline Expectations? Advantages:
- Yearly attestation could be a good time to be sure the contacts are still accurate, and
- Can help new InCommon executives and admins understand their responsibilities with regard to InCommon federation. Validation for new execs and new admins is an issue that needs an improved workflow.
- Candidate CTAB Workplan items
- 4. Framing the next chapter of federation maturity
- 5. Assurance - next steps, rollout
- Items CTAB checks but does not lead
- 6. Review REFEDS Entity Categories
- Albert will update the CTAB work plan on the wiki. Will publish publicly by next CTAB call.
Next CTAB call: Tuesday, March 7, 2023