David Bantz, University of Alaska (chair) 

  • Jon Miner, University of Wisc - Madison (co-chair)  
  • Warren Anderson, LIGO  

  • Pål Axelsson, SUNET  
  • Tom Barton, Internet2, ex-officio 

  • Matt Eisenberg, NIAID  
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB  
Mike Grady, Unicon 
Scott Green, Eastern Washington U 

  • Johnny Lasker, Internet2 

  • Kyle Lewis, Research Data and Communication Technologies
  • Andy Morgan, Oregon State University  

  • Andrew Scott, Internet2  

  • Rick Wagner, UCSD
Ann West, Internet2
Albert Wu, Internet2
  • Emily Eisbruch, Independent, scribe 


  • Meshna Koren, Elsevier
  • Kevin Morooney, Internet2



NIST 800-63-4 review 

    • Links:
    • CTAB should convene joint group with InCommon TAC (and possibly CACTI and others)
    • The review of NIST 800-63-4  is on the InCommon TAC workplan
    • Formulate coordinated response from InCommon community
    • Goal would be to produce reviewable content by end of February
    • Comments are due to NIST by March 24, 2023, series of spreadsheets must be filled in
    • Preliminary thoughts:
      • The issue of preferred names (lived names) is important. How necessary is “legal” name?
      • There are concerns about security within research. Identity  team deciding if ORCID  identifier is authoritative persistent identifier.
      • NIST is influential. Trying to use REFEDs to allow reasonable equivalent.  Submitting comments thru NIH channels. IAL1 is too strong.  REFEDs high is almost IAL2 , but not IAL1 (!!) 
      • It's about mitigating risk and how this will work as a tool for us, or not
      • NIST 800-63-4 is guidance, per its own FAQ
      • Part C, does it describe our federation?
      • There is a requirement to signal FAL level, but not an explain on how to implement that.
    • Next steps: read entire NIST 800-63-4 and then decide which part you want to focus on
    • DECISION: Tom Barton will lead a reading group of NIST 800-63-4 (likely weekly meetings). Albert will flywheel. Includes coordinating with InCommon TAC and CACTI. 

2023 CTAB Work Plan (continued from last CTAB call)

  • Workplan Item: Proposal to frame first item in work plan (formerly called XXX Readiness) as
    “Framing the next chapter of federation maturity”
    • It's not about compliance; it's about being helpful  
    • Concern this should be scoped more
    • Perhaps just do the review of what's available and then decide next steps
    • There is work in progress on many related areas, including
      • IAM practices - assurance, identity lifecycle management, account mgmt (linking, mapping, decorations)
      • data standards / use - schemas, entity categories, etc.
      • technical interoperability (SAML, SAML2Int, etc)
      • Security and operational practices
      • User experience / support
      • Others?
    • Suggestion of a deliverable for people new to federation to help them along, a welcoming document.
    • Comment: It would be helpful to have a way to signal items that are not applicable to an organization.

  • Workplan Item: Clarity on BE enforcements / operationalizing Baseline
    • What does it mean to follow Baseline Expectations, including SIRTFI?
    • See discussion below

  • Workplan Item: Assurance - next steps, rollout
    • Some overlap with previous workplan item
    • Revise Assured Access working group document  of May 2021 in light of RAF (REFEDS Assurance Framework) version 2 (to be released in 2023).
    • Can leave this one as a placeholder

Comments from Ann West

  •  Welcome to all new CTAB members
  • InCommon advisory group onboarding call is next week
  • Several work plan items will require operational support
  • Internally InCommon is working on Baseline Expectations compliance 
  • Would be helpful to get more detailed requirements 
  • Hope to get value back to community this year on these items
  • Please prioritize items 2 and 3 in work plan


    • What should we do about entities not explicitly asserting SIRTFI adherence?
    • See background in CTAB notes of Nov. 15, 2022
    • Steering decided to not remove from InCommon those who are missing BE only because they did not explicitly acknowledge compliance with SIRTFI.

    • More work is required to clarify what that entails, and what, if any, measures Federation Operator needs to put in place to ensure SIRTFI compliance

    • As we look at tools for maintaining / updating metadata, including fresh contacts, etc. we can require organizations to self assert compliance w SIRTFI
    • This could be a compromise with the current lack of enforcement with SIRTFI requirement of baseline expectations
    • Comment: this sounds like a good compromise

    • SIRTFI Exercise Working Group
      • Kyle: soon we need to get out a volunteer note for a new SIRTFI exercise Working Group
      • Last time it was kicked off in December 2021; Albert will work with Kyle on this

Other Working Group Updates

  • InCommon TAC (David Bantz): worked on report of 2022 achievements and draft 2023 work plan:
    • Federation testing strategies
    • Adoption SAML Deployment Profile and Subject Identifiers
    • Future of Federations and Digital Wallets (joint CACTI)
    • “Middlethings”
    • InCommon use of Anonymous, Pseudonymous and Personalized Entity Categories
    • NIST 800-63 rev 4 (joint CTAB)

Next CTAB Meeting: Tuesday, Feb. 7, 2023

  • No labels