CTAB Call Tuesday June 13, 2023

David Bantz, University of Alaska (chair) 

Jon Miner, University of Wisc - Madison (co-chair) 
Tom Barton, Internet2, ex-officio  
Warren Anderson, LIGO 
Richard Frovarp, North Dakota State
Eric Goodman, UCOP - InCommon TAC Representative to CTAB    

Mike Grady, Unicon 

Johnny Lasker, Internet2  
Kyle Lewis, Research Data and Communication Technologies
Kevin Morooney, Internet2 
Emily Eisbruch, Independent, scribe  

Pål Axelsson, SUNET
Matt Eisenberg, NIAID  
Ercan Elibol, Florida Polytechnic University
Scott Green, Eastern Washington U  
Meshna Koren, Elsevier

Andy Morgan, Oregon State University

Rick Wagner, UCSD
Andrew Scott, Internet2  

Ann West, Internet2  

Albert Wu, Internet2   

For Reference: InCommon CTAB 2023 Work Plan


Working Group updates

  • InCommon TAC
    • Discussion of Microsoft’s “Federation Ready” documentation
    • Review of draft documentation related to supporting Entity Categories (Anonymous, Pseudonymous, Personalized) and the updated saml2int profile
  • REFEDS Assurance Framework (RAF): (Kyle)
    • Consultation on RAF 2.0 is open until July 26, 2023: https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+Assurance+Framework+%28RAF%29+v2.0
    • Overview:
      • Over the last two years, the REFEDS Assurance Framework (RAF) Working Group has updated the framework from RAF 1.0 to RAF 2.0. The reason for the change was two-fold:
        (1) to tighten the definitions of many claims based on field experience with RAF 1.0 (the original RAF), and
        (2) to provide a single set of criteria defining the Identity Assurance Profile (IAP) claims of low, moderate, and high, avoiding the need for the CSP to refer to one of several external standards and also reducing the ambiguity faced by Relying Parties who wish to have a clear understanding of what each IAP claim actually means.
    • Focus on risk-based identity assurance
    • Old framework version is not fully upwards compatible
    • New framework is backwards compatible 
    • Versioning is handled like SIRTFI did
    • If this framework is mostly left intact after the public consultation, the new IAP High will be closer to NIST IAL 2. Gaps were mostly eliminated
    • Public feedback for 2 months, until July 26, then working group will reconvene
    • Kyle will present at TechEx 2023
    • Hope this is live by end of 2023
    • Going back to CTAB’s work plan, (item 5 on Assurance - next steps, rollout) we see why the guidance from the Assured Access working group, from a few years ago, needs updating
    • RAF 2.0 provides more concrete implementation guidance 

Operationalizing Baseline Expectations

      • Final summary report is available at https://docs.google.com/document/d/1pjvrkoyAF1P5HNAcwcN5Z1wMzBz6LlbRirb5wKemYak/edit
      • Good working group, excellent participation
      • Met biweekly over the course of several months
      • Started with a spreadsheet Warren had assembled on operationalizing Baseline Expectations
      • Spent several meetings discussing general philosophical principles on operationalizing baseline
      • For example,
        • DON'T want to be overly prescriptive with script enforcement and penalties for noncompliance
        • DO want good lines of communication between participants and InCommon; strong emphasis on cooperation
        • InCommon should offer to help the participant if a lapse is found.
        • No single person is likely to be able to assert all elements of baseline expectations, authority at multiple levels needed
        • Timeliness versus having enough time for orgs to respond and InCommon to process
        • Generally, semiannual assertions likely make sense
        • Utilizing federation manager to communicate makes sense
        • There are general procedural suggestions for how to operationalize, but the details of implementation are best left in hands of InCommon operations staff
      • DavidB: hope to hand this off to the InCommon operations staff with the understanding that some elements may be challenging given the existing technology
      • Johnny: this Operationalizing Baseline Expectations document provides helpful guidance for the InCommon operations staff.
        Currently, the emphasis is on automating detection of anomalies. 

      • Kevin:
        • Big message is that baseline is good and we should continue with it, but there is also an acknowledgement that it is not easy.
        • This is a good message for InCommon Steering and for the community.
        • We are testing the will of the participants and signaling the need for constant improvement.
          The collective desire for federation to get better 

      • Long-term strategy for reminding the participants that federation is not one and done.
      • We need to do the communications work.
      • Should this be considered a living document?
      • We are finding out answers as we go.
      • This is a summary report of what happened in the meetings
      • CTAB Voted to accept the Operationalizing Baseline Expectations report
      • This will be a public document
      • Should this document go in the Trust and Identity document repository?  Not sure

      • Next steps: send this document to InCommon Steering
      • Not for a vote of Steering, but to ask InCommon Steering to reflect on this
      • Perhaps CTAB chairs and Warren will come to InCommon Steering in August 2023, given schedules

Maturing Federation Brainstorming (not discussed on today's call)

Next CTAB Call: Tuesday, June 27, 2023
