CTAB Call Sept. 5, 2023
Attending
Warren Anderson, LIGO
Pål Axelsson, SUNET
Tom Barton, Internet2, ex-officio
Matt Eisenberg, NIAID
Richard Frovarp, North Dakota State
Eric Goodman, UCOP - InCommon TAC Representative to CTAB
Mike Grady, Unicon
Johnny Lasker, Internet2
Jon Miner, University of Wisc - Madison (co-chair)
Andy Morgan, Oregon State University
Andrew Scott, Internet2 HERE
Rick Wagner, UCSD HERE
Albert Wu, Internet2
Emily Eisbruch, Independent, scribe
Regrets
David Bantz, University of Alaska (chair)
Ercan Elibol, Florida Polytechnic University HERE
Scott Green, Eastern Washington U
Meshna Koren, Elsevier
Kyle Lewis, Research Data and Communication Technologies
Kevin Morooney, Internet2
Ann West, Internet2
DISCUSSION
- Internet2 Intellectual Property reminder
- Agenda Bash
NIST
- NIST has released this which may be of interest:
- NIST IR 8481 (Initial Public Draft)
- Cybersecurity for Research: Findings and Possible Paths Forward
- https://csrc.nist.gov/pubs/ir/8481/ipd
- NIST has not yet provided a reply to our input to the NIST 800-63 Rev 4 consultation
Working Group updates
- REFEDs Assurance Framework
- MFA group meeting again (after Europe’s Summer hiatus)
- Group is reviewing input from the consultation
- MFA group meeting again (after Europe’s Summer hiatus)
- SIRTFI Exercise Planning Working Group - no update
- CACTI
- No meeting last week
- No meeting last week
- InCommon TAC
- Eric shared a presentation that discussed “SaaS vendor IAM issues” (and how SaaS vendors’ views of IAM differ and conflict with the R&E mesh fed model). Then TAC had a general discussion of the topic and implications.
- Discussion of plans for TechEx (esp. F2F meeting)
- Update TAC’s work on Access entity categories
- Subgroup working on deployment guidance for SAML 2 Int deployment profile
- Then combined w deployment guidance work for access entity categories: anonymous, pseudonymous, personalized
- Will present at TechEx in session with Pal
- Clarifies how InCommon should use the categories
- Group has recommendation on details around scoped affiliation, and what the values should mean
- Will at some point touch on how to transition to subject identifiers
- To promote adoption of the identifiers
- Converges with CTAB’s discussion on entitlement
- Question on personalized category, what about entity support category?
- Need transition guidance from R&S
- Albert: yes, the group is aware of this and need for guidance
- The hurdle will be getting community support for Subject ID (pairwise and general purpose),
- widespread IDP support is needed for this or it won’t take off
- Managing Change in Federation
- The federation has repeatedly faced the issue of how to get adoption of a new standard
- Pushing too hard we break things, not pushing hard enough there is lack of momentum
- TomB: we moved away from older certs, we transitioned from SAML1 to SAML2
But with subject ID, we don’t have the situation where old subject ID is “bad”, we don’t plan to include subject ID change issue into baseline expectations. - Concern about interoperability with global federation community regarding handling of subject ID
- Connects with the InCommon futures discussion
- The federation has repeatedly faced the issue of how to get adoption of a new standard
- Question: where do we stand on updating InCommon Federation contact info?
- Albert: we are in final development for a set of enhancements in Federation Manager and related tooling. Developing ability to automatically ping contacts. This is part of implementing operationalizing baseline group from earlier this year. It's about periodic attestation.
- Subgroup working on deployment guidance for SAML 2 Int deployment profile
- Eric shared a presentation that discussed “SaaS vendor IAM issues” (and how SaaS vendors’ views of IAM differ and conflict with the R&E mesh fed model). Then TAC had a general discussion of the topic and implications.
- REFEDs Assurance Framework
Update on “This Old House”
- John Krienke, Internet2 and Albert have developed the This Old House document
- Looks at gaps in today’s InCommon federation structure and recommends changes
- InCommon's structure was developed when the InCommon federation was smaller
- Entities now participate in InCommon federations in new ways
- For registration of metadata, we are not engaging enough with the application teams, becomes a support issue and a visibility issue
- Issues around cloud architecture – InCommon federation needs to adapt
- Need to be able to delegate [entities] to a cloud vendor
- Currently, InCommon federation requires sponsorship for a non higher ed entity to participate
- Looking at changing concepts of InCommon Exec and Site Admins
- Sub orgs in federation manager are now used as a work around, we need to take the structure and formalize it (for sub groups within an organization)
- for example, if a computer center wants to manage its own SPs.
- for example, if a computer center wants to manage its own SPs.
- Similar to how eduroam works
- May take a look at participation categories of InCommon
- The recommendations will impact the InCommon Participation Agreement
- There is a connection with the middle things work, looking at proxies.
- IDP as a Service program also impacts this work, it’s a 3rd party handling metadata on behalf of an org
- InCommon Steering will review the This Old House report at their Sept 2023 meeting.
- If “This Old House” report gets preliminary approval from InCommon Steering, there will be more development of the details. CTAB will be asked to assist
- John Krienke, Internet2 and Albert have developed the This Old House document
TechEx 2023 https://internet2.edu/2023-internet2-technology-exchange/
- CTAB members attending TechEx include:
- Andy M
- Johnny L
- Warren A
- Pal
- Tom B
- Richard F
- Jon M
- Andrew S
- Andy M
- TechEx CTAB F2F agenda (12:30-13:30 Tuesday)
- Agenda for CTAB F2F meeting at TechEx
- Review 2023 Work Plan (to date and remaining year)
- Latest on SIRTFI Exercise
- Update on Operationalizing Baseline Expectations next steps
- REFEDs Assurance Framework 2.0 (see Wed Kyle session)
- NIST 800-63-4
- “Who moved my authz cheese?”
- Looking ahead to 2024 Work Plan -> what is our focus?
- Recruiting for new CTAB members
- Review 2023 Work Plan (to date and remaining year)
- Agenda for CTAB F2F meeting at TechEx
- Note on CTAB recruitment
- 4 CTAB Members have terms ending in Dec 2023
- about half of CTAB member’s terms expire in Dec 2024
- 4 CTAB Members have terms ending in Dec 2023
- Outline for Scalable Trusted Federation Session (co-presentation between TAC and CTAB - 11:20-12:10 Wednesday)
- Timing
- 20 min CTAB updates - goal is to describe what we are doing to enhance trust in federation
- 20 min TAC updates
- 10 min
- 20 min CTAB updates - goal is to describe what we are doing to enhance trust in federation
- Talking Points
Set context -> themes- maturing BE practices from BE1 and 2: Operationalizing BE; SIRTFI Exercise
- Tracking IAM standards changes - NIST / REFEDS Assurance
- Looking ahead to the future of improving trust and interoperability in InCommon
- maturing BE practices from BE1 and 2: Operationalizing BE; SIRTFI Exercise
- Review 2023 Work Plan progress
- Next on deck: Deployment Guidance for RAF2; Who moved my authz cheese (moving beyond “authentication”)
- Call for participation - join CTAB; participate in WG
- Suggest ACAMP topics to dive into details
- Timing