CTAB Call Nov 12, 2024
Attending
Warren Anderson, LIGO
Pål Axelsson, SUNET
Tom Barton, Internet2, ex-officio
Gabor Eszes, Univ of Virginia (rep from CACTI)
Richard Frovarp, North Dakota State
Mike Grady, Unicon
Scott Green, Eastern Washington University
Johnny Lasker, Internet2
Kyle Lewis, Research Data and Communication Technologies
Ryan McDaniel, University of Alaska Anchorage
Jon Miner, University of Wisc - Madison (vice chair)
Kevin Morooney, Internet2 HERE
Ann West, Internet2
Albert Wu, Internet2
Glenn Lipscomb, Internet2
Romy Bolton, Internet2
Meredith Lovelace, Internet2
Emily Eisbruch, Independent, scribe
Regrets:
David Bantz, University of Alaska (chair)
Matt Eisenberg, NIAID
Ercan Elibol, Florida Polytechnic University
Christopher Keith, Brown University
Rick Wagner, UCSD
Kathy Wright, Clemson, InCommon TAC rep to CTAB
Discussion
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.
- Public Content Notice - CTAB minutes are public documents. Please let the CTAB and note taker know if you plan to discuss something of a sensitive nature.
Working Group Updates
- work continues
- SIRTFI Exercise Planning Working Group
- SIRTFI Exercise is next week. 15 organizations participating, will run for 3 days
- Different "stories" for different participants
- Proxies:
- Q: Any special attention to proxies in the exercise?
- A: SPs and IDPs, but no focus on proxies
- Perhaps it’s worthwhile to talk to the SIRTFI group about the proxies topic
- There are special things the proxies should think about
- Proxy will need to sort out what’s behind the curtain
- Signaling protocol
- Last year there was an entityID used that had a vendor contact as security contact.
- TomB: The AARC project and WISE working group have put out guidelines that can be adopted
- As a community we are barely scratching the surface of awareness of SIRTFI
- Kyle does a lot of orientation
- How do we actively notify a security contact that is published to let people know they have been “signed up” to be a security contact?
- CTAB should get an update from Johnny or Albert around operationalizing baseline expectations
- Johnny: InCommon operations is currently figuring out requirements for how to react to the findings
- How to notify people, how to feed into annual attestations
- Inc-ops-notifications for site admins and others
- How well are we reaching site admins?
- Twice a year we send for a health check
- Then update Federation Manager with findings
- The process is manual at this point
- Could apply the process to security contacts
- For a future CTAB Agenda: Jon Miner will include on the agenda an update on operationalizing baseline
- CACTI:
- CACTI Cryptographic Evolution Working Group (CEWG)
- Recounting updates from Next-Gen Credentials Trust Frameworks WG
- Recounting updates from Internet Identity Workshop (IIW)
- Charter approved for new WG:
- Position paper: CACTI Recommendation on Use of OpenID Federation
- InCommon TAC
- InCommon TAC went round the table and did an extended update from TAC working groups
- Have pretty good guidance about IdPs.
- SP guidance is still a little sprawling and needs clearer documentation (and summarization).
- Migration guidance probably could use review.
- Not ready for publication yet.
- Federation Proxies WG - Report is still being finalized. Focusing on “trust impacts” vs. “type of federation proxy” elements in the report. Expect to open feedback during ACAMP.
- Subject Identifier Deployment WG
- Federation Readiness Check - Work in progress published at https://irtnog.github.io/good-idfed-practice.
- InCommon Interoperability Expectations Planning Working Group
- See report below
InCommon Branding / Messaging (Ann/Meredith/Glenn/Romy)
- Meredith Lovelace, Senior Director of Digital Experience at Internet2
- Glenn Lipscomb, Assoc VP for Marketing and Events at Internet2
Developing an effective messaging strategy for InCommon has been a standing request. Recently, Internet2 engaged an agency to help us with the overall InCommon messaging.
We are now asking our “family” community to review these messages, use them in your organization and/or at TechEx where it makes sense, and share your feedback in the CTAB slack channel. For an overview and the actual messaging we are asking you to use, see the slide deck that Ann presented on the call:
These messages were informed by the InCommon Futures2 work.
- Show how InCommon is different from other solutions
- Clarity, articulation
- Don’t want people reinventing the wheel
There will be a small brand reveal at TechEx
- We ask that CTAB members try out this messaging with folks
- Provide feedback in the CTAB slack channel
- Spring 2025 will be official flip to new InCommon messaging
Q: In differentiating from competitors, who are the competitors?
A: Vendors and other community orgs
Comment: InCommon is a trust broker, would be good to add this to the rebranding
Good feedback: We will be adding more details around the InCommon federation value proposition when we get to that point.
Comment: In terms of moving to a focused, positive messaging, it’s a good refresh
InCommon Expectations Planning WG progress
- Going well, there is a broad consensus on what this effort is, and how to proceed.
- Will prepare a quick brief for TechEx and an essay/blogpost
- Will create process to work on intake of recommendations
- Issue tracker
- As topics come up for discussion in the community
- They don’t always receive the attention that might be warranted
- Some topics fall off the radar for a while
- Machinery to keep track of topic area in a process
- Status might be: Intake, discussion, discovery, tabled
- If we chart potential topics, you can arrange them in a many-dimensional field
- Different topics are relevant to different audiences
- Working group will develop the process
- Current working group hopes to hand this off eventually to another body
- Focus on at most 5 topic areas for discussion
- Rank them on whether it’s guidance or best practice
- Supply the necessary info to express what we expect for InCommon participants
- Q: how do you measure success?
- Things that advance to level of expectations should be things that can be measured
- Measurement may be through automated methods
- Others may need self attested questionnaire
- Considering notion that a lot of things that are attested today are attested in ways that are out of band
- Understanding we could gain benefit by prescribing additional mechanisms of signaling
- Need to lean more into signalling
- Protocol-like ways of exchanging info
- Try to formalize a lot of what is already happening in the community
- Currently there are several advisory groups discussing topics, chartering working groups
- What is not represented currently is a way for an interested party to peek in and see what the community is doing about a certain topic
- Question was asked, is this too meta
- This is a bit meta but it manifests at different levels
- Big process
- Also will impact very specific topic areas
- Process impacts both the large and the small
- Refining existing practice
- Adding transparency and trackability of topics being considered by the community
Not Discussed on this call
TechEx 2024: https://events.internet2.edu/website/69276/home/
Joint CTAB/TAC at TechEx - who will be at the joint meeting?
Sidebar - TechEx Tuesday AM Presentation Abstract
Submitted by chair and added to TechEx program 5 Nov
Title – Scalable trusted access: Sirtfi and InCommon Expectations
Two initiatives from the InCommon Trust and Assurance Board (“CTAB”) will be discussed that aim to facilitate scalable trusted access to information resources: 1 – “table top” exercises implementing the Security Incident Response Trust Framework (Sirtfi); and 2 – a process for adopting common practices among InCommon participants for greater trust, scalability, and interoperability.
A second round of “table top” Sirtfi exercises is underway, with 15 diverse institutions participating in simulations of security incidents that will trigger use of the protocols defined by Sirtfi. Lessons learned will be used to enhance responses in case of actual need.
The InCommon Interoperability Expectations Planning Working Group aims to extend the Baseline Expectations for Federation participants by identifying new, voluntary expectations for supporting features and practices that enhance interoperability across identity providers and service providers.
Additional expectations, while not mandatory, will standardize key configurations and behaviors, reducing the need for custom solutions and fostering efficient, scalable operations. By providing clear technical guidance, the Working Group seeks to streamline federation processes for both federated and bilateral integrations, and to define metrics for assessing compliance and success.
Expectations will be driven by needs and opportunities identified by the InCommon community. The presenters will introduce InCommon Expectations and seek your input on this new “expectations” process and potential new “expectations.”
Next CTAB call: Tuesday, November 26, 2024