CTAB Call October 15, 2024

Attending

Warren Anderson, LIGO  
Pål Axelsson, SUNET  
David Bantz, University of Alaska (chair)   
Gabor Eszes, Univ of Virginia (rep from CACTI)   
Richard Frovarp,  North Dakota State 
Kyle Lewis,  Research Data and Communication Technologies 
Jon Miner, University of Wisc - Madison (vice chair)  
Mike Grady, Unicon 
Johnny Lasker, Internet2 
Tom Barton, Internet2, ex-officio 
Rick Wagner, SDSC/UCSD   
Kevin Morooney, Internet2
Albert Wu, Internet2 
James Cramton, Internet2 
Emily Eisbruch, Independent, scribe

Regrets

Scott Green, Eastern Washington University
Christopher Keith, Brown University
Matt Eisenberg, NIAID 
Ercan Elibol, Florida Polytechnic University 
Ryan McDaniel, University of Alaska Anchorage
Kathy Wright, Clemson, InCommon TAC rep to CTAB
Andrew Scott, Internet2
Ann West, Internet2 

DISCUSSION

  • Intellectual Property Reminder  - All Internet2 activities are governed by the  Internet2 Intellectual Property Framework.
  • Public Content Notice  - CTAB minutes are public documents. Please let the CTAB and note taker know if you plan to discuss something of a sensitive nature.

James Cramton Intro

  • James Cramton, Internet2,  Trust and Identity Industry Relationship Manager
  • Working with Internet2 Catalysts and sponsored partners
  • Experience in Higher Ed and beyond
  • Used Mace-Grouper at Brown University years ago
  • Here on CTAB call to listen/learn

InCommon Interoperability Expectations Planning working group  

  • Regular meetings have been scheduled for the next few weeks
  • Three two-hour meetings are planned prior to Tech Ex in December
  • Next meeting is Oct 24 at 2pm Eastern
  • Thanks to Gabor for stepping up as chair
  • Albert is sponsor and flywheel
  • Still open to additional participants
  • Info and meeting info at: https://spaces.at.internet2.edu/display/ctab/iiepwg

CTAB planning / workplan


- Defining InCommon Expectations (beyond WG sponsorship) - analogy is Baseline Expectations
- Testing / metrics tools to demonstrate compliance
- Generalizing Trust in InC (OIDC+SAML) [e.g., attribute mappings]

  • Albert: 
    • 2025 will be an important year
    • The community is ready to take the InCommon Federation to the next level
    • Increased emphasis on security and attention on compliance
    • CTAB has a key role in helping the federation community make the transition to what’s required for the future 

  • David
    • Some challenges are not intrinsically difficult but we lack an interoperable approach
    • We need to adopt conventions
    • How do we do a better job at the consensus process?
    • Too many choices can be a problem
    • What are reasonable defaults?
    • A few years ago we sent out a survey for a 2nd level of Baseline Expectations, including TLS and more
    • Should we do another round of survey?
    • Or is there a better way to build consensus?

  • Gabor:
    • How big is gulf between set of folks and institutions who actively participate in the sausage making, (such as participating in working groups and other bodies) and those who don’t participate in the decision making? 
    • What percentage of institutions send a representative to an elected body or a work group in InCommon out of the set of all institutions?
    • Concern that the footprint of institutions participating in the discussions is a very small subset of all member institutions
    • Leaves us with an awkward choice to use the term consensus

  • Kevin:
    • In trust and identity we have 75 people in standing advisory bodies,
    • About 70 institutions
    • 1000 participants in the Federations
    • Internet2 network, Middleware and Net+ were founded by about 35 institutions
    • Research institutions, public and private, with medical centers
    • Trickle down from the needs of the most complex institutions seems to work

  • Gabor:
    • Are the needs of the 90% of institutions that are less active the same or compatible enough with the 10% that are participating? (Numbers approximate)
    • So far the answer seems to be yes
    • But as we look at possibly increasing requirements
    • Arriving at a smaller set of preferred answers for difficult questions, will that still hold true?

  • Kevin:  
    • There is a variance in how risk is assessed and tolerated

  • Pal:
    • We are seeing less participation
    • Federation is not new, it is mature and it works pretty well
    • So people are not jumping in to make changes
    • Good news: a new REFEDs working group on use of eduperson in the wallet got 20 people participating

  • David:
    • Some institutions participate very little
    • If we tease out from them what their pain points are, this could be helpful and beneficial

  • Kyle:
    • Our touchpoints are the IAM teams
    • What is solved is things the IAM teams could handle
    • Harder problem is when IAM team can't solve an issue on their own
    • Then it depends how well the IAM team is plugged in
    • Seen with identity proofing, some issues IAM teams will not be able to solve without discovery or going to HR
    • Also with SIRTFI, there are cases where the receiving party does not know about SIRTFI
    • How do we help teams communicate and market?
    • So they can talk within or leverage their institutions to solve the problems?

  • Warren:
    • Was at NSF Cybersecurity summit last week
    • Identity (knowing where credentials come from) was described as the problem the security teams must deal with
    • Could try to foster meetings or conferences to combine IAM and security groups

  • Tom: 
    • In designing wallet architecture, attribute authorities may not have been considered, credential issuers (Assoc of colleges, Assoc  of doctors)
    • attribute authorities may not issue authentication credentials
    • This can become an issue
    • based on recent review of of SP 800-63-4 draft there are things the federation operator might provide as infrastructure to participants willing to use them
    • Trust Agreements
    • Needs some working out 
    • Several parties, including federation operator, will spell out behaviors, things of interest to manage risk associated with using federation
    • There are some things the federation can be authoritative for
    • It’s related to Baseline Expectations but without requirement to adopt
    • This is connected to how CTAB can help InCommon evolve

  • Mike:
    • Need to focus on education and examples, a better set of materials
    • For example, explaining why expectations are important to a community college
    • Re security and risk assessment, there is a lack of examples in our materials

  • Albert: Agreement we need to focus on education to various audiences and levels
    • Also technology is changing

Face to Face at TechEx24 in Boston  https://events.internet2.edu/website/69276/home/

  • TAC and CTAB will have a combined  session
  • Need to plan the agenda
  • Keith W , TAC chair, not able to attend TechEx
  • Albert suggests an agenda to include
    • Intros
    • Coordinating efforts heading into 2025
    • Focus on InCommon Expectations
    • Overlap with TAC Federation Readiness Working Group, previously called Federation Testing
    • Testing Tools
    • TAC working on deployment guidance
    • Need a statement about “this is what we expect you to do”

    • Agenda item: how to make the efforts work together in complementary fashion

  •  Europeans are working out how OpenID Federation will work into our ecosystem
  • We need to educate ourselves on technology changes and federation.
  • Albert will set up a meeting with Keith to talk about agenda for Tech Ex combined session.


Working Group Updates

    • InCommon Steering [db]: developing formula for pricing Certificate Service tied to inflation
    • InCommon TAC [db]: 
      • extended discussion of Device-level security in context of wallets conveying identity and attributes; a small group intended to develop a 1 page problem statement
      • Federation Proxies WG to provide a document for distribution and bring to Advance Camp @ TechEx24
      • FedCM WG intends to publish a draft standard “quickly”; some churn as vendors revise and/or retrench their browser profiles; impact on SSO not definitively known

    • SEPWG  - - 15 organizations signed up; next week is the communications check with their published security contact

    • Assured Access Working Group v2   - work continues; we’ve moved into remote proofing guidance; rough estimate work is 70% complete

    • CACTI
      • nearly all community outreach subgroups have published their final report
      • New position paper with regard to exploring the use of OpenID Federation. An effort (maybe WG?) will be spun up to explore this topic.
      • Proposed charter for CACTI Cryptographic Evolution Working Group has been approved. Will move forward and result in this new WG to explore cryptographic agility in core federated auth protocols relevant to InCommon. 

  • Next CTAB Call: Tuesday, October 29, 2024
  • No labels