InCommon CTAB 2023 Work Plan

This is the final version of the InCommon Community Trust and Assurance Board's 2023 work plan.

If you would like to comment on any of the items, please add a comment to the wiki page. Note that you need to sign into Confluence in order to edit or leave a comment. Lastly, if you have a work item you'd like to propose but aren't comfortable using the wiki editor, enter it in the comments at the bottom of the page.

(Working document of this work plan in Google Doc)

Active 2023 Work Plan Items

1. SIRTFI Exercise Planning Working Group (SEPWG)

Summary


Renew the SEPWG charter with a fresh call for volunteers to organize, design, plan and execute a cybersecurity cooperation exercise and/or other training/practice opportunities for InCommon member organizations (entities).

Format, Requirements, Duration

SEPWG work plan includes:

  • Assemble volunteers to conduct a cooperative cybersecurity training event
  • SEPWG will determine what kind of event or events should be conducted this year based on feedback from last year’s events
  • Goal to complete and present at TechEX; however, given TechEX’s earlier time this year, may provide status on work so far, with a view to conducting events after TechEX
  • Final report to CTAB expected by end of year with recommendations for next year

+1 / Interested Parties

  • Kyle Lewis (Convener)
  • Warren Anderson

♦ ♦ ♦ ♦ ♦

2. NIST 800-63 Rev 4 consultation - review and feedback


NIST has released the 4th revision of the NIST 800-63 series (Digital Identity Guidelines) of documents for public consultation: 

Proposal: convene a cross-committee group to review these documents relative to R&E federation needs/practices and provide feedback.

The consultation concludes on March 24 2023. 

Format, Requirements, Duration

Cross-committee task force?
- TAC work plan includes 800-63v4 review
~ reading group(s) section by section

  • Convene group
  • Assign reading/review tasks
  • Draft responses
  • Submit a response (together as a community, or separately?)

Need to complete feedback draft by end of February 2023 to allow InCommon leadership to review before response submission.

+1’s / Interested Parties

♦ ♦ ♦ ♦ ♦

3. Clarity on BE enforcements / operationalizing Baseline


How do we measure ongoing adherence?  … and what do we do with what we measure?

Technical Measures (InCommon):

  • Metadata accuracy - key contacts, URL, etc
  • Contacts management / checking
  • Endpoint encryption technical process 

Process / Procedure: (CTAB)

  • Process/procedure for escalation and timeframes.
  • SIRTFI adherence if explicit attestation is not required?
    • How do we handle people who do not assert SIRTFI in the face of a (perceived?) reluctance to "throw them out" (and/or the understanding that the POP requires them to do it?)
  • TLS dispute resolution adherence and dispute resolution (what triggers dispute) - BE TLS Proposal

Format, Requirements, Duration

Operational subgroup to implement and/or consult on guidance embodied in the doc cited above.

Expected Outcome:

  • Guidance to InCommon on technical tooling and other changes
  • Enhanced documented automated processes at InC to monitor and document adherence
  • Resolve discrepancy between SIRTFI requirement and Steering decision not to enforce

+1’s / Interested Parties

  • Warren Anderson (Lead)
  • Andy Morgan
  • Tom Barton
  • Richard Frovarp
  • Scott Green
  • Kyle Lewis
  • Ercan Elibol
  • David St Pierre Bantz
  • Johnny Lasker

♦ ♦ ♦ ♦ ♦

Candidate Work Plan Items 

These items are candidate CTAB work plan items. CTAB will review each and schedule them to start as active work plan items complete in 2023.

4. Framing the next chapter of federation maturity


(This is the start of the “Federation Readiness” arc)

Baseline Expectations has been an important mechanism to sustain and grow trust in federation. As we approach the 5th anniversary of Baseline Expectations (InCommon transitioned to BE in June 2018), it’s a good time to reflect on our accomplishments and, importantly, what we can do differently to accelerate/improve trust, interoperability, and value in Federation.

Among the BE deployment observations:

  • Our community does respond to calls for improved trust, security, and interoperability…
  • Many need clearer, more precise guidance: “just tell me what I need to do and how”
  • Participant admins aren’t necessarily technologists anymore. They rely on solution providers. Asking operators to translate/relay technical change needs to solution providers doesn’t scale well. 

While BE continues to be an integral part of sustaining Federation trust, its “all or nothing” compliance approach takes time (too much time), and can only address the minimum common elements of trust and interoperability. We need ways to address trust and interoperability needs applicable to major subsets of federation communities. We need clearer and more defined descriptions of “the right way to do x” in Federation so that our stakeholders can build “federation readiness” into their longer range planning roadmap.

Providing a helpful “maturity roadmap” for participants and solution providers to build toward can be a good way to answer the question: “what do I need to do to be compatible with InCommon?” 

Truly successful, seamless integration in InCommon requires effort in multiple areas. Do we know what those are? Do we have a way to provide guidance to our community of the direction we are heading so that they can plan? Do we provide enough helpful guidance so that newcomers can learn and measure success in their own work (and to not reinvent the wheel in a vacuum)?

This topic is broad and deep. We are not going to solve all of it in one go. I am proposing that CTAB convenes a group to examine, at a high level, the dimensions of federation interoperation and recommend actions to drill down into important ones for subsequent work. 

Potential dimensions important to trust in federation interoperation:

  • IAM practices - assurance, identity lifecycle management, account mgmt (linking, mapping, decorations)
  • data standards / use - schemas, entity categories, etc.
  • technical interoperability (SAML, SAML2Int, etc)
  • Security and operational practices
  • User experience / support
  • Others?

Proposed By

Albert Wu

Decision regarding moving forward

CTAB to pick up this item as active items conclude.

Format, Requirements, Duration

Time-boxed working group (6-8 months; with intent to publicly review draft report by TechEx in September) to identify key challenges and opportunities in various dimensions of federation interoperation:

  • Produce report to describe these findings: why they are important; risk if not addressed; opportunity if addressed well
  • Recommend next step actions
  • Document for audience of new R&E Federation organization/service
  • Consider ways to designate or advertise self-assessed ‘maturity’ in different dimensions

+1’s / Interested Parties

  • David Bantz (Convenor/Lead)
  • Albert Wu 
  • Ercan Elibol


Chris Phillips from CANARIE is also interested. 

More ideas for the group to ponder: 

  • Inventory existing attempts to define maturity / readiness, including IDPro
  • Revise previously developed IAM Maturity Model or IDPro materials or similar with the goal of identifying what operators should focus on if they want to be trustworthy members of the federation.
  • Commercial vendors want this: “Checklist” for service providers: is your service ready for federation
  • Newcomers (including new staff at an established InCommon participant school) want this: “Checklist” for identity providers; are you able to meet SP’s assurance needs?
  • Compliance check or self-asserted compliance with a standard
  • Checklist for IdP and/or SP proxy operators, if we can figure out the proper way to identify these cohorts.

Background from the 2022 proposed group to examine Future of Federation Policy Making to improve trust and interoperability:


Review lessons learned from BE to date; investigate emerging trends/needs; propose how BE should evolve next, both in content and in format. Specifically consider lessons learned: ways to increase assurance and interoperability as ‘opt in’ or aspirational specification. 

Potentially describe scenarios, profiles, standards, or recipes for enhancing IdP and/or SP to meet needs of, say, an R1 or a community college, presumably including implementation of MFA signaling or attribute bundling for R1, not CC. 


  • Take a step back to look at BE program and assess; what alternatives to “everyone is required to…” might also increase interoperability and assurance?
  • Inventorying what we have and work on how they relate.  Catalog them.
    • Eg, how does RAF relate to SAML2Int?
  • Report on results of BE2 - how many entities failed to meet BE2, how long did various adoption points take, why did some entities fail?
  • Develop vision/goals for assurance and interoperability BE and other possible models?
  • We want to scope this to deliverable outcomes, preferably around how policies and policy making can improve trust and interoperability in current federation model
    • This may include policies that don't apply to all members, but do apply to members of a certain sort or those who engage in some activities.  (eg, you don't have to do MFA, but if you do, you must support proper signaling)
  • Look back to base assumptions that we aren't articulating so that we can bring ourselves back to where we started and assess
    • Creating a place to start so that new people aren't as lost.
    • "Back to the basics"
    • Making technical details more accessible (or making things less technical), how-to documents for integrating IdP and SP products (Conflict / mismatch between the highly technical and SAML-oriented vs off-the-shelf and vendor integrations?)


  • Future federation model is longer range, less constrained by InC and out of scope for this work; should be pursued separately and widely
  • Set concrete timebox for work group duration (less than 1 year) - deliver outcome in time to be ready to present at 2022 CAMP
  • Eg: if you are communicating something defined in eduPerson, you must use eduPerson attributes.  (Eg, scoped username will be in ePPN.)
  • WG desperately needs participation from SPs and Research proxy services

♦ ♦ ♦ ♦ ♦

5. Assurance - next steps, rollout


Continuing our work on Assurance and NIH requirements, ensuring the community is aware of movement in the area.

Identity (attribute) Assurance or Authentication Assurance?

Does this include MFA vs Strong authentication?

Decision regarding moving forward

Hold pending release of REFEDS Assurance Framework 2.0; revisit 2nd half of 2023. 

Format, Requirements, Duration

Operational subgroup to implement and/or consult on guidance embodied in the doc cited above.

Expected Outcome:

  • Enhanced documented automated processes for organizations (& InC?) to monitor and document adherence to IAL levels
  • Revise Assured Access WG document in light of RAF version 2 (to be released in 2023).
  • Ensuring alignment with NIH requirements, updating Get NIH Ready et al.

+1’s / Interested Parties

  • Mike Grady
  • Scott Green
  • Richard Frovarp
  • Ercan Elibol
  • Matt Eisenberg

♦ ♦ ♦ ♦ ♦

Items CTAB to track in 2023

These items are community and industry work-in-progress. CTAB does not lead these efforts. However, because they are of significant value to CTAB, CTAB makes a conscious effort to stay current with these activities:

  • Review REFEDS Entity Categories - TAC will pick up this item in its 2023 work plan: review new/updated REFEDS entity categories (anonymous, pseudonymous, personalized). Recommend course of action for InCommon (eg recommend, adopt, require, reject, etc)
  • REFEDS Assurance WG  - Development of REFEDS Assurance Framework 2.0
  • MFA sub-group of REFEDS Assurance WG - Development of next REFEDS MFA Profile revision
