CTAB Wed. Nov. 6, 2019

Attending

• Mary Catherine Martinez, InnoSoft (chair) 
• David Bantz, University of Alaska (vice chair)  
• Rachana Ananthakrishnan, Globus, University of Chicago   
• Tom Barton, University Chicago and Internet2 
• Brad Christ, Eastern Washington University  
• Jon Miner, University of Wisc - Madison  
• John Pfeifer, University of Maryland   
• Chris Whalen, Research Data and Communication Technologies  
• Ann West, Internet2  
• Albert Wu, Internet2  
• Emily Eisbruch, Internet2    

Regrets

• Brett Bieber, University of Nebraska 
• Eric Goodman, UCOP - TAC Representative to CTAB 
• Chris Hable, University of Michigan
• John Hover, Brookhaven National Lab 
• Adam Lewenberg, Stanford  

Action Items from this call 

• [AI] (Rachana) talk with her team to get more perspectives about improving the TLS
• [AI] (John) talk with his team to get input about improving TLS
• [AI] Albert consult with NickR on engineering or other practical concerns that would arise  if InCommon does the testing around secure endpoints
• [AI] Albert  flesh out the BE 2020 doc with more on SIRTFI, endpoints,  and other matters  
• [AI] (MC)  email InCommon Steering chair TedH and cc Brad Christ with the slate of nominees for CTAB 2020

Discussion

Baseline Expectations 2020

• OWASP cheat sheets - how do we apply them  to BE requirements (TomB)
  • https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
  • https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
  • TomB: for consumer electronics , not subject to those restrictions. People can travel  with their cellphones.
• Regarding this BE statement:
  • "All SP service endpoints must be secured with current, supported, unbroken transport layer encryption"
• Need to have appropriately encrypted endpoints
• The 2 OWASP cheat sheets demonstrate there are many details and choices
• CTAB must decide which are satisfactory choices
• TomB shared scanning mechanism used at U. Chicago
• DavidB: suggests most restrictive approach
• Jon: if a platform (eg, Windows) can’t support the most restrictive approach, is that outside of baseline?
• We  must do the research to tell participants what to do on an open SSL platform and what to do on Windows
• Hard to figure out the best approach on containers
• SSL Labs has an API, can be used to measure, provides a grade and provides feedback
• Goal now is to support TLS 1.2 but eventually the goal posts will change
• TLS 1.1 will soon mean a grade of B instead of A
• If we apply the SSL Labs standard to a commercial SP (such as Box) that is crucial for campuses, it will be a problem if Box gets “kicked out”
• Suggestion that MC, Rachana, and others try this SSL Labs test
• AI (Rachana) talk with her team to get more perspectives about improving the TLS
• AI (John) talk with his team to get input about improving TLS
• Use API to automate the SSL Labs testing?
• What would be the next steps and consequences and timeframe for fixing if an organization does not pass
•  It would be convenient to reply on SSL testing and grade for Baseline Expectations
• There would be cycle time for remediation if grade falls below an A 
• Issues around International browsers ?
• Is the suggestion that participants test themselves and submit their results?
• Or would InCommon do the testing?
• [AI]  Albert consult with NickR on engineering or other practical concerns that would arise  if InCommon does the testing around secure endpoints
• Important to provide guidance on how to disable TLS 1.1 
• DavidB found lack of documentation for Windows on this 
• CTAB would need to provide guidance
• Find out the top platforms being used, Tomcat,  JEDI, 
• There will be some support burden; “I want to do this but I don’t know how”
• CTAB needs to figure out what is reasonable, be careful in setting a high bar that is hard to implement
• For those who do not meet this, there would be a process, including dispute resolution, and could lead to extensions being given and/or an exception being mad
• Steering is the final judge in cases where an entity might be removed from metadata
• The community will have time to adhere to any new baseline requirements
  
  
• Sirtfi - what do we need to say to clarify? (David)
  • Do we need to go beyond “by checking the box you agree to support the SIRTFI framework”
  • At U Alaska, they don’t adopt SIRTFI as practice, and that would be OK under the proposed Baseline Expectations. They can  respond to a request for SIRTFI and that is what is required. 
  • AI Albert  flesh out the BE 2020 doc with more on SIRTFI, endpoints,  and other matters  

• IAM Online, Wed. Dec 4, 2019, 2PM Eastern
• Dean suggested CTAB participate in  IAM Online webinar on Dec. 4 to preview what’s happening at TechEx 2019
• DavidB volunteered, Albert will help.  JonM may be able to attend as well (if we want more)
  
  
• Nominations for CTAB membership starting in 2020
• MC worked with David and Brett to reach out to nominees  
• They spoke to 5 of the 6 nominees for CTAB. 
• Did not contact one CTAB nominee who had chosen another governance group as 1st choice
• All seemed motivated to be part of CTAB and were good fits for CTAB. 
• Good variety of individuals.  
• We  may need to change our CTAB call time to accommodate European nominees
• Candidates asked about the next step
• Potentially CTAB could provide a tentative yes, contingent on InCommon Steering approval.
• Steering may look at representation to be sure a variety of key stakeholders are represented
• Once CTAB has the slate ready, MC (CTAB Chair)  would email the InCommon Steering Chair (Ted Hanss)
• InCommon Steering next meeting is Dec 2 
• We may request that Steering do an online vote prior to then
• AI (MC)   email Ted and cc Brad Christ with the slate of nominees for CTAB 2020
  
  
• Planning for TechEx - InCommon and CTAB update -  https://docs.google.com/presentation/d/1bqaBpgZzyVTWEWcQCVFYGxWx6ZZOvLBhb6PPvgwFyHk/edit
  • TechEx - Open CTAB Meeting: Discussion of Baseline 2020 
  • https://meetings.internet2.edu/2019-technology-exchange/detail/10005609/
  • Review community consensus process
  • Outline BE changes
  • Discussion
  • Capture input from attendees
  • Gain greater clarity on implementation items (what to include; what not to include)
    
    
  • Proposed Agenda
• • Review community consensus process
  • Outline BE changes
  • Discussion
  • starting draft for TechEx based on last year’s slides 
    
    
  • Likely we won’t be ready with  a wiki about proposed baseline expectations 
  • Goals:
  • Capture input from attendees
  • Gain greater clarity on implementation items (what to include; what not to include)
    
    
  • BE 2020 Prep
  • The main Doc
  • Clarification wiki pages
  • Email list for community consensus
  • Draft announcement - BE 2020 entering community consensus
  • others?

  
  

  Next CTAB Call: Wed. Nov. 20, 2019