Attending
- Mary Catherine Martinez, InnoSoft (chair)
- David Bantz, University of Alaska (vice chair)
- Brett Bieber, University of Nebraska
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University Chicago and Internet2
- Brad Christ, Eastern Washington University
- Eric Goodman, UCOP - TAC Representative to CTAB
- Jon Miner, University of Wisc - Madison
- John Pfeifer, University of Maryland
- Chris Whalen, Research Data and Communication Technologies
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Guest
- Scott Koranda, representing SIRTFI
Regrets
- Chris Hable, University of Michigan
- John Hover, Brookhaven National Lab
- Adam Lewenberg , Stanford
Action Items
- AI (Albert) update the docket with status discussed on the June 5, 2019 CTAB Call (done)
- AI (MC) send a note (drafted by AnnW) to Steering that the removal of a few entities is slated for July 15 (DONE) (KevinM will forward this info the Internet2 Exec leadership)
- AI (MC or David) solicit CTAB volunteers to join a task force to work with SIRTFI around metadata accuracy.
Discussion
Baseline Expectations Phase 1 - Closing activity update (Albert) (5 min)
- Need to set deadline for removing the few entities who have not responded to outreach around meeting Baseline Expectations
- makes sense to propose a July 15 removal date.
- CTAB agreed that a removal notice will be sent.
- AI (Albert) will update the docket with this status discussed on the June 5 CTAB Call
- AI (MC or David) send a note (drafted by AnnW) to Steering that the removal of a few entities is slated for July 15 (DONE)
(KevinM will forward this info the Internet2 Exec leadership) - Note the list of entities not meeting Baseline is extremely small compared to full InCommon membership.
- Recent statistics from June 2019
All entities: 4816 of 4844 meet the metadata expectation (99%)
IdPs: 529 of 536 meet the metadata expectation (99%)
SPs: 4287 of 4308 meet the metadata expectation (100%)
Orgs: 744 of 763 meet the metadata expectation for all entities (98%)```
TAC request for Badging sub group participation (Albert)
- Badges may be used for good practices around issues such as preservation of privacy and Identity proofing
- It will be helpful to work on a closer relationship with information security - Higher Education Information Security Committee (HEISC)
- It may be worthwhile to develop conformance testing suite to certify software
- David has joined the subgroup looking at badging, others invited to join also
- Brett and JonM will join this effort
- How does badging align with baseline expectations?
- An entity must meet baseline expectation to be part of InCommon.
- Badges will represent additional good practices
- May create a roadmap for future baseline practices
- Who is the target for viewing the badge?
- A university may be evaluating a vendor /SP for adoption and wants to see how well that vendor integrates with federation
- Target is to evaluate an SP, and there may be other use cases
- Rachana, have been asked if we can visually display to a user if standards are met? This is harder to do. Will be an interesting direction.
- Don’t want to boil the ocean and create info overload.
- Other related efforts around badging
- KevinM: There are many badging conversations going on, including in Net+, and in REN ISAAC.
- Consumption of badges by end users, consumption of badging by vendors
- Need to scope the work carefully. Be aware of what other efforts are doing
- DavidB spoke w JackS, who emphasized privacy protection, and suggested working more closely w HEISC and E&I Consortium
- RA21 work is of interest around privacy profile or privacy preserving attribute release. We may want to follow what they are working on.
- TomB: there is much context needed in evaluating practices.
- worry about badging incentivizing one size fits all solutions, though making things simple is good
- A privacy badge for a consumer service might be different than a privacy badge for a research service
Update on collaboration with SIRTFI WG
- Scott Koranda talked about proposed partnership with CTAB on a focused area
- Testing every day and quality assurance
- It’s about security incident response
- Excited about uptake of SIRTFI within InCommon
- Need to be sure those who agree to respond by self asserting SIRTFI for their IDP or SP
- They must get info they need, especially the contact emails must be in metadata and must be fresh and accurate
- For a security incident, it’s crucial to have a working and correct email contact
- SIRTFI thinking about what it means to keep that email contact info up to date and accurate
- How much testing to do of the security emails? How often? What’s the right balance and approach?
- SIRTFI thinking about this from a global perspective
- LIGO wants all IDPs and SPs to be tagged as SIRTFI
- SIRTFI knows that CTAB has gone thru the baseline expectations process, including getting complete contact metadata
- Proposal: SIRTFI and CTAB work together on exploring these issues of accurate, fresh metadata, for SIRTFI and then take the learnings to other federations to make this a global issue.
- Q: What is the current status of checking of contact metadata?
- A: InCommon checks when emails bounce
- First step for CTAB was to get entity's contacts into metadata
- Next is to be sure it stays current
- TomB: GEANT (Mario Reale’s team) has looked at a tool for checking contact metadata. Is willing to share that work.
- Q: What constitutes a valid email? Just that is does not bounce? Or that someone is checking and replies?
- A: Mario’s team’s work includes that there should be a response
- Albert: Part of responsibility as security contact is to respond to emails
- Scott: there is some requirement, but not to respond to probes
- TomB: we will need to help create definitions and modifications
- Two requirements that could be separate: 1. You assert SIRTFI 2. You have accurate and responsive contacts
- Note: it has been proposed but not yet decided if SIRTFI is part of the next version of Baseline Expectations
- What's the best way for this CTAB and SIRTFI collaboration to move forward?
- Joint work group
- To mock up small proof of concept for probing
- Brett supports a small group to work on recommendations for next version of Baseline Expectations and to be proposed to InCommon community
- This fits nicely with the direction of CTAB to look at security and email validity
- Have SIRTFI incorporate more on what’s required for security contact
- We could ask small set of IDPs and SPs to participate in small pilot
- Two prongs
- policy side on responsiveness / frequency of querying
- the technical/mechanical implementation
- Long term there might be infrastructure run by InCommon to help the smaller organizations
- AI (MC or David) solicit CTAB volunteers to join a task force to work with SIRTFI around metadata accuracy.
- Scott will solicit volunteers from SIRTFI
- Review draft Baseline Communication to Participants - (David/Brett)
- Closing Transitioning Baseline v1
- Call for initial input on Baseline v2
- This is a brainstorm phase, not a consensus phase
- Idea is to broaden be conversation beyond CTAB
- Suggestion to introduce CTAB a bit in the email
- Suggestion to solicit input using Survey Monkey
- Need to be carefully consider what questions to ask
- David suggests that in brainstorming phase we should not ask specific questions
- TomB: very important to have the right sample
- Concern about value to the federation, if we are beholden to the survey would be concerned
- There is a process on how to evolve CTAB using community consensus https://spaces.at.internet2.edu/display/TI/TI.107.1
- Decision is to continue this conversation next CTAB call.
- NOT DISCUSSED ON THIS CALL:
- BE Survey - (Albert)
Next CTAB call: June 19, 2019