Notes of CTAB Call of 25-April-
CTAB Call Wed. May 23, 2018
Attending:
Brett Bieber, University of Nebraska (chair)
Mary Catherine Martinez, InnoSoft (vice chair)
David Bantz, University of Alaska
Tom Barton, University Chicago and Internet2
Chris Hable, University of Michigan
Ted Hanss, University of Michigan
Jon Miner, University of Wisconsin - Madison
Ann West, Internet2
Emily Eisbruch, Internet2
Nick Lewis, Internet2
Kevin Morooney, Internet2
Regrets:
- Chris Whalen, National Institutes of Health
- Chris Hable, University of Michigan
- Joanna Rojas, Duke
- Ann West, Internet2
DISCUSSION
Updates on action items from the April 25 call and previous calls:
[AI] Ann develop a timeline with milestones for getting us from BE Required to BE Enforced
See below for comments
[AI] Ann draft a handful of processes to escalate who to contact first. Erin can help.
Consider pulling in the community to reach out to “delinquent” folks
Share graphs monthly and highlight those that will be focused on.
[AI] Ann revise the strawman draft to tackle campuses/orgs and drive up “compliance” -
[AI] Brett will resolve remaining comments in the Community Consensus Process Doc (nearly done)
[AI] Brett author blog for privacy policy guidance
[AI] Brett author blog for logo guidance
[AI] David Walker update the Federation wiki re privacy policy and logo info (once the guidance is final). These will be linked from the BE FAQ
Updates on older action items:
[AI] Tom, Mary Catherine and ChrisH will participate in a conversation with InCommon Ops on cycle times for escalating health check failures
Update: call scheduled for April 26
Baseline Expectations
Readiness for June 15
Getting from Baseline Expectations Required to Baseline Expectations Enforced
Transition the Community to InCommon Baseline Expectations
Ann developed timeline with milestones
Shows steps over next 9 months
Comment: Would be helpful to clarify what happens in month 8, what is meant by “alter metadata”
How do we decide which “not meeting Baseline Expectations” cases to examine and take action on?
It may be helpful to have a transparent process so it does not seem we are targeting particular orgs over others.
For example, announce we will contact R1 institutions first?
Perhaps include some such strategy in the June 15? communication.
Another opinion is that we should not announce in advance a strategy around which entities not meeting BE will be targeted.
Need to see how many non-complying entities there are.
Brett: InCommon staff will make some phone calls to orgs not meeting BE leading up to month 6.
There will be a plan of which orgs to contact/approach.
Health check report-out and published lists are key.
Leveraging TechEx to help with communications.
The community is considered transitioned when 95% of entities adhere.
If an org has a plan for conforming to BE, this will count towards the 95% adherence goal
Consensus that the “Transition the Community to InCommon Baseline Expectations” plan Ann drafted is a good starting point.
Suggested Resources for InCommon Staff working on outreach around BE
Review health check reports
Review InCommon Fee schedule
Suggestion to help schools that are close to meeting BE (missing only one element) close the gap. How's that privacy policy going?
A commercial SP with a “big multiplier” would be good to focus on.
Federation Manager “Enforcement” of Baseline Expectations
Around May 29, the Federation Manager will include a warning on entity edit when you click SAVE if you are missing the BE elements
Nick is waiting for CTAB to decide when to flip the switch on enforcing BE in Federation Manager
Outreach
Please review these blogs Brett has drafted for an upcoming BE themed newsletter:
blog for privacy policy guidance https://www.internet2.edu/blogs/detail/15968
blog for logo guidance https://www.internet2.edu/blogs/detail/15968
Some concern about the requirement for certain logo dimensions. See suggestion to the SAML2int consultation https://spaces.at.internet2.edu/x/GASMBw
Suggestion to simplify the blog by removing the info about the SAML2int logo dimensions
Add another Q&A to the blog clarifying that BE only requires that a logo be present in metadata
[AI] (Brett) update the blog around logo format to make it less rigid
Baseline Expectation Community Consensus Process
assigned Repository ID: TI.107.1 (will be in repository after consultation and approval)
Need to resolve Tom's comment about whether the initial call and the call for alternatives should be combined into one. Brett thinks yes. Brett will handle this
Hope for a CTAB demo from BillK around COmanage to be scheduled in the coming weeks to shed light on spinning up groups around dispute resolution and community consensus.
Consultation scheduled for
Open Tuesday June 5
Close on Tuesday July 10
Table top exercise around supporting baseline and dispute resolution
Brett is planning this, TomB will create a possible scenario
Include a few people from InC Operations
Will be scheduled within next month or so. Could take a few hours
Monthly Assurance Calls - Should they be continued?
- Should CTAB
[AI] Brett, David, and Ann will work on scoping the privacy policy guidance effort. ChrisW will help moving forward
Update: there is a Google doc with FAQ questions about privacy policy guidance
DISCUSSION
Baseline Expectations
Community Consensus Process Doc
Community Consensus Process Doc should go into Trust and ID doc repository, once approved. Emily has assigned a doc repository ID : TI.107.1
[AI] Brett will resolve remaining comments in the Community Consensus Process Doc
Process to maintain Baseline Expectations is already in doc repository: http://doi.org/10.26869/TI.105.1
Includes dispute resolution process
Logo Guidelines:
Thanks to ChrisH and Brett for their work on this
Looked at SAML2int guidelines around logos
Nothing in the logo guidelines is in conflict with what’s advised in SAML2int
MC: it was not hard to obtain logos for the most part in her work as an InCommon service provider
The logo guidelines should go on the wiki. No need for a Doc Repository ID
Include popup info on the federation manager about the logo field.
Perhaps update the health check email? Or if it already links to the FAQ and the FAQ includes the logo guidance, that is fine
Socialize using a blog post,
Include in the health check email a statement that we update the FAQ often.
Suggestion to add links to the Federation Manager and baseline emails
Privacy Policy Guidance
David Bantz suggests we address the question of "why are we requiring a privacy policy". Indicate this is a first step. We will probably need a future step of making privacy policies more available / useful to end users
Where will this be published? Add it to the Baseline Expectations FAQ page. Link to it from the Federation Definition page perhaps
Privacy Policy Guidance will not need a doc repository ID
Should be socialized using a blog post
- [AI] Brett author blog for privacy policy guidance
- [AI] Brett author blog for logo guidance
- [AI] David Walker update the Federation wiki re privacy policy and logo info (once the guidance is final). These will be linked from the BE FAQ
- [AI] Check with InCommon Ops on incorporating the info appropriately into the health check emails.
COmanage
- Ann noted that the processes around community consensus/dispute resolution will benefit from the COmanage process which is being implemented within Internet2 to help facilitate collaborations
- Ann has asked Chris Hubing and Paul Caskey to look at the community consensus work and the process.
- We should talk thru this on a future CTAB call.
- Bill Kaufman may do a COmanage demo for this group in the near future
Staffing
- Internet2 has posted a Federation Service Manager job. This new hire should start this summer if possible. Could potentially help with community dispute resolution process.
- Internet2 is also hiring a support engineer for trust and identity. Both new hires are due to the InCommon Fee Increase that was approved starting in 2017.
- https://workforcenow.adp.com/mdf/recruitment/recruitment.html?cid=86f9419e-52c4-4ffd-80f8-cfbda5ad990e&ccId=19000101_000001&type=JS&lang=en_US
FICAM / OMB
- TomB: We transitioned from AAC to CTAB with intention to spend more time on baseline expectations and less time on the FICAM certifications (bronze and silver profiles).
- History is that bronze and silver certifications were never required by the federal agencies.
- NIST recently revised the FICAM standard to produce version 3.
- There are requirements around procurements in version 3.
- Less value to research and education in version 3.
- TomB has discussed paths forward in his role as a member of the Kantara board. https://kantarainitiative.org/trustoperations/arb/
- Recent developments likely do NOT threaten the use of InCommon credentials to access federal agencies without using Bronze and Silver.
- FICAM program now focuses on commercial users of a federal agency.
- But higher ed users of federal agency services don’t need a heavyweight compliance framework.
- Should CTAB provide feedback to OMB? Or join with Kantara’s response?
- TomB: We have overlap with Kantara, but also some separate, distinct interests.
- Suggestion that we wait to see what Kantara develops and then decide how to proceed.
Monthly Assurance calls (to be discussed at future call)
- Should we try to continue monthly assurance calls?
- These monthly calls are mentioned in the "Stay Informed" box on the right of the Assurance wiki:
- https://spaces.at.internet2.edu/x/4SM
CTAB Meeting at 2018 Global Summit, Wednesday, May 9, noon-1:00PM
This will be a closed meeting for CTAB members
REFEDS Consultations
REFEDS Assurance Framework (round 2): Open until June 22, 2018
https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+Assurance+Framework+round+2
REFEDS Single Factor Authentication (SFA) Profile: Open until June 22, 2018
https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+SFA+Profile
Next CTAB Call: Wed, June 6, 2018