
CTAB Wed April 24, 2019

Attending

  • Mary Catherine Martinez, InnoSoft (chair)
  • Brett Bieber, University of Nebraska
  • David Bantz, University of Alaska
  • Tom Barton, University of Chicago and Internet2
  • Brad Christ, Eastern Washington University
  • Eric Goodman, UCOP - TAC Representative to CTAB
  • Jon Miner, University of Wisc - Madison
  • John Pfeifer, University of Maryland
  • Albert Wu, Internet2
  • Emily Eisbruch, Internet2   

Regrets

  • Rachana Ananthakrishnan, Globus, University of Chicago
  • Chris Hable, University of Michigan
  • John Hover, Brookhaven National Lab
  • Adam Lewenberg, Stanford  
  • Chris Whalen, Research Data and Communication Technologies
  • Ann West, Internet2


 Action Items from this call

[AI] CTAB members chime in on the draft BE Adherence Guide, especially

a. whether these are the statements we want to bring to consensus and

b. whether wording (degree of required-ness) is appropriate

DISCUSSION

Should CTAB receive standing updates from related committees and working groups?

    • It was noted that InCommon TAC has updates from other groups as a big portion of each call
    • Decision: CTAB should hear reports on TAC and other groups as needed
    • When appropriate, updates from TAC (to be provided by Eric Goodman or David Bantz) can be inserted into the CTAB agenda during the agenda bash

Baseline Expectations Closing Update

    • The communications sent to the community in mid-April inspired movement on the part of several organizations who were on the list of “intent to be removed”
    • See latest status: https://spaces.at.internet2.edu/x/ZAJ0C
    • There are only a few organizations still on the “intent to be removed” list
    • It was decided to provide a deadline when an organization tells us they are working on making the updates to meet BE
    • Two weeks from the conversation with InCommon ops should be the standard deadline.
    • Albert will update the dockets with deadlines as they are communicated to the participants

2019 Baseline Expectation Roadmap  

  • Albert has worked on proposed updates to the foundational baseline expectation doc, http://doi.org/10.26869/TI.34.1
  • Compliance with SIRTFI has been added in the proposed draft
  • There is a second document, the BE Adherence Guide, which has more detail
  • It was decided that the next version of the foundational BE doc should be version 2 (not version 1.1)


    SIRTFI and next version of Baseline Expectations
    • Question: Do we want SIRTFI to be a requirement for BE, or a sufficient means of meeting the security baseline expectations?
    • One concern is that SIRTFI is about incident response, not about security as a whole?
    • Also, do we need to put a version number for SIRTFI?
    • Brett suggests we state SIRTFI can be a means of meeting the security requirement
    • This fits with the idea of clarification of the baseline expectation around security
    • SIRTFI’s Traffic Light Protocol can be an issue. SIRTFI has a requirement to use the Traffic Light Protocol to communicate with other participants.
    • Could we break SIRTFI into components?
    • TomB: SIRTFI’s intro provides some flexibility in how strictly each section must be adopted.
    • Much of SIRTFI compliance is not observable from outside the organization
    • Last resort can be community dispute resolution process if some entity objects to the level of a federated partner’s adherence
    • Acceptable use policy is part of SIRTFI.
      • Some institutions can’t provide acceptable use policy exactly,
      • may be part of a university system that has a slightly different policy
      • (there can be union negotiation implications to acceptable use policy)
    • For matters that are externally provable, baseline expectations is proving them.
    • But for matters that are internal, does CTAB want to know the details of the institution’s tradeoff? Or just want the yes/no flag?
    • Could create entity category around a requirement, but not require it as part of BE
    • SIRTFI will evolve; is it currently a good enough common standard that will not cause shock if Baseline Expectations suggests it?
    • How many orgs might leave if SIRTFI becomes part of BE? https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf
    • It was noted that any proposed change to BE would go out for community consultation, providing a chance for community reaction and feedback
    • Suggestion to add mention of SIRTFI in the draft BE Adherence Guide
    • TomB suggests including SIRTFI in the BE statements, to encourage discussion
    • Suggestion to require SIRTFI for federation manager access
    • Suggestion for annual community tabletop discussion
      • Community BE Tabletop could be a good TechEx Topic
  • We may want to keep track of concerns on proposals around next phase of BE
  • Next steps are for CTAB to keep working on the draft BE updates doc and the BE adherence guide doc

  • [AI] CTAB members chime in on the draft BE Adherence Guide, especially

    a. whether these are the statements we want to bring to consensus and

    b. whether wording (degree of required-ness?) is appropriate


Agenda items not discussed on this call

    • Connection and link to BE foundation doc and PA
    • Research orgs’ frustrations - how do they feed BE2019
    • Discussions within TAC, Net+ regarding IdPs
    • “Jack Suess” Badging thread; see above (David/MC/Albert)
      • Does CTAB wish to chime in?
  • How do we bring next set of BE requirements to the community? (question for Tom)
    • Do we position this as an addendum to current BE?
    • Do we start a new round of community consensus?
    • What is the timing for communication/engagement?
  • Question for the group - future CTAB work / agenda ideas (MC)


Next CTAB Call: Wed, May 8, 2019