Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



Baseline Expectations (BE) 2020

  • OWASP cheat sheets - how do we apply them  to BE requirements (TomB)
    • TomB: for consumer electronics , not subject to those restrictions. People can travel  with their cellphones.
    • Regarding this BE statement:
      • "All SP service endpoints must be secured with current, supported, unbroken transport layer encryption"
    • Need to have appropriately encrypted endpoints
    • The 2 OWASP cheat sheets demonstrate there are many details and choices
    • CTAB must decide which are satisfactory choices
    • TomB shared scanning mechanism used at U. Chicago
    • DavidB: suggests most restrictive approach
    • Jon: if a platform (eg, Windows) can’t support the most restrictive approach, is that outside of baseline?
    • We  must do the research to tell participants what to do on an open SSL platform and what to do on Windows
    • Hard to figure out the best approach on containers
    • SSL Labs has an API, can be used to measure, provides a grade and provides feedback
    • Goal now is to support TLS 1.2 but eventually the goal posts will change
    • TLS 1.1 will soon mean a grade of B instead of A
    • If we apply the SSL Labs standard to a commercial SP (such as Box) that is crucial for campuses, it will be a problem if Box gets “kicked out”
    • Suggestion that MC, Rachana, and others try this SSL Labs test
    • AI (Rachana) talk with her team to get more perspectives about improving the TLS
    • AI (John) talk with his team to get input about improving TLS
    • Use API to automate the SSL Labs testing?
    • What would be the next steps and consequences and timeframe for fixing if an organization does not pass
    •  It would be convenient to reply on SSL testing and grade for Baseline Expectations
    • There would be cycle time for remediation if grade falls below an A 
    • Issues around International browsers ?
    • Is the suggestion that participants test themselves and submit their results?
    • Or would InCommon do the testing?
    • [AI]  Albert consult with NickR on engineering or other practical concerns that would arise  if InCommon does the testing around secure endpoints
    • Important to provide guidance on how to disable TLS 1.1 
    • DavidB found lack of documentation for Windows on this 
    • CTAB would need to provide guidance
    • Find out the top platforms being used, Tomcat,  JEDI, 
    • There will be some support burden; “I want to do this but I don’t know how”
    • CTAB needs to figure out what is reasonable, be careful in setting a high bar that is hard to implement
    • For those who do not meet this, there would be a process, including dispute resolution, and could lead to extensions being given and/or an exception being mad
    • Steering is the final judge in cases where an entity might be removed from metadata
    • The community will have time to adhere to any new baseline requirements

  • Sirtfi - what do we need to say to clarify? (David)
    • Do we need to go beyond “by checking the box you agree to support the SIRTFI framework”
    • At U Alaska, they don’t adopt SIRTFI as practice, and that would be OK under the proposed Baseline Expectations. They can  respond to a request for SIRTFI and that is what is required. 
    • AI Albert  flesh out the BE 2020 doc with more on SIRTFI, endpoints,  and other matters