CTAB Wed. Dec. 18, 2019
Attending
- Mary Catherine Martinez, InnoSoft (chair)
- David Bantz, University of Alaska (vice chair)
- Brett Bieber, University of Nebraska
- Tom Barton, University Chicago and Internet2
- Brad Christ, Eastern Washington University, InCommon Steering Representative to CTAB
- John Pfeifer, University of Maryland
- Chris Whalen, Research Data and Communication Technologies
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Jessica Coltrin, Internet2
New CTAB Members for 2020
- Pål Axelsson, SUNET
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Robert Zybeck, Portland Community College
Regrets
- Rachana Ananthakrishnan, Globus, University of Chicago
- Eric Goodman, UCOP - TAC Representative to CTAB
- Chris Hable, University of Michigan
- John Hover, Brookhaven National Lab
- Adam Lewenberg , Stanford
- Jon Miner, University of Wisc - Madison
- Jule Ziegler, Leibniz Supercomputing Centre (new CTAB member as of 2020)
Discussion
Introductions and welcome to new CTAB members
Officer election reminder
- Ballots for the officer election went out via email Dec 18, 2020
Recap of CTAB activities at 2019 TechEx in New Orleans
- We made good progress at 2019 Tech Ex in discussions with the community
- Here are notes from CTAB Open Meeting at 2019 Tech Ex https://spaces.at.internet2.edu/x/rRiJCQ
- There was discussion on the 5 proposed items for Baseline Expectations (BE) 2020
- General feeling at Tech Ex: no one was opposed to the five items being suggested for BE
- We could move ahead with Community Consensus https://www.incommon.org/federation/community-consensus/
- It was significant that Howard Pfeffer, President and CEO of Internet2, mentioned Baseline Expectations in his address at 2019 TechEx
- DavidB and Albert provided InCommon update session on Tuesday Dec 10, 2019 https://meetings.internet2.edu/2019-technology-exchange/detail/10005580/
- These Advance CAMP (ACAMP) sessions were useful
ACAMP 2019 Sessions related to Baseline Expectations
- There was an interesting notion of a shim or broker or bridge so potential IDPs that would not support all 5 of these components could still be in the InCommon Federation
- It was noted that R&S and REFEDs MFA may require technical abilities that are missing from Okta and other IAM frameworks.
- Could use IDP as a service as bridge option
- The R&S discussion was interesting; R&S is often perceived as a general release of attributes to any SP
- In fact, R&S is a targeted release from scientific faculty to certain research SPs
Suggested Next Steps
- For BE 2020, we should communicate the items that are part of BE 2020, and also the items that are coming down the road
- It will be important to have a clear timeline for TLS, Error URL and SIRTFI, and an anticipated timeline for supporting REFEDS MFA and the R&S attribute bundle, pending addressing the technical barriers to support
- For R&S attribute bundle and for MFA signaling, we might say, we want those to be in place for 2021 and here is what must be in place.
- This way organizations will know how to prepare
- Question: has impact assessment been done on the proposed BE 2020 items?
- Answer: we may lack the data needed for an impact assessment for the proposed BE 2020 items
- Q: Can a risk analysis be done, explaining the risk to the federation if we don’t do Error URL, for example?
- It was suggested that we should explain that government SPs are requiring an SSL grade of 'A' from the SSL Labs scan tool
- This indicates it’s a real requirement
- It was noted that for BE items focused on security, looking at risk is very important.
- Shannon Roddy, Security Lead on the Internet2 staff, is looking at SSL Labs data
- Vast majority have an A grade
- there is also an A plus score not shown on Shannon’s graph
- Note that requirements/grading will change and in 2020 there may be an increased number of Bs
- Risk assessment can help illustrate why CTAB suggests putting items into Baseline Expectations versus making them a best practice.
- Albert will check with Shannon and NickR around the amount of effort to do risk assessment.
- Risk assessment should be doable for Error URL and TLS 1
- Would be helpful if risk assessment would identify risks to both SPs and IDPs
- Service Provider considerations
- SP best practices around Error URL will be important
- Perhaps CTAB should charter a working group to work with SPs to sort out Error URL
- Recurring aspects to the current BE requirements
- Interesting to think about the recurring aspects to the current BE requirements.
- Albert: InCommon federation plans to do recurring checks on metadata
Summary of the proposed new items for BE 2020
- TLS 1.2
- refers to web communication to SP and IDP endpoints
- Some Encryption suites used inside the TLS protocol are insecure
- Want to be sure good practice is being followed
- Could check on this using SSL labs
- SIRTFI
- Framework to communicate about potential security incidents
- BE would be a self-assertion of compliance with the SIRTFI framework
- ERROR URL
- URL listed in IdP metadata
- The SP refers the user to it when insufficient attributes are present in the SAML assertion
- This is an attempt to fix a problem identified by an SP
- R&S attribute bundle
- For use with scientific SPs
- Signaling to request REFEDs MFA (multi factor auth)
- SP can use it to request MFA
- IDP should be able to respond with appropriate AuthN context (https://REFEDS.org/profile/mfa) asserted (if MFA used), or decline to send authentication assertion if unable to provide MFA for that user
- AuthN context
- An SP making a request to authenticate a user can say “I want this Authentication context”
- An IDP can include the authentication context in the assertion back to the SP
- If the IDP cannot make the requested assertion, they would abort, ideally they’d provide some useful info to the end user on why the access failed.
REFEDs MFA: https://docs.google.com/document/d/1ASI_fvciqj6JWRiJZbUUWSLTLb-BfWjkK8syxlXHHFo/edit
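The exchange described above, as an added example (not code from the meeting or from InCommon): the SP puts the REFEDS MFA class in RequestedAuthnContext, the IdP either asserts that class or declines with a NoAuthnContext status and no assertion, and the SP accepts only a Success response carrying the class it asked for. The entity IDs and the "two distinct factor types" rule are constructed simplifications.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REFEDS_MFA = "https://refeds.org/profile/mfa"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id: str) -> str:
    """SP side: an AuthnRequest asking exactly for the REFEDS MFA context."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_req1", Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(req, encoding="unicode")

def idp_respond(request_xml: str, user_factors: set) -> str:
    """IdP side: user_factors is a constructed set of factor types used in this login
    (e.g. {"password", "totp"}); MFA is asserted only when two distinct types were used."""
    req = ET.fromstring(request_xml)
    wanted = {e.text for e in req.iter(f"{{{SAML}}}AuthnContextClassRef")}
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1", Version="2.0", InResponseTo=req.get("ID"))
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if REFEDS_MFA in wanted and len(user_factors) < 2:
        # Decline: no Assertion at all, and a status the SP can turn into a useful error page
        code.set("Value", RESPONDER)
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=NO_AUTHN_CONTEXT)
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = "MFA not available for this user"
        return ET.tostring(resp, encoding="unicode")
    code.set("Value", SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1", Version="2.0")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement")
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = (
        REFEDS_MFA if REFEDS_MFA in wanted else PASSWORD_PT)
    return ET.tostring(resp, encoding="unicode")

def sp_accept(response_xml: str, required: str = REFEDS_MFA) -> bool:
    """SP side: accept only a Success response whose single class ref is the one requested."""
    resp = ET.fromstring(response_xml)
    top = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") != SUCCESS:
        return False
    refs = [e.text for e in resp.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return refs == [required]
```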
CTAB Meeting schedule for 2020
- Need to schedule CTAB calls to accommodate time zones from Alaska to Sweden
- Current CTAB meeting time is biweekly Wednesdays at 4pm ET
- AI: Albert to send a Doodle poll to determine the best CTAB meeting time
Next CTAB call TBD based on results of Doodle Poll