CTAB call of December 1, 2020   

Attending

• David Bantz, University of Alaska (chair)  
• Pål Axelsson, SUNET  
• Brett Bieber, University of Nebraska  
• Rachana Ananthakrishnan, Globus, University of Chicago   
• Tom Barton, University Chicago and Internet2, ex-officio   
• Ercan Elibol, Florida Polytech Institute   
• Richard Frovarp,  North Dakota State 
• Eric Goodman, UCOP - TAC Representative to CTAB 
• Jon Miner, University of Wisc - Madison  
• John Pfeifer, University of Maryland    
• Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio   
• Chris Whalen, Research Data and Communication Technologies 
• Jule Ziegler,  Leibniz Supercomputing Centre  
• Robert Zybeck, Portland Community College  
• Johnny Lasker, Internet2   
• Kevin Morooney, Internet2
• Ann West, Internet2  
• Albert Wu, Internet2  
• Emily Eisbruch, Internet2  

Regrets

• Mary Catherine Martinez, InnoSoft (vice chair)
• Chris Hable, University of Michigan

Discussion

 CTAB topics at  InCommon CAMP and ACAMP November 16-20, 2020

• Baseline Expectations v2 was officially launched at the Nov. 17 CAMP session titled Baseline Expectations 2021: increased assurance and interoperability  
• During Q&A, we received some pushback from one stakeholder on the requirement for Qualys A grade from TLS testing.
• There was emphasis at CAMP and ACAMP on the NIH call to action 
  
  ACAMP sessions
• Baseline Beyond BEv2 , Wed. Nov. 18, 2020
• Refeds MFA- Signaling MFA, Signalling MFA/loa capabilities (for discovery) via entity category(ies) in metadata,Wed. Nov. 18, 2020
• Assurance Part 3 what is the purpose of Assurance, Friday, Nov. 20, 2020
  
  

CTAB response to NIH Call to Action - facilitate REFEDS Assurance and MFA

• Messaging about the NIH Call to Action started at TechExtra in October 2020
•  Oct. 6, 2020 keynote from NIH 
•  Oct. 6, 2020 NIH panel 
• There was continued discussion about the NIH call to action at CAMP and ACAMP, November 2020
• ChrisW: Background is that NIH runs a proxy for a number of Service Providers
• Some services need minimal authentication from a researcher while others need more. Examples:
• Lower level: PubMed, you can use your InCommon credentials to save your searches, and the publication index
• Higher level: All of us service, has high-level need for assurance and verified credential from the IDP
• requires signalling MFA and need for the IDP asserting some identity verification

• NIH has notified the academic community that the MFA attribute and some identity verification assurance will be required in 2021
• This is a new approach
• The older approach - InCommon Bronze and Silver Profiles- the Assurance Advisory Committee (AAC) approach : this is FICAM, this is what the federal govt will require, including audits
• New approach: accept that community has developed standards and use those standards to achieve a valuable credential

MFA Requirements

• The MFA requirement that CTAB has considered for Baseline Expectations is that that IDP knows how to signal MFA 
• This NIH approach seems to be that MFA is asserted as an authentication method
•  One approach is there is a signal for Auth context class , IDP will see that and respond with MFA attributes
  
• Step up
• The InCommon Certificate services does a step-up
• Example of possible use of step-up: If users only want to use PubMed, then we may not need MFA
• If users want other kinds of access, we want the step-up
• That kind of signalling is complex on both the IDP and  SP sides, and work will be needed to make it effective
• Especially where there are multiple needs to communicate thru the proxy to the IDP
• A challenge is to give SPs effective guidance for how to invoke MFA
• Answering the questions around “what happens if?”  
  
  
• ChrisW: There is an NIH group running a proxy and developing a test site. 
• This site will provide testing of MFA and assurance
• https://authdev.nih.gov/CertAuthV3/forms/compliancecheck.aspx
• Shows if you are doing R&S, REFEDs MFA, REFEDs Assurance
  
  
• Pal: SUNET has a proxy service that in future will handle to MFA for organizations not capable of doing MFA
  
• There has been discussion of creating a research profile to sit on top of Baseline Expectations
• CTAB might take ownership of that trust profile for InCommon
• It may also be helpful for CTAB to develop equivalency for assurance
• Map REFEDs assurance to processes already being done on campuses
• If you can do an I9 proofing…
• List archive thread on REFEDS MFA

• REFEDs assurance and REFEDS R&S both need updating
• REFEDs assurance was developed prior to the release of NIST 800-63-3; used KANTARA standards
• It is now hard to get to the Kantara standards
• TomB has talked to Kantara community member about making standards more openly available (version 2 and version 3), openness/ availability issue is around tracking use
• Mapping to 800-63-3 would be useful 
• For EPP ID there is the need to update to pairwise
• Timeline for next version of REFEDs assurance framework is not yet established
• Updating R&S should be a priority
• There is a meeting coming up, with Heather leading, Pal will participate

• Next Steps: AnnW reached out to JeffE of NIH last week about convening a group of subject matter experts to work on the issues NIH wants, the signalling and handshakes, and perhaps create more documentation on assurance. Ann will keep CTAB informed on this.

CTAB member election - Ann / Jessica 

• Next steps:
• CTAB chair to email 4 new members to InCommon Steering for final acceptance, their meeting is next Monday
• Jessica will email those not accepted 
• Internet2 staff will onboard new members after InCommon Steering acceptance
• Chair election - Jessica
• All continuing members are on the ballot, email Jessica by end of day on 12/7 if you don’t want to be on the ballot
• Ballot will go out on 12/8

Baseline v2 next steps

• BE v2 Implementation Plan: https://docs.google.com/document/d/1zl6a-LBwdeOvVmei554P7VHxenyeV2iZ8Nfw4s3Ru9c/edit   
• Communications to non-adhering participants, David and Albert will work on this outreach
• List of non-adhering participants, Johnny and Albert will work on this list
• Scanning for TLS takes time
• Even before TLS scanning is done, we can inform participants of their compliance or deficits with Error URL & SIRTFI  components of BEv2
• On Dec. 17, announcement in InCommon Newsletter about launch of BEv2, 
• Baseline v2 FAQ
• It was agreed  to include these BE FAQ  documents as part of the InCommon federation wiki.   https://spaces.at.internet2.edu/display/federation/
• Not only in the Baseline Expectations wiki.    BE wiki will be a project wiki.  
  
• Pal: there is work on creating Federation level version of Error URL profile 
  
  

REFEDs Baseline work : consultation before end of Dec 2020

• Similar to BE v1, SIRTFI is not mentioned, R&S not mentioned
• It consists of high level statements right now 

Next CTAB call: Tuesday, December 15, 2020