CTAB call Tuesday, February 23, 2021
Attending
- David Bantz, University of Alaska (chair)
- Brett Bieber, University of Nebraska (vice chair)
- Pål Axelsson, SUNET
- Rachana Ananthakrishnan, Globus, University of Chicago
- Tom Barton, University of Chicago and Internet2, ex-officio
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Meshna Koren, Elsevier
- Jon Miner, University of Wisc - Madison
- Andy Morgan, Oregon State University
- John Pfeifer, University of Maryland
- Chris Whalen, Research Data and Communication Technologies
- Robert Zybeck, Portland Community College
- Johnny Lasker, Internet2
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Regrets
- Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
- Jule Ziegler, Leibniz Supercomputing Centre
Discussion
Around the Community
- Trust and Identity Operations Update
- There was a release last week of the InCommon Federation Manager introducing BEv2 functions
- Including API capability for internal recording
- InCommon TAC updates
- InCommon TAC is working to complete the TAC 2021 work plan
- Developing recommendations for adopting cross-federation profiles
- Subject identifiers
- Looking at Seamless Access
- REFEDS Working Groups
- The REFEDS Baseline Expectations working group is going through the comments on the closed REFEDS Baseline Expectations Consultation
Baseline Expectations V2 updates
- InCommon Federation Manager has been updated to alert Site Administrators of BEv2 requirements during data entry.
- API allows tracking of compliance data
- Johnny is pulling data daily
- Dashboard is available - with four days of data
- Albert sent a snapshot of the current statistics to CTAB list
- Don't yet have all the TLS scoring in place
- Reporting if an org has HTTPS endpoints or not
- Most of the issues in non-compliance are around SIRTFI
- Some organizations are unaware of SIRTFI
- Communications will help
- Albert will give all CTAB members access to the Google shared drive with the data
- Spreadsheet will evolve into a trend graph
- Currently shows percentage of orgs meeting the BEv2 requirements
- At signing into the Federation Manager, there will be a notice/warning of BEv2 compliance status
- It will still be possible to publish data in Federation Manager
- Agreed it makes sense to start with a directed email to the Execs, letting them know we are starting with BEv2 and explaining what to expect
- When it's time to start sending info on non-compliance, first step should be to send notice to Site Admins
- Agreed it makes sense to send notice first to Site Admins, before sending to InCommon Execs
- It was agreed it does not make sense to send a congratulations email to those who are compliant
- Reason: compliance will change as TLS score changes
- The TLS score “slides”; at any point, an organization can become non-compliant
- Risk in declaring victory prematurely
- We plan a long-term, sustainable notifications process
- See BEv2 implementation plan: the default plan is to scan an entity whenever it changes, is added, or reaches one year since its last scan
- Suggestion to specify in outreach which entities are compliant or non compliant
- That was helpful in BEv1
- There is an issue with mail merge capability
- Will look into a longer-term solution
- At this point, would need to do a lot of copy and paste to accomplish emails specifying entities
- The info showing which entities are compliant or non compliant is in the InCommon Federation Manager
- Need to go into each entity in Federation Manager at this point
- The info exists on the backend
- May improve that in the future
- Emails will say out of <this number of> entities, <this number> are out of compliance
- There is a draft notice to non-compliant orgs
- Hope to send out 1st announcement towards end of this week or Monday
- To let InCommon participants know if they have missing elements in SIRTFI or error URL
- We are not ready to report on endpoints, but will mention endpoints as part of BEv2
CTAB/NIH Assured Access Working Group Status Update
- The new Assured Access working group has met 3 times
- Last week’s discussion included assessment of IAL-2 and I9 and eSurvey and mapping to various assurance levels
- Appreciated Kyle Lewis's work on this
- https://drive.google.com/file/d/1yp5BGVVL7IkEOi_bU1IlL84CcGl29_Qt/view?usp=sharing
- Mapping of identity assurance levels
- Next steps: continue discussion, produce recommendations
- Suggestion to repeat Kyle’s analysis with Kantara IAP
- There are strengths to having a Driver's License that is a Real ID
- Institutions have employees that pre-date the Real ID, and pre-date E-Verify
- We should think and perhaps provide guidance about duration
- There’s building pressure from the community to receive some guidance
- Folks reaching out on email lists
- It came up on Big Ten Identity Management call
- With E-Verify and I9 together, we are close to what is needed
- We can show examples, how you compose a policy for individuals to meet the needed level
- Aiming for end of March to produce community guidance
- This guidance is scheduled for an April IAM Online webinar, could move up to a March IAM Online
- Brett: stick with April for this IAM Online
- PubMed is moving to federated identity
- Assured Access Working Group meets again on Thursday. It’s open to all.
- Beyond NIH - how do we build on this and expand adoption of standard “research interop profile”?
- What would a standard research interop profile include? Who do we write this for?
- Volunteers to write/review content
- When do we involve additional research communities?
- Hoping if NSF has a similar requirement to NIH, then we can leverage the work being done now. CC Star in NSF does require federated identity? Dept of Energy, NASA,
- Federated Credentials can be used for research.gov
Reading/Reference Material
- Baseline Expectations 2 Implementation Plan (timeline/schedule)
- Assured Access Working Group wiki: https://spaces.at.internet2.edu/display/aawg
Next CTAB Call: Tuesday March 9, 2021