CTAB call Tuesday, June 1, 2021

Attending

  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska (vice chair) 
  • Pål Axelsson, SUNET   
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Meshna Koren, Elsevier   
  • Jon Miner, University of Wisc - Madison  
  • Andy Morgan, Oregon State University  
  • John Pfeifer, University of Maryland  
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio 
  • Jule Ziegler,  Leibniz Supercomputing Centre  
  • Robert Zybeck, Portland Community College  
  • Ann West, Internet2    
  • Emily Eisbruch, Internet2  
  • Chris Whalen, Research Data and Communication Technologies 
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2 
  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • Tom Barton, University of Chicago and Internet2, ex-officio

Regrets

  • Ercan Elibol, Florida Polytechnic University 
  • Richard Frovarp,  North Dakota State 
  • Albert Wu, Internet2  


New Action Items from this call

  • AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
  • AI David - iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary

Discussion

Working group updates

  • Assured Access  Working Group 
  • Proposed improvements to the draft:
    • add mention of bronze and silver profiles
    • include the eduPersonAssurance attribute, conforming to REFEDS baseline
    • Getting towards cappuccino profile or espresso profile, etc.
    • Aspects beyond identity assurance
    • To assert those levels, must assert the base prefix for REFEDS assurance
    • Brett will incorporate that
  • Will help to have CTAB think through how to solicit for more input as we get closer to consultation close date
  • Ann: Had call w NIH around organization support of REFEDS Assurance Framework (RAF), identity proofing qualifiers, working to get NIH ready
  • NIH will put up a website this week hopefully, with links to InCommon and REFEDS
  • Suggestion to add to the Assured Access WG draft another assertion to add inside the multi valued attribute being released.
  • It’s mechanics for members of InCommon, they should be supporting that through Baseline Expectations
  • TomB:  topics for the Assured Access WG:
    • as campuses start implementing, people will need a place to go for questions that arise, need to specify where to get questions answered
    • There are processes that undergird identity proofing profiles based on relationships
    • NIST dropped this approach from version 2 to version 3
    • But relevant in academia 
  •  Brett AIs
    •  Incorporate feedback into the draft doc
    • Draft info on how bronze and silver profiles align
    • Schedule meeting of Assured Access Working Group to review feedback from consultation 
  • NIH update (compliance tool data)
    • Meetings are biweekly with NIH 
    • Info on the results of using a compliance check tool
    • NIH IDM people updated the compliance check tool to be useful for IDP operators
    • It was originally for researchers 
    • Goes into the details around meeting the NIH requirements
    • Data will be sent to us on results of using the compliance tool 
      • Will use this data for a progress chart
      • To show how the community is responding to the NIH requirements
    • New NIH webpage will be helpful
    • Privacy policy for NIH is being worked on, this was an issue for some of the UK institutions, some resistance to being sent to PubMed, and concern about how R&S would be handled
    • PubMed moving to solely federated access
    • Requires R&S attributes, (not sure if R&S is truly needed, being looked at)
    • Timetable is still taking shape
    • Will update the wiki page when dates are available https://spaces.at.internet2.edu/display/federation/get-nih-ready

Email message revision re BE v2 compliance
https://docs.google.com/document/d/1IkktKTB2vWo47cnnW1zaVyW3K-UZX6oGfoXui1DheAU/edit   (do not include in public notes)

    • Email to those orgs not in compliance w BEv2
    • Execs will get same message as Site Admins
    • Suggestion to add to the note that the link in the email will work for Site Admins, but not Execs in most cases (unless they are also a site admin)
    • Must go to Federation Manager to see the details
    • Did we resolve the concern that the Big Ten Academic Alliance IAM  group had about contacting the SPs directly?
      • Big Ten thought the IDP operators often don’t have sufficient influence over the SPs, that InCommon may have more influence
      • From IDP side, trying to influence SPs is fighting uphill
      • Currently pulls IDP and SP info
      • Some confusion around messaging
      • Is the suggestion to have a special SP outreach?
      • Technical contact for the SP and delegated admin are different
      • Delegated admin has some access to Federation Manager
      • Can be delegated for certain SPs to make changes for publication
      • The Site Admin must approve the changes
      • We want delegated admins to move their part of the needle and we need to message this
    • AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
    • Suggestion to communicate directly to each security contact, but clarify that they must contact site admin if needed
    • Johnny has meeting today w EDUCAUSE, hopes to get more feedback from them
    • Suggestion for targeted message just for those missing SIRTFI
  •  add security contacts from metadata? 


  • How do we communicate to participants the consequence of
    “not scoring ‘A’ on SSLLabs’ test”? 
    • Current messaging may not be clear enough
    • Don’t want to imply it is needed to get an A to be in InCommon
    • EricG: people want specifics, on questions like: can I claim SIRTFI? Do I need to have an A or B on SSL labs testing? 
    • TomB: we want to know the schedule for an org to meet the BEv2 requirements
    • The issue around whether grade of A on SSL labs testing is required or not is confusing
    • Cycle times, CTAB  says: give yourself six months to fix this issue, if that’s not enough, let’s talk.
    • Should we have a formal “extension” request for organizations that cannot meet July 2021 target for BEv2?
    • Suggestion to add this info to the email message to InCommon site admins and execs, and/or add this to another message in about 2 weeks
    • We don’t want organizations to start thinking they must “drop out” of InCommon federation based on SSL Labs score
    • Johnny: Plan is for “teeth” to be added for BEv2 on July 19. 
    • We will pause changes to metadata for some issues, but NOT for the SSL grade.
    • Currently the email says,  “ For assistance, please contact us at help@incommon.org.”
    • This is too terse
  • AI David - will iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary


  • WebID: The End State 
    • https://github.com/WICG/WebID
    • Concern this effort will break conversation between IDP and SP
    • They intend to unpack/unbundle the attributes the IDP is sending
    • Challenge is, browser vendor can’t be sure if someone is sending info to track authentication or to track the user
    • Want to limit tracking, but still need to allow other things to happen
    • Just disallowing the technologies will break more than authentication
    • EricG has participated in some of the discussions
    • InCommon TAC is involved in these conversations
    • This is a multi year effort, related to SameSite effort
    • No one knows what the end state will look like
    • Comment: Microsoft has some info online, don’t see enough people from R&E included in the conversation.
    • We should be sure our R&E use case is represented
    • Heather F is involved with Google on this and she is communicating w InCommon TAC about it
    • Browsers as another important player in the trust fabric?
    • Suggestion for a federation friendly browser

Next CTAB Call : Tuesday, June 15, 2021