CTAB Call Tuesday October 19, 2021

 Attending

• David Bantz, University of Alaska (chair) 
  
• Brett Bieber, University of Nebraska (vice chair)  
  
• Pål Axelsson, SUNET  
  
• Rachana Ananthakrishnan, Globus, University of Chicago  
  
• Ercan Elibol, Florida Polytechnic University  
  
• Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  
• Meshna Koren, Elsevier  
  
• Jon Miner, University of Wisc - Madison  
  
• Andy Morgan, Oregon State University  
  
• John Pfeifer, University of Maryland   
  
• Chris Whalen, Research Data and Communication Technologies  
  
• Kevin Morooney, Internet2 
  
• Ann West, Internet2   
  
• Albert Wu, Internet2  
  
• Emily Eisbruch, Internet2  
  
  

Guest

• Kyle Lewis, contractor working for NIAID (National Institute of Allergy and Infectious Diseases)
  
  

Regrets

• Richard Frovarp,  North Dakota State
  
• Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio  
  
• Jule Ziegler,  Leibniz Supercomputing Centre
  
• Robert Zybeck, Portland Community College
  
• Tom Barton, Internet2, ex-officio
  
• Johnny Lasker, Internet2 
  

Discussion

• Intellectual Property reminder
  
• Agenda Bash
  
• Reminder : Next Tuesday, Oct 26 Open Office Hours for BEv2
  
•    Baseline Expectations 2 Dispute Docket + process for tracking extension requests
  

Update on Baseline Expectations V2 (BEv2):

• As of Friday, Oct 15, 2021,  77% of organizations are meeting BEv2 (this does not take SSL score into consideration)
  
• Graph on wiki is updated every Monday using data from Friday
  
• https://spaces.internet2.edu/display/be
  
• 170 orgs do not yet meet BEv2 (this does not take SSL score into consideration)
  
• There is now a link to a public wiki page showing each organization’s status 
  
• https://spaces.at.internet2.edu/display/BE/be2-adherence-by-org
  
• We will start to look at each of the 170 orgs not meeting BEv2
  
  • We may want to prioritize some of the 170 orgs for outreach
    
  • Can sort on Higher Ed orgs versus Commercial orgs
    

Messaging and outreach

• In November 2021, plan to change tone of the messaging, to something like:
  
  • By <date> if you don’t meet BEV2, it will be escalated to InCommon Steering, with potential consequences including eventual removal of entity from InCommon Federation
    
• We will start tracking email bounces of the notification emails to InCommon orgs not meeting BEv2
  
• Site admin at U Nebraska had assumed the Service Providers were also getting contacted with emails about BEv2
  
  • Also, we are not contacting the delegated admins
    
• Suggestion to  modify the messaging to explain who is getting the email notifications about BEV2
  

Extension Requests 

• There will be a form to request an extension for meeting BEv2 (this form is from BEv1, will need updating) https://docs.google.com/forms/d/1h7yYqCZcrLTb854NhEHA_YZutyCY0LyXdWNewNKMKb8/edit
  
• Hope to publish the request for extension form in early December
  
  

BEv2 dispute resolution docket

• Albert has begun the BEv2 dispute resolution docket spreadsheet
• List of all outstanding organizations, allowing us to do tracking  
  
• Will update the docket every Monday when we update the graph on the wiki
  
• If you want access to the dispute resolution spreadsheet, inform Albert
  
  

Nominations for CTAB

• The opportunity to serve on CTAB was publicized at CAMP
• See announcement and application form on InCommon website:
  • https://incommon.org/community/leadership/
    
• So far, there is one nomination, an individual Brett encouraged
  
• Albert knows of another person who plans to nominate themself
  
• CTAB charter allows up to 13 members
  
• We have 13 members currently
  
• 3 CTAB members terms are ending this year
  
• 1 will not be returning
  
• Another person intends to renominate themself
  
• At end of 2022, there will be more CTAB members with terms ending
  

Plan for Tabletop Exercise for SIRTFI, (Kyle Lewis) 

• • See slides (do not include in public notes) 
    
  • IBRSP (International Biomedical Research Support Program) is required to conduct annual exercises training on the Security Incident Response Plan (FISMA requirement) 

  • IBRSP is part of InCommon; InCommon Baseline requires Sirtfi compliance. 

    • Therefore, Sirtfi part of the “cyber security fabric”. 

  • Kyle has spoken at various events recently including CAMP/ACAMP and has proposed to InCommon to run SIRTFI exercises
  • Requesting from CTAB to support/sanction the SIRTFI exercise effort  and  charter a working group
    
    
  • Meshna supports this and comments that a standard recommendation on what to log for SIRTFI, and what info to exchange after an event, would be a welcome outcome of this exercise, It is not clear to an SP what data should be shared with an IdP (and vice versa) for the other party to be able to identify an individual credential or a specific session. If we had a standard piece (one or more) of data that is agreed upon to being logged for the purpose of SIRFTI then the exchange would have been much simpler.      
• 
  
  • Andy Morgan supports this 
  • Brett: supports this, practice will be very helpful, higher visibility will be good
    
  • AnnW: this SIRTFI exercise is a great idea, InCommon should support this
    
  • Messaging will be important, to stress that the exercise will help you, it’s not a test
    
  • Not pass fail
    
  • DECISION: CTAB supports this effort
    
  • Should CTAB lead this and charter a working group? YES
    
  • Other groups need to be involved,
    • SIRTFI Working Group at REFEDs  
    • REN-lSAC https://www.ren-isac.net/
    • edugain security team
      
  • We should reach out to the other groups to have a call about the  SIRTFI exercise effort
    
  • This may be better as a broad collaborative working group supported by multiple organizations.
    
  • Charter could include membership from other organizations
    
  • It will help to be explicit on the goals we want to achieve.
    • Is one of the goals to  inform the SIRTFI working group on improvements to SIRTFI?  This could help drive participation.
      
  • Kevin: principle of keeping it actionable is good 
    
  • Figure out who we need from the other organizations
    
  • There have been some SIRTFI exercises in Europe
    
  • https://aarc-community.org/wp-content/uploads/2019/03/AARC-I051-Guide-to-Federated-Security-Incident-Response-for-Research-Collaboration.pdf
  • Kyle has spoken with Hannah Short
    
  • AI Albert and David B will organize a meeting to move this SIRTFI exercise effort forward
    

DID NOT COVER THESE TOPICS

• CAMP/ACAMP follow up / debrief: what were your takeaways? What should/can CTAB do next?

•  REFEDS MFA Subgroup update
  
• FAQ: https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ 
  
• Next steps
  
• Federation Testing WG

Next CTAB call: Tuesday, Nov. 2, 2021