CTAB call of September 1, 2020

This was an off-week CTAB call to finish reviewing comments and editing the Baseline Expectations v2 Implementation Guidance and Best Practices document


 Attending

  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska 
  • Pål Axelsson, SUNET  
  • Tom Barton, University Chicago and Internet2, ex-officio  

  • Richard Frovarp,  North Dakota State  

  • Jon Miner, University of Wisc - Madison    
  • Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio  
  • Robert Zybeck, Portland Community College  
  • Johnny Lasker, Internet2  
  • Ann West, Internet2
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2  
  • Dean Woodbeck  

Regrets

  • Mary Catherine Martinez, InnoSoft (vice chair)
  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • John Pfeifer, University of Maryland
  • Eric Goodman, UCOP - TAC Representative to CTAB 
  • Ercan Elibol, Florida Polytech Institute  

  • Chris Hable, University of Michigan

  • Chris Whalen, Research Data and Communication Technologies 

  • Jule Ziegler,  Leibniz Supercomputing Centre


Discussion

Intellectual Property reminder   

BE2 Implementation Guidance & Best Practices                                                                   

  • Albert implemented the suggestions to the document made on the last call, including 
    • improved statement numbering
    • There are now subsection markings and references to the SAML2 profile 
  • Secure endpoints section
    • Moved the OWASP reference to the footnote
    • Changed  “should” to “shall”
    • The 90 day countdown period was clarified
    • annual testing by the federation operator:   “The Federation Operator SHALL test each registered entity at least every 365 days. It SHOULD test when a significant change event occurs (e.g., changes in the entity’s metadata, SSL Lab changing the grading criteria, etc.)”
  • SIRTFI section
    • Clarified the statement about SIRTFI as applied to federated single sign on
    • Added text that indicates that checking box about complying with SIRTFI acknowledges responsibility
  • Albert will work on wording around informing the exec
  • Wording around Health Check reports has been clarified
  • Error URL section: A title was changed in one place


BEV2 Implementation Planning
     

    • Package I: Pre-requisite changes required for Participant Implementation
    • Package II: Additional Features / Refinements
  • Package 1
  • Focus on things the Federation operator must put in place
  • Federation operator health check reports
  • Federation Operator starts warnings to entities that don’t meet Baseline

  • Package 2 
  • Do automated scanning at scale
  • Will look at endpoints, will also look at contacts

  • Plan is to use QUALYS for scanning
  • Need to modify backend infrastructure to mark last scan date
  • Trigger scans based on  
    • If entity  not scanned within a year
    • If entity has been updated for certain data elements, especially endpoints updates  
    • If SSL Labs has significant changes in grading criteria
    • Possibly other trigger points for a scan, such as a change to the Site Admin
  • Will relax the requirement for the privacy, logo and error URLs in metadata to  have 200 response code, certain other redirects will be allowed

  • Future: stop the ability to register metadata that does not meet baseline
  •  notify and eventually, if required, remove those entities that do not meet BE
  • For health checks, the goal is to create a database that can be queried, to make the process more dynamic and flexible

  • Opportunity to decide carrot or stick, for health checks
  • During implementation  we may  send  targeted emails for those not in compliance
  • Nice to acknowledge those in compliance, but don’t want to imply they will be in compliance in future, as things can change
  • There is a RACI chart,  geared towards internal use, but CTAB is represented generally. CTAB is accountable for making sure BE2 is done
  • Begin next week and complete before end of 2021. 
  • Transition date goal around July 1, 2021
  • Due to pandemic, schools may be occupied with other matters
  • Similar to schedule for BEv1
  • If not for pandemic, possibly BEv2 would have been scheduled at slightly faster pace

Communications and Outreach

  • Dean suggests we consolidate communications on a regular cadence, about every other month
  • In parallel with some targeted outreach to those not in compliance
  • Planning for some office hours, depending on the need

  • An important milestone is online CAMP and ACAMP,   November 16-20, 2020
  • https://incommon.org/academy/camp-meetings/2020-virtual-camp-and-advance-camp/
  • After that start the implementation phase
  • Have FAQs and other materials ready at that point
  • Impact analysis: community may not be informed about how much of a lift
  • Have some of the reporting prior to finalizing
  • Updating the data we have
  • QUALYS SSL lab scans, we have initial report from many months ago
  • Albert: we are working on the impact analysis
  • We expect there may be significant lift around Error URL
  • Scanning has been tricky because it takes so long to scan 
  • Hope to do the one time scan using QUALYS SSL
  • It was noted that InCommon Steering will also be interested in seeing an impact statement

Next Steps:

  • Albert will finalize the implementation doc
  • Feel free to send additional comments.
  • To start the Trust and Identity consultation, we must officially announce the opening of consultation, 
  • Could launch consultation on Sept 8. 
    Trust and Identity Consultations


Next CTAB Call: Tuesday, Sept. 8, 2020, day after Labor Day

 

  • No labels