Attending
- David Bantz, University of Alaska (chair)
- Jon Miner, University of Wisc - Madison (co-chair)
- Warren Anderson, LIGO
- Pål Axelsson, SUNET
- Tom Barton, Internet2, ex-officio
- Matt Eisenberg, NIAID
- Ercan Elibol, Florida Polytechnic University
- Richard Frovarp, North Dakota State
- Eric Goodman, UCOP - InCommon TAC Representative to CTAB
- Mike Grady, Unicon
- Scott Green, Eastern Washington U
- Johnny Lasker, Internet2
- Kyle Lewis, Research Data and Communication Technologies
- Andy Morgan, Oregon State University
- Andrew Scott, Internet2
- Rick Wagner, UCSD
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Independent, scribe
Regrets
- Meshna Koren, Elsevier
- Kevin Morooney, Internet2
Pre-reads
- draft 2023 CTAB Work Plan
- NIST SP 800-63 Digital Identity Guidelines
Discussion
- Reminder: Internet2 Intellectual Property Reminder
NIST 800-63-4 review
- Links:
- NSPM-33: https://trumpwhitehouse.archives.gov/presidential-actions/presidential-memorandum-united-states-government-supported-research-development-national-security-policy/
- NSPM-33 Implementation Guidance: https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf
- CTAB should convene joint group with InCommon TAC (and possibly CACTI and others)
- The review of NIST 800-63-4 is on the InCommon TAC workplan
- Formulate coordinated response from InCommon community
- Goal would be to produce reviewable content by end of February
- Comments are due to NIST by March 24, 2023; a series of spreadsheets must be filled in
- Preliminary thoughts:
- The issue of preferred names (lived names) is important. How necessary is “legal” name?
- There are concerns about security within research. Identity team deciding if ORCID identifier is authoritative persistent identifier.
- NIST is influential. Trying to use REFEDS to allow reasonable equivalent. Submitting comments through NIH channels. IAL1 is too strong. REFEDS high is almost IAL2, but not IAL1 (!!)
- It's about mitigating risk and how this will work as a tool for us, or not
- NIST 800-63-4 is guidance, per its own FAQ
- Part C, does it describe our federation?
- There is a requirement to signal FAL level, but no explanation of how to implement that.
- Next steps: read entire NIST 800-63-4 and then decide which part you want to focus on
- DECISION: Tom Barton will lead a reading group of NIST 800-63-4 (likely weekly meetings). Albert will flywheel. Includes coordinating with InCommon TAC and CACTI.
2023 CTAB Work Plan (continued from last CTAB call)
- Workplan Item: Proposal to frame first item in work plan (formerly called XXX Readiness) as “Framing the next chapter of federation maturity”
- It's not about compliance; it's about being helpful
- Concern this should be scoped more
- Perhaps just do the review of what's available and then decide next steps
- There is work in progress on many related areas, including
- IAM practices - assurance, identity lifecycle management, account mgmt (linking, mapping, decorations)
- data standards / use - schemas, entity categories, etc.
- technical interoperability (SAML, SAML2Int, etc)
- Security and operational practices
- User experience / support
- Others?
- Suggestion of a deliverable for people new to federation to help them along, a welcoming document.
- Comment: It would be helpful to have a way to signal items that are not applicable to an organization.
- Workplan Item: Clarity on BE enforcements / operationalizing Baseline
- What does it mean to follow Baseline Expectations, including SIRTFI?
- See discussion below
- Workplan Item: Assurance - next steps, rollout
- Some overlap with previous workplan item
- Revise Assured Access working group document https://spaces.at.internet2.edu/display/TI/TI.157.1 of May 2021 in light of RAF (REFEDS Assurance Framework) version 2 (to be released in 2023).
- Can leave this one as a placeholder
Comments from Ann West
- Welcome to all new CTAB members
- InCommon advisory group onboarding call is next week
- Several work plan items will require operational support
- Internally InCommon is working on Baseline Expectations compliance
- Would be helpful to get more detailed requirements
- Hope to get value back to community this year on these items
- Please prioritize items 2 and 3 in work plan
SIRTFI
- What should we do about entities not explicitly asserting SIRTFI adherence?
- See background in CTAB notes of Nov. 15, 2022
Steering decided to not remove from InCommon those who are missing BE only because they did not explicitly acknowledge compliance with SIRTFI.
More work is required to clarify what that entails, and what, if any, measures Federation Operator needs to put in place to ensure SIRTFI compliance
- As we look at tools for maintaining / updating metadata, including fresh contacts, etc., we can require organizations to self-assert compliance with SIRTFI
- This could be a compromise with the current lack of enforcement with SIRTFI requirement of baseline expectations
- Comment: this sounds like a good compromise
- SIRTFI Exercise Working Group
- Kyle: soon we need to get out a volunteer note for a new SIRTFI exercise Working Group
- Last time it was kicked off in December 2021; Albert will work with Kyle on this
Other Working Group Updates
- InCommon TAC (David Bantz): worked on report of 2022 achievements and draft 2023 work plan:
- Federation testing strategies
- Adoption of SAML Deployment Profile and Subject Identifiers
- Future of Federations and Digital Wallets (joint CACTI)
- “Middlethings”
- InCommon use of Anonymous, Pseudonymous and Personalized Entity Categories
- NIST 800-63 rev 4 (joint CTAB)
Next CTAB Meeting: Tuesday, Feb. 7, 2023