CTAB call Tuesday, March 9, 2021

Attending

  • David Bantz, University of Alaska (chair) 
  • Pål Axelsson, SUNET  
  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • Tom Barton, University Chicago and Internet2, ex-officio 
  • Ercan Elibol, Florida Polytechnic University  
  • Richard Frovarp,  North Dakota State  
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Meshna Koren, Elsevier  
  • John Pfeifer, University of Maryland  
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio  
  • Chris Whalen, Research Data and Communication Technologies 
  • Jule Ziegler,  Leibniz Supercomputing Centre 
  • Robert Zybeck, Portland Community College  
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2
  • Albert Wu, Internet2  
  • Emily Eisbruch, Internet2 

Regrets

  • Brett Bieber, University of Nebraska (vice chair)
  • Jon Miner, University of Wisc - Madison
  • Andy Morgan, Oregon State University
  • Ann West, Internet2

Action Items

  • AI - TomB will take issue of a standard to tell the SP what they can report back to IDP when abuse is detected to SIRTFI working group and report back to CTAB

  • Intellectual Property reminder   

Discussion


Potential Gap in SIRTFI

  • Meshna noted that it would be helpful to have a standard around what SP's can/should report back to the IDP when they detect abuse,
  • when there is a security incident related to a credential
  • to help the IDP find and handle the situation around the compromised credential.
  • TomB: (chairs the REFEDs SIRTFI working group), yes this is likely a gap in SIRTFI.  
  • There is a handbook, not yet circulated, that will reference templates and other materials 
  • AI, Tom will take issue a standard to tell the SP what they can report back to IDP when abuse is detected to SIRTFI working group and report back to CTAB


Around the community

    • Trust and Identity Operations Update 
      • Johnny is readying a release for tomorrow, with bug fixes
      • Ruby upgrade for the Federation Manager
      • Outreach around Baseline Expectations v2 will start this week
      • Finalizing communications for BEv2
      • Will do biweekly communications (to site admins first)
      • Reports for baseline are in a google share drive
      • Have not announced BEv2 yet; therefore the data is flat  
      • ShannonR is working on automation of testing TLS 

    • InCommon TAC updates  
      • InCommon TAC is finishing 2021 workplan development
      • Forming a recommendation on what InCommon should do around the SAML deployment profile,
      • https://docs.kantarainitiative.org/fi/rec-saml2-Deployment-profile-for-fedinterop.html
      • Profile does not include pushing for subject ID adoption this year
      • For CTAB next year, it may be relevant to look at whether the elements in the SAML deployment profile  are useful for guidance around baseline
      • Work with Google and privacy initiatives, looking at same site cookies on steroids
        • Nicole Roy is participating, want to ensure we don't "break" SAML
        • This is a serious issue, if Google left alone could have bad consequences
      •  There is a new InCommon TAC working group spinning up to look at issues around testing environments
      • InCommon TAC is looking at the work of Seamless Access and also tracking CTAB’s work around assurance

    •  REFEDS Working Groups  (Assurance WG; Baseline Expectations WG; R&S 2.0 WG )
      • REFEDs Assurance WG   
        • There is a subgroup forming for topics related to MFA
        • Jule will give presentation at next R&S v2.0 working group call on the eduperson assurance attribute   

Assured Access Working Group Updates

  • Assured Access Working Group is making good progress
  • At last meeting, the working group
    • discussed local enterprise, laid out proposed structure of draft report
    • BE allows every InCommon participant operating in IDP to assert claim for wide swath of users
    • Brett shared draft of recommendations, will be filled in during coming weeks  
    • Albert will likely work on creating a decision tree


Updates on NIH happenings

  • Albert building a timeline around what’s happening at NIH around requirements
  • Things are still shifting to some extent; some segments of NIH are still developing timeframe for logon requirements
  • eRA is requiring MFA and R&S by Sept 15, 2021 by single sign-on or logon.gov
  • Pubmed blog announces transition to federated credentials for 2021
  • Albert creating a set of wiki pages
  • https://docs.google.com/document/d/1lealFqLesBToPi96BV_fjLBYu6hw6Hs0gl7skY2cVu4/edit  DO NOT SHARE IN PUBLIC NOTES
  • Hope to provide a timeline sharing what we know
  • InCommon office hours are scheduled for Wed. March 10 where we can being to answer questions the community may have
  • Ann West sent email to schools with eRA grants, received a few responses
    • There is potential confusion between what NIH announced as being required (MFA,  R&S and identity assurance) and recent communication about   requirements for eRA (MFA and R&S)
  • Cooperation between InCommon and NIH has been going well in working out the requirements and steps needed.


Framing BEv3  

  • We are sort of in a race; researcher / researcher community wants richer/safer/easier ways to interact, or they’ll seek alternatives 
    •  →we need to go fast
  • Bringing along orgs not focused on research takes time 
    • →we need to go slow
  • How do we balance?
  • Want to be sure that InCommon scales to make it possible for institutions to have the resources/access they need

  • Require Research and Scholarship Entity Category (R&S) in BEv3? 
  • There is value to including R&S in baseline expectations
  • But we need to be careful not to make it too high a burden to be in the InCommon federation
  • ChrisW: was very concerned about making the burden too high, when CTAB worked on BEv1
  • But the number of organizations that dropped out of InCommon was very small. They were organizations that were not using InCommon federation anyhow
  • BEv1 was relatively easy to comply with
  • Including R&S in BE can challenge organizations’ technology choices
  • There are other use cases besides research
  • Some organizations join InCommon for commercial use cases
  • Should we have baseline expectations plus, where requirements are set based on the nature of the collaboration?
  • Comment: We should be careful in partitioning the federation
  • When CTAB discusses R&S, common topics are:
    • technology challenges, and IDP as a Service as potential mitigation for that, and 
    • attribute release and privacy issues
  • Suggestion that CTAB do in depth look at potential mitigations, to address the issues that stall our discussions
  • Reminder: InCommon TAC is implementing some of the recommendations  of the IDP as a Service working group

  • MFA is another issue as CTAB considers BEv3
  • Agreed supporting MFA is good and necessary
  • We get stuck on how an SP and IDP communication around MFA
  • We want to use REFEDs MFA profile https://refeds.org/profile/mfa
  • How do we help schools that use products that don’t support the REFEDs MFA approach?
  • Azure or ADFS users may not be willing to add another layer of technology, they see more technology and more risk
  • There are sometimes bilateral relationships with institutions and researchers when an institution cannot assert MFA
  • But there are dangers to bilateral relationships
  • There are business choices, risk based choices
  • SP perspective: use case of Elsevier, students needing to reach articles,
    • MFA becomes a burden
  • Many SPs will not require all IDPs to support MFA
  • Signaling support of MFA or not makes most sense
  • Globus supports different levels
  • Ability to signal how you perform authentication is important
  • Ability to signal MFA may be part of certain profiles

  • Summary:
    • Makes sense to create a subgroup or working group to lay out the considerations  
    • Create a map to understand what is fundamental and what is specific to certain cohort
    • Start a working group to put move this discussion ahead, frame the questions
    • Hope Rachana might take the lead
    • Discuss at next CTAB call


 Next CTAB call: Tuesday, March 23, 2019 [Summer or Daylight Time will have begun in U.S.]

 

 

 

  • No labels