InCommon Steering Committee Meeting Minutes - February 5, 2018
Minutes
Attending: Sean Reynolds, Michael Gettes, Ted Hanss, Ann West, Laura Paglione, Mike Erickson, Klara Jelinkova, Dee Childs, Dave Vernon, Marty Ringle
With: Brett Bieber, Kevin Morooney, Mark Scheible, Von Welch
Minutes from Jan. 26 are approved (via the wiki)
Community Trust and Assurance Board (CTAB)
Brett Bieber presented the nominees to CTAB to begin their terms in January 2018
Chris Hable, University of Michigan
Mary Catherine Martinez, InoSoft Fusion
Jon Miner, University of Wisconsin-Madison
David Bantz, University of Alaska
CTAB Membership Approved
Moved by Melissa, seconded by Marty to approve this slate of candidates to join the CTAB. Unanimously approved.
Brett mentioned that the next Baseline Expectations webinar (Feb. 21) will provide the current status of participants meeting the automatically verifiable Baseline Expectations (derived by basic checks of the metadata).
Overall - 7% meet BE
Have logo - 18.8%
Privacy policy - 20.4%
Admin contact - 42.1%
Tech contact - 90.8%
Security contact - 6.2%
InCommon has sent notes to the execs and admins that this is coming and has held several webinars. During February, execs and admins will begin receiving metadata health checks, letting them know about the status of all of their IdPs and SPs. These health checks will be sent periodically.
Melissa mentioned that central IT may not have control of all of the SPs in their organizations. Brett said the CTAB will be working on providing some assistance in terms of finding or developing privacy policies, logos, and other parts of the expectations.
There was conversation about the privacy policy and whether that implies any responsibility for notification of security breaches. Ann said that is not the case, that the privacy policy URL requirement is just to expose an existing policy to the user.
Sean asked if Steering could receive a monthly report on the progress of entities meeting Baseline. The plan is to develop a dashboard to show this information, but also to maintain the longitudinal data.
Participation Agreement (PA) and Federation Operating Policies and Practices (FOPP)
Both the PA (the legal agreement) and FOPP will require changes to accommodate Baseline Expectations. We are moving toward requirements, which is new. Once the new PA is approved (which is done by Steering), it is published and the changes go into effect after 90 days.
The PA and FOPP drafts provided for this meeting are not yet final. The final versions will be reviewed and approved by CTAB prior to Steering’s action. The goal is to ask Steering to vote on the final versions at the March 5 meeting.
The FOPP is the root of all that InCommon does as a federation operator. The draft also includes some housekeeping changes. Some of the relevant changes are:
Section 3 now includes the Baseline Expectations document and the Community Dispute Resolution Process documents in the list of policy documents
The POP references are removed and replaced by BE
The dispute resolution process is changing. All disputes will go first to operations. If the issue relates to InCommon operations and remains unresolved, the issue goes to Steering. If it relates to a community-to-community issue, it goes to CTAB.
Section 10.3.3 refers to suspension for failure to meet Baseline.
Question: Have there been conflicts in the past that have not had a path for resolution? Answer: InCommon operations has not been a compliance body, so some disputes are unresolved. We know, for example, there are Research & Scholarship IdPs that don’t adhere to the specification and we anticipate receiving a list of such IdPs from research service providers. InCommon staff will ensure that the organizations have tried to communicate to one-another. If that does not resolve the situation, the issues goes to CTAB and a document will be published stating that the entity does not meet Baseline. Eventually unresolved situations will end up with Steering.
Question: Are the roles in metadata clearly defined (admin contacts, technical contacts)? Answer: the InCommon website has defined the roles. We will also use the webinars and communications to clarify that for participants.
Question: Section 1.1 on Assurance - might that section disappear or change? Answer: that will eventually change in the FOPP. Once we’ve gone through the due diligence of reviewing the Assurance program to determine whether we continue with that. With the FOPP, all we need to do is publish the new document (no 90-day review).
The PA should be derived from the FOPP, so the changes in the PA should follow the FOPP changes.
(AI) Dean will attach the Baseline Expectations dispute resolution process flowchart to the Steering wiki.