CTAB Wed., Aug 14, 2019
Attending
- Mary Catherine Martinez, InnoSoft (chair)
- David Bantz, University of Alaska (vice chair)
- Brett Bieber, University of Nebraska
- Rachana Ananthakrishnan, Globus, University of Chicago
- Brad Christ, Eastern Washington University
- Eric Goodman, UCOP - TAC Representative to CTAB
- Adam Lewenberg, Stanford
- Jon Miner, University of Wisc - Madison
- John Pfeifer, University of Maryland
- Emily Eisbruch, Internet2
Regrets
- Chris Whalen, Research Data and Communication Technologies
- Chris Hable, University of Michigan
- John Hover, Brookhaven National Lab
- Tom Barton, University of Chicago and Internet2
- Ann West, Internet2
- Albert Wu, Internet2
Action Items
- [AI] (MC and David) produce first draft of blog about BE V2 survey results by next CTAB call Aug 28
- [AI] Emily reach out to Dean about upcoming blog on BE V2 Survey results and deadline for inclusion in an InCommon newsletter (done, deadline is Aug. 23, 2019)
Discussion
- Baseline Expectations v2 survey response
- Received 86 responses
- How do we publish results to the community?
- Decision: publish a blog summarizing the results
- [AI] (MC and David) produce first draft of blog about BE V2 survey results by next CTAB call Aug 28
- Drafting Baseline v2 document and submit for community consensus
- Do we have a request for other BE elements?
- When do we produce the draft for community consensus? - goal is end of Sept
- More about community consensus here: https://www.incommon.org/federation/community-consensus/
- Proposed Schedule:
- Blog - end of Aug
- Draft of actual BE v2 doc- end of Sept
- Community consensus - starts by Oct.
- BE v2 community consensus process:
- Idea: smaller group(s) to write clear positions on what each of the elements means - what it is, what it means to implementers, what it means to users, the impact that implementation technology evolution has on how we phrase Baseline statements, etc.
- Will need volunteers/conscripts to convene discussion; set deadline
- likely for subgroup and/or 8/30 discussion
- There is a need to clarify what CTAB is really recommending in Baseline relative to “REFEDS MFA”
- What does support REFEDS MFA Profile mean for each party in Federation? https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ
- Could follow up on the results from the survey.
- https://spaces.at.internet2.edu/display/InCFederation/Research+and+Scholarship+Category
- In order to be in compliance with R&S, the institution does not need to release R&S for everyone on campus, just for some subset.
- There are FERPA and GDPR concerns about R&S at some campuses, on the part of registrars and some others
- There are many Department of Education documents on FERPA and what is really required.
- If R&S is included in BE 2.0, how do we handle institutions that cannot comply due to policy?
- There are a few campuses where a registrar or privacy officer refuses to release R&S across the board.
- Within BE v1, there is a line for Service Providers about not misusing the attributes.
- https://www.incommon.org/federation/baseline-expectations-for-trust-in-federation/
- REFEDS MFA
- Requiring MFA as part of baseline does not mean you must implement MFA. But if you do, here is the type of response required, and define that exactly.
- We should also explain the “failure case”: if you don’t have MFA, what should the response be?
- The idea is NOT to fail with an opaque or unexplained error
- The IdP must be configured a certain way to handle the REFEDS MFA error case gracefully
- EricG has been working on this issue at UCOP, for Shib IdPs; no cookbook for that yet
- Discuss this more on next CTAB call
- Should we include foreshadowing of BE v3, perhaps in the blog?
- R&S attributes being released by default as part of BE - likely for subgroup and/or 8/30 discussion
- Helpful to get to the bottom of the concerns about R&S, loss of control is one concern.
- The question gets asked “what is legal recourse?” In fact there is no legal recourse, but the risk is small.
- Find out what could be added to SIRTFI to make the next step successful
- An argument for including R&S in baseline v2 could be to motivate a more meaningful discussion
- SPs are in favor of R&S, and this was heard in the work of the Attributes for Collaboration and Federation WG. http://doi.org/10.26869/TI.101.1
- R&S, or other attribute release, includes the value of the InCommon Federation.
- Currently there is a need for a lot of one-off attribute release to individual Service Providers
- With the rise of WebAuthn and FIDO, credentials will become less of a big deal
- In that environment, the value of IdPs could decrease
- Without R&S, there will be workarounds, not involving InCommon, including social media and other less secure approaches
- The role of consent is important in the discussion also
- Update on SIRTFI/CTAB taskforce on issues of metadata freshness/accuracy: a meeting has been scheduled
- Proposal was: SIRTFI and CTAB work together on exploring these issues of accurate, fresh metadata, for SIRTFI and then take the learnings to other federations to make this a global issue.
- Volunteers are David Bantz, ChrisW, Albert, ScottK and TomB
- Albert will convene the group
Next CTAB call: Aug. 28, 2019