CTAB call Tuesday, June 1,  2021

Attending

  • David Bantz, University of Alaska (chair)  
  • Brett Bieber, University of Nebraska (vice chair) 
  • Pål Axelsson, SUNET   
  • Eric Goodman, UCOP - InCommon TAC Representative to CTAB 
  • Meshna Koren, Elsevier   
  • Jon Miner, University of Wisc - Madison  
  • Andy Morgan, Oregon State University  
  • John Pfeifer, University of Maryland  
  • Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio 
  • Jule Ziegler,  Leibniz Supercomputing Centre  
  • Robert Zybeck, Portland Community College  
  • Ann West, Internet2    
  • Emily Eisbruch, Internet2  
  • Chris Whalen, Research Data and Communication Technologies 
  • Johnny Lasker, Internet2  
  • Kevin Morooney, Internet2 
  • Rachana Ananthakrishnan, Globus, University of Chicago  
  • Tom Barton, University Chicago and Internet2, ex-officio    

Regrets

  • Ercan Elibol, Florida Polytechnic University 
  • Richard Frovarp,  North Dakota State 
  • Albert Wu, Internet2  


New Actions Item from this call

  • AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
  • AI David - iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary

Discussion

Working group updates

  • Assured Access  Working Group 
  • Proposed improvements to the draft:
    • add mention of bronze and silver profiles
    •  include the eduPersonAssurance attribute, conforming to REFEDs baseline
    • Getting towards cappuccino profile or espresso profile, etc.
    • Aspects beyond identity assurance
    • To assert those levels, must assert the base prefix for REFEDs assurance
    • Brett will incorporate that
  • Will help to have CTAB think through how to solicit for more input as we get closer to consultation close date
  • Ann: Had call w NIH around organization support of REFEDs Assurance Framework (RAF), identity proofing qualifiers, working to get NIH ready  
  • NIH will put up a website this week hopefully, with links to InCommon and REFEDs
  • Suggestion to add to the Assured Access WG draft another assertion to add inside the multi valued attribute being released.
  • It’s mechanics for members of InCommon, they should be supporting that through Baseline Expectations
  • TomB:  topics for the Assured Access WG:
    • as campuses start implementing, people will need a place to go for questions that arise, need to specify where to get questions answered
    • There are processes that undergird identity proofing profiles based on relationships
    • NIST dropped this approach from version 2 to version 3
    • But relevant in academia 
  •  Brett AIs
    •  Incorporate feedback into the draft doc
    • Draft info on how bronze and silver align
    • Schedule meeting of Assured Access Working Group to review feedback from consultation 
  • NIH update (compliance tool data)
    • Meetings are biweekly with NIH 
    • Info on the results of using a compliance check tool
    • NIH IDM people updated the compliance check tool to be useful for IDP operators
    • It was originally for researchers 
    • Goes into the details around meeting the NIH requirements
    • Data will be sent to us on results of using the compliance tool 
      • Will use this data for a progress chart
      • To show how the community is responding to the NIH requirements
    • New NIH webpage will be helpful
    • Privacy policy for NIH is being worked on, this was an issue for some of the UK institutions, some resistance to being sent to PubMed, and concern about how R&S would be handled
    • Pubmed moving to solely federated access
    • Requires R&S attributes, (not sure if R&S is truly needed, being looked at)
    • Timetable is still taking shape
    • Will update the wiki page when dates are available https://spaces.at.internet2.edu/display/federation/get-nih-ready

Email message revision re BE v2 compliance
https://docs.google.com/document/d/1IkktKTB2vWo47cnnW1zaVyW3K-UZX6oGfoXui1DheAU/edit   (do not include in public notes)

    • Email to those orgs not in compliance w BEv2
    • Execs will get same message as Site Admins
    • Suggestion to add to the note that the link in the email will work for Site Admins, but not Execs in most cases (unless they are also a site admin)
    • Must go to Federation Manager to see the details
    • Did we resolve the concern that the Big Ten Academic Alliance IAM  group had about contacting the SPs directly?
      • Big Ten thought the IDP operators often don’t have sufficient influence over the SPs, that InCommon may have more influence
      • From IDP side, trying to influence SPs is  fighting uphill
      • Currently pulls IDP and SP info
      • Some confusion around messaging
      • Is the suggestion to have a special SP outreach?
      • Technical contact for the SP and delegated admin are different
      • Delegated admin has some access to federated manager, 
      • Can be delegated for certain SPs to make changes for publication
      • The Site Admin must approve the changes
      • We want delegated admins to move their part of the needle and we need to message this
    • AI Johnny - look into outreach to delegated admins around BEv2, and if we need a different list for that
    • Suggestion to communicate directly to each security contact, but clarify that they must  contact site admin if needed 
    • Johnny has meeting today w EDUCAUSE, hopes to get more feedback from them
    • Suggestion for targeted message just for those missing SIFTFI
  •  add security contacts from metadata? 


  • How do we communicate to participants the consequence of
    “not scoring ‘A’ on SSLLabs’ test”? 
    • Current messaging may not be clear enough
    • Don’t want to imply it is needed to get an A to be in InCommon
    • EricG: people want specifics, on questions like: can I claim SIRTFI? Do I need to have an A or B on SSL labs testing? 
    • TomB: we want to know the schedule for an org to meet the BEv2 requirements
    • The issue around whether grade of A on SSL labs testing is required or not is confusing
    • Cycle times, CTAB  says: give yourself six months to fix this issue, if that’s not enough, let’s talk.
    • Should we have a formal “extension” request for organizations that cannot meet July 2021 target for BEv2?
    • Suggestion to add this info to the email message to InCommon site admins and execs, and/or add this to another message in about 2 weeks
    • We don’t want organizations to start thinking they must “drop out” of InCommon federation based on SSL Labs score
    • Johnny: Plan is for “teeth” to be added for BEv2 on July 19. 
    • We will pause changes to metadata for some issues, but NOT for the SSL grade.
    • Currently the email says,  “ For assistance, please contact us at help@incommon.org.”
    • This is too terse
  • AI David - will iterate on the wording in the proposed email outreach to site admins and execs, to be sure the message is welcoming and not scary


  • WebID: The End State 
    • https://github.com/WICG/WebID
    • Concern this effort will break conversation between IDP and SP
    • They intend to unpack/unbundle  the attributes the IDP is sending 
    • Challenge is,  browser vendor  can’t be sure if someone is sending info to track authentication or to track the user
    • Want to limit tracking, but still need to allow other things to happen
    • Just disallowing the technologies will break more than authentication
    • EricG has participated in some of the discussions
    • InCommon TAC is involved in these conversations
    • This is a multi year effort, related to SameSite effort
    • No one knows what the end state will look like
    • Comment: Microsoft has some info online, don’t see enough people from R&E included in the conversation.
    • We should be sure our R&E use case is represented
    • Heather F is involved with Google on this and she is communicating w InCommon TAC about it
    • Browsers as another important player in the trust fabric?
    • Suggestion for a federation friendly browser


Next CTAB Call : Tuesday, June 15, 2021

  • No labels