2022-April-19 CTAB Public Minutes

CTAB Call Tuesday April 19, 2022

Attending

• David Bantz, University of Alaska (chair)  
  
• Jon Miner, University of Wisc - Madison (co-chair)
  
• Pål Axelsson, SUNET 
  
• Sarah Borland, University of Nebraska
  
• Richard Frovarp,  North Dakota State 
  
• Eric Goodman, UCOP - InCommon TAC Representative to CTAB  
  
• Andy Morgan, Oregon State University  
  
• Rick Wagner, UCSD 
  
• Jule Ziegler,  Leibniz Supercomputing Centre 
  
• Robert Zybeck, Portland Community College 
  
• Tom Barton, Internet2, ex-officio here 
  
• Johnny Lasker, Internet2  
  
• Kevin Morooney, Internet2  
  
• Ann West, Internet2  
  
• Albert Wu, Internet2 
  
• Emily Eisbruch, Internet2  
  

Regrets

• Ercan Elibol, Florida Polytech Institute
  
• Meshna Koren, Elsevier
  
• Dave Robinson, Grinnell College in Iowa, InCommon Steering Rep, ex-officio
  
• Chris Whalen, Research Data and Communication Technologies 
  

Discussion

• Intellectual Property reminder
  

 Working Group Updates

• • REFEDS Assurance  - no updates
    
  • REFEDs MFA Sub Group
    
    • Editing the proposed draft/ revision to the REFEDs MFA profile
      
    • Hope to have draft for wider group to discuss in next weeks
      
    • Discussion on balance between keeping the profile flexible and usable 
      
    • Want to be clear enough so implementers can make decisions that lead to basis for comparison
      
    • Given strong authentication needs evolving, how to prepare
      
    • Is certificate authentication strong enough?
      
    • What about MFA and Web Authn?
      
    • Single or multi factor for authentication for Web Authn?
      
    • What will be curation evolution process
      
    • MFA profile is de facto a proxy for quality/strength of authentication
      
    • What about, perhaps, an approach that is “strong” but not literally Multi-factor ?

• SIRTFI Exercise Working Group
  
• Several exercise scenarios were presented
  
• Working Group decided to replicate the Authentication and Authorisation for Research and Collaboration (AARC) exercises approach https://aarc-community.org/about/
  

• InCommon TAC Updates
  
  • Focus on work plan items
    
  • One topic is 3rd party certifiers
    
  • What kind of mechanisms should be in place?
    
  • Related to Trustmarks and tags
  • Concept of how federation model works
    
  • Term: pixie dusting
    
  • 3rd party interacts and can assert claim for an entity, instead of federation operator
    
  • Example is R&S
    
    • Federation operator is not as deeply engaged in the research community
      
    • So another authority might be able to vouch for a particular Service Provider
      
  • Comes up in regional networking or system wide scenarios; also comes up in seamless access community, for discovery listing
    
    
• NIH
  
  • There will be a leadership exchange in May 2022, Mike Tartakovsky and Chris Whalen will be speaking, will summarize for the CIOs where we stand, and reinforce the ask
    
    

CTAB Work Plan 

• • Five items are now on the CTAB work plan, other items have been moved to another document
    
  • CTAB members, please to sign up for work plan items that interest you

CTAB TLS / Endpoint Encryption Proposal

• Several steps are outlined in the draft proposal, including outreach and eventually moving to dispute process
  
• Suggestion for eventually having a public record if an entity is not meeting the encryption standard
  
• We would prefer listing entities with current action items pending and do not want to post a list of entities with any security vulnerabilities
  
• There is a recommendation for InCommon operations to check as many elements are possible.
  • Albert notes that this is in the works.
  • InCommon Operations hopes to periodically check all the elements that baseline expectations requires.  
    
    
• Scaling and Workload concerns
  • Currently over 1000 entities are not scoring A in SSL Labs scan
    
  • This is not a one time issue, scores can shift, so think of this as an operational item
    
  • Are we willing to remove from the InCommon Federation an entity that does not get an A score?
    
  • If we create exceptions / loopholes, it gets complex
    
  • Dispute items would come to CTAB
    
  • Eventually some will escalate to InCommon Steering
    
  • See  the community dispute resolution process https://www.incommon.org/federation/dispute-resolution/
    
  • Concerned about the consequence of  triggering community dispute resolution
    
  • Question of scale, if there are more than a handful each month, will require much effort and time. Load/strain on CTAB resources is a concern
    
• Suggestion that we consider this an awareness raising campaign
• Education and advocacy are important
  
• CTAB may want to engage the community on this at some point.
  
  

Next CTAB call:  Tuesday, May 2, 2022