CTAB Wed April 24, 2019
Attending
- Mary Catherine Martinez, InnoSoft (chair)
- Brett Bieber, University of Nebraska
- David Bantz, University of Alaska
- Tom Barton, University Chicago and Internet2
- Brad Christ, Eastern Washington University
- Eric Goodman, UCOP - TAC Representative to CTAB
- Jon Miner, University of Wisc - Madison
- John Pfeifer, University of Maryland
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
Regrets
- Rachana Ananthakrishnan, Globus, University of Chicago
- Chris Hable, University of Michigan
- John Hover, Brookhaven National Lab
- Adam Lewenberg, Stanford
- Chris Whalen, Research Data and Communication Technologies
- Ann West, Internet2
Action Items from this call
[AI] CTAB members chime in on the draft BE Adherence Guide, especially
a. whether these are the statements we want to bring to consensus and
b. whether wording (degree of required-ness) is appropriate
DISCUSSION
Should CTAB receive standing updates from related committees and working groups?
- It was noted that InCommon TAC devotes a large portion of each call to updates from other groups
- Decision: CTAB should hear reports on TAC and other groups as needed
- When appropriate, updates from TAC (to be provided by Eric Goodman or David Bantz) can be inserted into the CTAB agenda during the agenda bash
Baseline Expectations Closing Update
- The communications sent to the community in mid-April inspired movement on the part of several organizations who were on the list of “intent to be removed”
- See latest status: https://spaces.at.internet2.edu/x/ZAJ0C
- There are only a few organizations still on the “intent to be removed” list
- It was decided to provide a deadline when an organization tells us they are working on making the updates to meet BE
- Two weeks from the conversation with InCommon ops should be the standard deadline.
- Albert will update the dockets with deadlines as they are communicated to the participants
2019 Baseline Expectation Roadmap
- Albert has worked on proposed updates to the foundational baseline expectation doc, http://doi.org/10.26869/TI.34.1
- compliance with SIRTFI has been added in the proposed draft
- There is a second document, the BE Adherence Guide, which has more detail
- It was decided the next version of the foundational BE doc should be version 2 (not version 1.1)
SIRTFI and next version of Baseline Expectations
- Question: Do we want SIRTFI to be a requirement for BE, or a sufficient means of meeting the security baseline expectations?
- One concern is that SIRTFI is about incident response, not about security as a whole
- Also do we need to put a version number for SIRTFI?
- Brett suggests we state SIRTFI can be a means of meeting the security requirement
- This fits with the idea of clarification of the baseline expectation around security
- SIRTFI’s Traffic Light Protocol can be an issue; SIRTFI requires use of the Traffic Light Protocol to communicate with other participants.
- Could we break SIRTFI into components?
- TomB: SIRTFI’s intro provides some flexibility into how strictly each section must be adopted.
- much of SIRTFI compliance is not observable from outside the organization
- Last resort can be community dispute resolution process if some entity objects to the level of a federated partner’s adherence
- Acceptable use policy is part of SIRTFI.
- Some institutions can’t provide an acceptable use policy exactly; they may be part of a university system that has a slightly different policy.
- (There can be union negotiation implications to acceptable use policy.)
- For matters that are externally provable, Baseline Expectations is proving them.
- But for matters that are internal, does CTAB want to know the details of the institution’s tradeoff? Or just want the yes/no flag?
- Could create entity category around a requirement, but not require it as part of BE
- SIRTFI will evolve; is it currently a good enough common standard that it will not cause shock if Baseline Expectations suggests it?
- How many orgs might leave if SIRTFI becomes part of BE? https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf
- It was noted that any proposed change to BE would go out for community consultation, providing a chance for community reaction and feedback
- Suggestion to add mention of SIRTFI in the draft BE Adherence Guide
- TomB suggests including SIRTFI in the BE statements, to encourage discussion
- Suggestion to require SIRTFI for federation manager access
- Suggestion for annual community tabletop discussion
- Community BE Tabletop could be a good TechEx Topic
- We may want to keep track of concerns on proposals around next phase of BE
- Next steps are for CTAB to keep working on the draft BE updates doc and the BE adherence guide doc
[AI] CTAB members chime in on the draft BE Adherence Guide, especially
a. whether these are the statements we want to bring to consensus and
b. whether wording (degree of required-ness) is appropriate
Agenda items not discussed on this call
- Connection and link to BE foundation doc and PA
- Research orgs frustrations - how do they feed BE2019
- Discussions within TAC, Net+ regarding IdPs
- “Jack Suess” Badging thread; see above (David/MC/Albert)
- Does CTAB wish to chime in?
- How do we bring next set of BE requirements to the community? (question for Tom)
- Do we position this as an addendum to current BE?
- Do we start a new round of community consensus?
- What is the timing for communication/engagement?
- Question for the group - future CTAB work / agenda ideas (MC)
Next CTAB Call: Wed, May 8, 2019