By David Bantz, University of Alaska and vice-chair of CTAB
In 2017, the InCommon Community Trust and Assurance Board (CTAB) began leading the InCommon community to develop and transition to Baseline Expectations for Trust in Federation. The Baseline Expectations define a set of common practices aimed to increase trust, make collaboration more predictable, and ensure that the InCommon Federation’s strategic value to research and education continues to grow.
In July 2019, we reported the conclusion of the transition to Baseline Expectations: the InCommon community had worked to meet the first set of Baseline Expectations with 100% adherence.
At the same time, CTAB announced a survey to solicit the community’s input on future Baseline Expectations components and requirements.
In particular, the CTAB is considering adding several additional expectations:
- Encrypt endpoint with TLS – enhance security by requiring current, supported TLS encryption on all entity endpoints.
- Support SIRTFI – adopt the international Security Incident Response Trust Framework.
- Require error URL – require an error URL for all Identity Providers to provide instructions to end-users when things don’t work as expected.
- Release R&S Attributes – require identity providers to release the Research & Scholarship category attributes to make it easier for researchers and scholars to collaborate.
- Support REFEDS MFA Profile – require the use of the international REFEDS multi-factor authentication profile when communicating MFA authentication requests and responses.
This post summarizes the results from the July 2019 survey. We received 87 responses to the survey. The respondents self-identified in the following categories:
- academic institutions 83%
- research organizations 29%
- commercial 12%
- government 3%
(The total is greater than 100 percent because each respondent could choose more than one category.)
Respondents were asked to indicate for each of the five potential new expectations whether it should be “prioritized” for next year (2020), or become baseline in 2021, or “other,” with a comment to elucidate. CTAB members read all of the comments. To provide an accurate representation of responses in the table below we tallied supportive comments and negative comments accompanying a choice of “other” into a linear scale with a possible range of -87 to +87.
These results show generally strong support for including each of the potential new baseline expectations, though with significant differences. Strongest support was for effective encryption of connections (TLS 1.2). Compliance with SIRTFI and including an error URL in metadata also received very strong support. More hesitations or concerns were expressed about the Research & Scholarship attribute bundle and about responding to requested REFEDS MFA authentication context.
A more detailed summary is given in the table below. The rightmost column is a proxy measure of the overall level of support for each of the five potential new components; it includes an evaluation of the comments provided by those who chose “other” rather than “Prioritize” or “2021”.
The columns in the above table indicate the following:
- “Prioritize” – This item is a high priority and should be included in the next iteration of Baseline, as soon as 2020.
- “In 2021” – This item is important but requires time to prepare; include in 2021.
- “Other: Positive” – The respondent has either already met the requirement or is already working on meeting the requirement.
- “Other: Concern” – The respondent has reservations; they may be concerns over the effort required to implement, confusion about the requirement’s intent, or questions regarding the necessity of the requirement.
- “Net Support” – Calculated net level of support for each element using the following formula: ((Prioritize + In 2021)/2 + Other:Positive – Other:Concern); possible range -87 to +87.
A number of respondents’ comments appear to reflect a more stringent or demanding interpretation of potential expectations than intended. For example, some respondents noted they could not provide multi-factor authentication (MFA) to all their users, but the intent of this expectation is not that MFA must be provided; rather, an Identity Provider should respond appropriately if and when MFA is required by a Service Provider. An identity provider might well provide MFA only for a select group of users, and respond appropriately with a signal of inability to match that context for others.
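The behaviour described above can be shown concretely. The following is an added illustration written for this post, not code from InCommon, CTAB or any Identity Provider product. It models an IdP that has MFA enrolled for only some users: when a Service Provider's SAML AuthnRequest asks for the REFEDS MFA profile, the IdP asserts that context for an MFA-capable user and, for everyone else, answers with the SAML `Responder`/`NoAuthnContext` status rather than quietly issuing an assertion with a weaker context. The user names, the SP entity ID and the AuthnRequest document are constructed for the example; the status URIs and the `https://refeds.org/profile/mfa` class reference are the real SAML 2.0 and REFEDS identifiers.

```python
"""Decide how a SAML IdP should answer a REFEDS MFA authentication request.

Added illustration, not InCommon/CTAB code. The IdP here offers MFA to a
subset of users (constructed set below); for the rest it signals that the
requested authentication context cannot be satisfied.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Real identifiers: the REFEDS MFA profile and the default SAML password context.
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Status codes defined by SAML 2.0 Core (top-level, then second-level).
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Constructed sample: hypothetical users who have an MFA factor enrolled.
MFA_CAPABLE_USERS = {"alice"}

# Constructed AuthnRequest from a hypothetical SP asking for REFEDS MFA.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request" Version="2.0" IssueInstant="2019-09-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed AuthnRequest with no context requirement at all.
SAMPLE_REQUEST_NO_CONTEXT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-plain" Version="2.0" IssueInstant="2019-09-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""


def requested_contexts(authn_request_xml):
    """Return (Comparison attribute, list of AuthnContextClassRef values)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def contexts_available_for(user):
    """Contexts this IdP can honestly assert for the given user."""
    available = {PASSWORD}
    if user in MFA_CAPABLE_USERS:
        available.add(REFEDS_MFA)
    return available


def decide_response(authn_request_xml, user):
    """Return a dict with the SAML status to send and the context to assert.

    Only the "exact" comparison is modelled (the one the REFEDS MFA profile
    expects); the first requested class the IdP can satisfy is chosen.
    """
    comparison, refs = requested_contexts(authn_request_xml)
    if not refs:
        # No requirement stated: a password login is acceptable.
        return {"top": STATUS_SUCCESS, "second": None, "context": PASSWORD}
    available = contexts_available_for(user)
    if comparison == "exact":
        for ref in refs:
            if ref in available:
                return {"top": STATUS_SUCCESS, "second": None, "context": ref}
    # Cannot meet the request for this user: say so, do not downgrade.
    return {"top": STATUS_RESPONDER, "second": STATUS_NO_AUTHN_CONTEXT, "context": None}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, decide_response(SAMPLE_REQUEST, user))
```

The point of the split between `contexts_available_for` and `decide_response` is that the IdP never claims a context it did not actually perform: the SP asked for `exact` matching, so a user without MFA gets an explicit `NoAuthnContext` signal that the SP can act on, which is the "appropriate response" the post refers to.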
During September CTAB will use these results and the detailed comments to describe more completely and precisely the potential new baseline expectations, then initiate the community consensus process, which entails full discussion of concerns, options, and scheduled implementation, to determine the scope of new baseline expectations.