By David St. Pierre Bantz, University of Alaska, InCommon Community Trust & Assurance Board
InCommon’s Baseline Expectations enhance your productivity and effectiveness by increasing trust and interoperability among InCommon federation participants. When you can trust that participants have accurate and complete metadata describing their service or identity provider, that they follow good security practices, and that they have adopted well-defined conventions and common practices, trusted interoperability approaches “hands-off” automated convenience.
The specific expectations detailed in Baseline Expectations arise from concerns and needs among InCommon participants; they become requirements only after an open consultation process yields consensus. The Community Trust and Advisory Board (CTAB) is currently facilitating the second round of Baseline Expectations (BE2), working with operators and institutions to reach the community consensus goals of BE2. Here is a brief update.
The first round of Baseline Expectations required updating or adding current contact information and user-interface elements to metadata. The current, second, round of Baseline Expectations (BE2) focuses on generally accepted security practices, requiring participants
- to formally assert compliance with a defined security incident response framework, https://refeds.org/sirtfi,
- requires Identity Providers include an error URL to which Service Providers can direct users if that user is denied access, and (3) requires all end points (URLs) in metadata to use current secure encryption (TLS).
CTAB determined a relatively simple benchmark for secure unbroken TLS: an SSLLabs test suite result of “A” or better meets the requirement; a lower grade indicates the need to mitigate risk. CTAB has described a variety of methods to mitigate these risks that address some participants’ need to (at least temporarily or in restricted cases) use TLS that does not meet that simple benchmark.
Participants’ progress meeting these expectations is tracked in the Baseline Expectations 2 wiki. From a starting point, when BE2 was announced in February 2021, of approximately 10% of entities meeting BE2, as of mid-August a substantial majority meet BE 2. This is a slightly faster pace than compliance with the first round of Baseline Expectations. Internet2 staff and CTAB are actively working with participants to address any issues and concerns raised by participants, and CTAB hosts a monthly open-office hour to address any questions or concerns.
Participants’ questions and feedback thus far have been requests for clarification and clarification, not objections to BE2 or requests for exemption. Reviewing our progress so far and the queries received, CTAB anticipates substantially full compliance with BE2 by mid-December 2021; CTAB will work individually with any remaining non-compliant entities to reach full compliance in 2022 Q1.
While Baseline Expectations drive a positive feedback loop, increasing the value of InCommon as we add capabilities, new research and education needs and opportunities continuously emerge. If we do not adapt and add needed capabilities to address those needs, some participants may decide they need to operate with alternative “one-off” integrations or in eco-systems not derived from and based on the fundamental needs of research and education.
Those are potential centrifugal forces that could lead to a weaker and/or smaller federation less able to address the evolving needs of research and education. We can discern some “next” needs now that have not yet, but may soon be, components of a BE 3: systematic signaling and use of multi-factor authentication, identity assurance, and entity categories that entail known levels of privacy and release of a defined set of attributes. As the Red Queen admonished Alice: “My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”