What are the IAP and IAAF documents?
The Identity Assurance Assessment Framework (IAAF) provides the background on the Program and defines the identity assurance trust model, including a functional model for Identity Provider Operators, and a certification model. The Identity Assurance Profiles (IAP) describe sets of Identity Provider Operator requirements (currently Bronze and Silver) for registering individuals, issuing credentials, and managing related identity management information.
Why is InCommon revising its Assurance documents?
There are two reasons.
Simplifying Bronze for Rapid Deployment - US government Identity, Credential and Access Management (ICAM) program that reviews and approves trust frameworks for use with federal services is interested in promoting Bronze certification as a baseline for IdPs to authenticate to US government web sites.This means that Identity Providers federating with NIH or NSF should be making concrete plans to support Bronze in the next 6 to 9 months.
To that end, FICAM asked us to review the Bronze profile and consider where we could reduce our requirements and still adhere to their specification. The changes in v1.2 primarily address this need for rapid ubiquitous deployment, and we are interested in hearing your thoughts about: 1) the specific changes, and 2) whether the new Bronze will enable you to implement this profile more quickly and what that timeframe would be. Most notably, Identity Provider Operators now have an option to sign a Representation of Conformance in lieu of doing a specific Bronze audit.
Clarifying Audit Reporting - InCommon has updated section 4.2 of the IAAF to reflect specific guidance on the type of audit report to submit with your application for Silver certification. This new language clarifies requirements. The revised Introduction includes a process for adopting new versions of the Assurance specification documents.
What is different in the new version?
We have published a review guide that summarizes the differences.
How can I comment?
You can send your comments to the open firstname.lastname@example.org list. Please include a document line number prefacing each comment.
If you are not subscribed to the list, the list policy enables those on the list to receive your comments. If you'd like to subscribe to the list, send email to email@example.com with subscribe assurance in the subject.
Where can I see comments that have already been submitted?
You can read the archives of the Assurance List.
The New Bronze
WIth the new Bronze, can I just add a Bronze audit to the one we're doing for Silver and not sign the representation of conformance?
Absolutely. You have a choice to provide us with either your audit summary for Bronze/Silver, as in the past, or the representation of conformance. Both require you to sign the Assurance Legal Addendum, however.
Are there any Service Providers requiring Bronze?
Not yet. The US government ICAM project and Steven VanRoekel, Federal CIO are both interested in moving current government services operating in the federation to supporting approved profiles such as Bronze. We are working with the agencies and ICAM to determine the timing for this.
The Current Silver
Did you make any changes to Silver?
Yes. There is a minor change with the addition of 18.104.22.168 (S) (B) IDPO Risk Management. See the published review guide for details.
Assurance and the US government
Has the US government ICAM program certified InCommon as a Trust Framework Provider at NIST Level 1 and 2?
Yes. ICAM has approved our 1.0 profiles and reviewed the changes to Bronze v1.2 as part of the simplfying Bronze revisions. Once the 1.2 versions of the IAAF and IAP are out of community review, InCommon will revise and submit these documents for ICAM review.
What happens if ICAM wants InCommon to make changes to the IAAF and IAP? How does that affect my campus if we're certified in the program?
The Assurance specification documentations will change from time to time due to new higher education and service partner requirements. InCommon will work with certified IdP Operators to identify a roadmap and timeframe (at least six months) for compliance to the new version.