Baseline Expectations for Trust in Federation

February 2018

Document Repository Info
Repository ID: TI.34.2
DOI: 10.26869/TI.34.2
Persistent URL: http://doi.org/10.26869/TI.34.2
Authors: Tom Barton and members of the InCommon AAC
Sponsor: InCommon Assurance Advisory Committee (AAC)
Superseded documents: TI.34.1
Proposed future review date: December 2018
Subject tags: InCommon, federation, assurance, trust, framework

© 2018 Internet2. This work is licensed under a Creative Commons Attribution 4.0 International License.

Table of Contents

Introduction
Baseline Expectations
    Baseline Expectations of Identity Providers
    Baseline Expectations of Service Providers
    Baseline Expectations of Federation Operators
Community Consensus Process

Introduction

As the strategic value of Research and Education Trust Federations ever increases, from time to time it is important to reflect on, then assess and distill what forms the basis for sufficient trust by all participants. On that foundation we can understand gaps and agree to changes that may need to be implemented by various Federation actors in order to sustain that trust.

What trust do we need to have in Federation? When we rely on Federation, we are partnering with other organizations to do something for us that we would otherwise do for ourselves or forgo altogether. And mostly the latter: Federation makes possible the integration of resources, services, and users across the globe into the myriad ways that the R&E mission is undertaken.

Below are three short lists of expectations expressed at a high level, one for each of three types of Federation actor: an Identity Provider, a Service Provider, and a Federation Operator. Different specific situations may have higher or lower risk and hence greater or lesser expectations, but the following are expectations that should be true of all, or almost all, transactions with Federation partners. They express the baseline for trust in federation.

This formulation of the baseline expectations is the result of a year-long iterative process of assessment and feedback, shepherded by InCommon’s Assurance Advisory Committee. (Note that in 2018, the InCommon Assurance Advisory Committee became the Community Trust and Assurance Board - CTAB). Early steps produced a strawman that formed the basis for gap analysis with the views of subsequent audiences whose feedback was rolled into further updates to the strawman. The culminating step in the process took the form of an open “consultation,” in which federation-involved people around the world were invited to give their feedback to the last strawman. That step produced some refinement to language but no substantive change to the baseline. So there is reason for confidence that this formulation is a reasonable expression of where the community believes that baseline to lie, at this time.

In these statements the terms “Identity Provider,” “IdP,” “Service Provider,” and “SP” refer to the operational entities that act in the federation and not to the organizations that operate them.

Baseline Expectations

Baseline Expectations of Identity Providers

1. The IdP is operated with organizational-level authority
2. The IdP is trusted enough to be used to access the organization’s own systems
3. Generally-accepted security practices are applied to the IdP
4. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL

Baseline Expectations of Service Providers

1. Controls are in place to reasonably secure information and maintain user privacy
2. Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose
3. Generally-accepted security practices are applied to the SP
4. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL
5. Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly

Baseline Expectations of Federation Operators

1. Focus on trustworthiness of their Federation as a primary objective and be transparent about such efforts
2. Generally-accepted security practices are applied to the Federation’s operational systems
3. Good practices are followed to ensure accuracy and authenticity of metadata to enable secure and trustworthy federated transactions
4. Frameworks that improve trustworthy use of Federation, such as entity categories, are implemented and adoption by Members is promoted
5. Work with relevant Federation Operators to promote realization of baseline expectations

It is equally important to consider how these baseline expectations are to be operationalized: why, and how, should anyone believe that these expectations are met in almost all federated transactions? Is it important to know, fairly promptly, when any of those expectations no longer hold, or is it enough to know that the process by which partners become active in Federation ensures that those expectations are valid? What keeps them on track? This is addressed in companion documents to be referenced here upon their acceptance by the InCommon Federation.

See the Community Dispute Resolution Process for information about that process. The process below defines how the Participant community can establish their consensus on how Baseline Expectations should be observed in specific operational circumstances, e.g., whether security practice XYZ meets the expectation that “Generally-accepted security practices are applied” to an IdP or SP.

Community Consensus Process

Community Consensus Process for Interpreting Baseline Expectations and Acceptable Operations

Baseline Expectations contain requirements that are expressed at a high level and may need interpretation to determine how they apply to specific operational circumstances. This section describes how the community develops guidance for how to interpret these statements.

1. A question about how Baseline Expectations applies to a given operational circumstance is raised in a manner to be defined by the Community Trust and Assurance Board (CTAB).
2. CTAB members facilitate discussion as needed to reflect points of agreement and disagreement. They may also:
    a. Invite other parties to the discussion (such as Executive Contacts, CIOs, or other subject matter experts that may help the discussion to reach consensus), and
    b. Generally try to move the discussion towards consensus.
3. As a result of the discussion, the CTAB may:
    a. Provide provisional interpretative guidance for the community on a related web page and conduct a Consultation Process to finalize the provisional guidance. The result is published in the Trust and Identity Newsletter.
    b. Identify suggestions that would materially change Baseline Expectations and add them to a public Baseline Expectations changelog to be considered in the next Baseline Expectations revision process.
    c. Determine that a matter is better approached as a potential assurance profile or by other means and add it to a public list of prospective work items for InCommon and its community.