Problem Statement
Some research service providers (SPs) and others face increasing need to demonstrate that their users have been well identity-proofed and that their authentication credentials are multifactor and well-bound to the user. These needs are incumbent on the users' Identity Providers (IdPs). This WG will identify and document processes that may be available at least to US academic organizations that can form the basis for asserting corresponding levels of assurance of identity proofing and credential binding.
How well identity-proofed and how well-bound the credentials will be is determined by reference to the IAP levels of low, moderate, high, and local-enterprise as defined in the REFEDS Assurance Framework (RAF). RAF itself aligns these values with well-known standards such as those developed by the Kantara Initiative, IGTF, and eIDAS.
The WG should aim to release an initial form of its guidance on an urgent basis to enable at least some academic institutions to address these needs before the NIH requires IAP Moderate, currently expected in June 2021. The WG may decide to continue work on a more comprehensive set of recommendations after its initial release.
Stakeholders/Influencers/Influences
- IAM architects at InCommon participant organizations
- Commercial and non-profit IdM providers, including Identity Management as a Service (IdMaaS) providers
- InCommon Federation (Internet2) management
- REFEDS Assurance WG
- Federated Identity Management for Research (FIM4R) community
- NIH CIT
- Research Data and Communications Technologies (RDCT), consultancy to NIAID that has studied these issues closely
- NERSC, ditto
- Kantara Initiative Assurance Program, which assesses Credential Service Providers and related component services and is accepted by the US Government for validating adherence to NIST 800-63-2 and 800-63-3. The WG may consider asking their opinions of draft guidance.
Charter
The AA WG will:
- Solicit input from InCommon Participants and other parties who have related experience to try to identify a set of approaches to dig further into.
- Determine guidance for use of the I9 process in assigning IAP levels for the WG's initial release. In particular, consider the role of e-Verify for employers enrolled in it.
- Assess the potential role of referral processes as compensating controls for some identity proofing steps. Examples:
  - A Principal Investigator whose identity has been sufficiently proofed confirms identity evidence submitted by their collaborator.
  - An instructor or advisor whose identity has been sufficiently proofed confirms identity evidence submitted by their student.
- Determine guidance, supplemental to criteria defined in NIST 800-63, Kantara, and related standards, on ways that credential issuance, renewal, and replacement can be linked to a vetted identity, including:
  - In person, such as ID card issuing or HR processes
  - In association with commercial services that validate identity evidence, e.g., via an API
  - Compensating controls, i.e., ways that a credential can be reasonably inferred to be controlled by the proofed identity it was assigned to. Example: if a credential is required to route employee paychecks to their bank, can it be inferred to be well-bound to that employee even if the credential issuance process does not itself accomplish the linkage?
- Proceed as quickly as possible. Consider meeting weekly rather than the typical biweekly cadence. Consider assigning some tasks to subgroups to work in parallel, bringing final drafts to the full WG for review.
- Share information and coordinate with the REFEDS Assurance WG.
- Recommend other working groups that may be needed, e.g., to address similar needs in other countries.
Out of Scope:
- Develop guidance for how to use the REFEDS MFA Profile in certain circumstances, for example, when the SP desires but need not require MFA, or when an IdP's MFA system is temporarily unavailable. The REFEDS Assurance WG is taking this up; interested parties should participate there.
- Align NIST SP800-63A with RAF IAPs. The REFEDS Assurance WG is taking this up. However, the AA WG may decide to reference 800-63A or 800-63B in its guidelines.
- Outreach activities to deliver the WG's guidance to InCommon Participants and related support activities. These will be undertaken by InCommon.
Membership
Membership in the Assured Access Working Group is open to all interested parties. Solicitation will take place on lists such as the InCommon Participants list and the REFEDS list, explicitly seeking international participation. Some stakeholders may be explicitly solicited by the Co-Chairs or other Working Group members for participation, e.g., providers who do not ordinarily participate on the above lists. Members join the Working Group by subscribing to the mailing list and Slack channel, participating on the calls, and otherwise actively engaging in the work of the group.
Work Products
- An initial form of guidance, to be issued as soon as possible, perhaps focused on the I9 process.
- Additional guidance to institutions on processes available for indicating assurance.
Appendices and Resources
See Also
* Original draft charter in Google Doc