...
- Section 3: Silver and Bronze Profiles
  Clarified use of IAQs.
- Section 4: Criteria
  Modified and added criteria to reduce the burden of implementing Bronze.
- 4.2.1.4 (S) (B) IdPO Risk Management
  Added periodic review of the IdPO's IT operations to align with risk management objectives. For the Bronze profile, this requirement replaces the need for a formal IdMS audit, which had been a major barrier. This provision is not expected to be a burden for Silver certification.
- 4.2.3.2 (B) Basic Resistance to Guessing Authentication Secret
  Clarified language.
- 4.2.3.4 (S) Stored Authentication Secrets
  Removed cross reference.
- 4.2.3.5 (New - Bronze Only) Protection of Authentication Secrets
  Added to reduce the burden of implementing password-protection requirements for Bronze-only applicants.
- 4.2.3.6 (S) Strong Protection of Authentication Secrets
  Updated title to distinguish Silver from Bronze requirements.
- 4.2.5.6 Mitigate Risk of Credential Compromise
  Removed the specific guidance on how to mitigate risk, to align with the document approach taken in the 1.1 version.
- 4.2.7.2 (S) (B) Identity Assertion Qualifier (IAQ)
  Added a clarifying sentence that InCommon certifies IdPs as eligible to assert one or more qualifiers, and that the IdPO must be capable of including the InCommon IAQ when the criteria are met for a subject.
- Section 5: Determination of Conformance
  This new section distinguishes how IdPOs request conformance with the Bronze and Silver profiles, and how the new Representation of Conformance document supports Bronze as an option in lieu of the current audit.
...