...

How well identity-proofed and how well-bound the credentials will be is determined by reference to the IAP (Identity Assurance Profile) levels of low, medium, high, and local-enterprise as defined in the REFEDS Assurance Framework (RAF). RAF itself aligns these values with well-known standards such as those developed by the Kantara Initiative, IGTF, and eIDAS.

...

  • IAM architects at InCommon participant organizations
  • Commercial and non-profit IdM providers, including Identity Management as a Service (IdMaaS) providers
  • InCommon Federation (Internet2) management
  • REFEDS Assurance WG
  • Federated Identity Management for Research (FIM4R) community
  • NIH CIT
  • Research Data and Communications Technologies (RDCT), a consultancy to NIAID that has studied these issues closely
  • NERSC, which has likewise studied these issues closely
  • Kantara Initiative Assurance Program, which assesses Credential Service Providers and related component services and is accepted by the US Government for validating adherence to NIST 800-63-2 and 800-63-3. The WG may consider asking their opinions of draft guidance.

Charter

The AA WG will:

  1. Solicit input from InCommon Participants and other parties with related experience, to identify a set of approaches worth investigating further.
  2. Determine guidance for use of the I-9 process in assigning IAP levels for the WG’s initial release. In particular, consider the role of E-Verify for employers enrolled in it.
  3. Assess the potential role of referral processes as compensating controls for some identity proofing steps. Examples:
    1. A Principal Investigator (PI) whose identity has been sufficiently proofed confirms the identity evidence submitted by their collaborator.
    2. An instructor or advisor whose identity has been sufficiently proofed confirms the identity evidence submitted by their student.
  4. Determine guidance, supplemental to the criteria defined in NIST 800-63, Kantara, and related standards, on ways that credential issuance, renewal, and replacement can be linked to a vetted identity, including:
    1. In-person proofing, such as ID card issuance or HR processes.
    2. Use of commercial services that validate identity evidence, e.g., via an API.
    3. Compensating controls, i.e., ways that a credential can reasonably be inferred to be controlled by the proofed identity it was assigned to. Example: if a credential is required to route an employee’s paycheck to their bank account, can it be inferred to be well-bound to that employee even if the credential issuance process does not itself accomplish the linkage?
  5. Proceed as quickly as possible. Consider meeting weekly rather than the typical biweekly cadence. Consider assigning some tasks to subgroups to work in parallel, bringing final drafts to the full WG for review.
  6. Share information and coordinate with the REFEDS Assurance WG.
  7. Recommend other working groups that may be needed, eg, to address similar needs in other countries.

Out of Scope:

  1. Developing guidance for how to use the REFEDS MFA Profile in certain circumstances, for example, when an SP desires but need not require MFA, or when an IdP’s MFA system is temporarily unavailable. The REFEDS Assurance WG is taking this up; interested parties should participate there.
  2. Aligning NIST SP 800-63A with RAF IAPs. The REFEDS Assurance WG is taking this up. However, the AA WG may decide to reference 800-63A or 800-63B in its guidelines.
  3. Outreach activities to deliver the WG’s guidance to InCommon Participants, and related support activities. These will be undertaken by InCommon.

Membership

Membership in the Assured Access Working Group is open to all interested parties. Solicitation will take place on lists such as the InCommon Participants list and the REFEDS list, explicitly seeking international participation. Some stakeholders may be explicitly solicited by the Co-Chairs or other Working Group members for participation, e.g., providers who do not ordinarily participate on the above lists. Members join the Working Group by subscribing to the mailing list and Slack channel, participating on the calls, and otherwise actively engaging in the work of the group.

...

  1. An initial form of guidance, to be issued as soon as possible, likely focused on the I-9 process.
  2. Additional guidance to institutions on the processes available for asserting assurance.

...

Appendices and Resources

See Also

* Original draft charter in Google Doc

...