  • Minutes of Assurance Call of 10-July-2013

...

Ann reported that the Business School of a large research institution recently approached InCommon with a new use case. At this institution, Central IT has stated that the Business School needs to be Bronze certified. The Business School has an IDP, but does not need to be in InCommon metadata; it needs to conform to the bronze profile to achieve security goals. So at this institution, Central IT is outsourcing the security/credential requirement to InCommon.

Ann has encouraged the Business School to talk with Central IT about having the institution (not the Business School) sign the assurance addendum with the same signature authority that signed the InCommon POP. Further, if they want InCommon to manage the assurance re-certification every 3 years, they would need to put the Business School IDP in the InCommon metadata. This would mean the institution would need to pay for a second IDP, for the Business School.

David suggested that it would make sense for the institution to get the bronze certification instead of just the Business School. The IDPO is the institution. The institution will need to explain to users which IDP to use for which situations.

Ann asked if InCommon Assurance should consider a reduced fee for cases where there is no IDP, for cases where an institution wants a stamp of approval. David suggested that this makes sense; it would be like an audit report saying "yes we agree with management's assertion that they meet the requirements for the assurance program." It was noted that without a SAML IdP it is not possible to be bronze certified under 4.2.7.

...

Jeff Capehart stated that at University of Florida, the password policy has been revised, adding some new options associated with use of longer passwords. The new policy still complies with the entropy requirements.

Lee stated that UNMC is examining the different levels of assurance currently in use.

...