...
Assurance Advisory Committee Update
SteveD reported that the POP has been a major focus area for the AAC.
Issues include:
-some IdPs never published an initial POP
-other IdPs have an outdated POP
The AAC has heard from InCommon Service Providers that the current system makes it difficult to evaluate the risk of working with an IdP. The AAC has looked at whether it might be reasonable to require IdPs to assert a Bronze level of assurance.
-Dedre: it makes sense to require that campuses maintain an up-to-date POP.
-Michael: Perhaps the POP should have a life span, with a requirement the IdPs do an update at a certain interval.
-Ann: Every six months, InCommon does remind IdPs without a POP that they need to provide one.
It was noted that even if every IdP had a current POP available, this would not address all the concerns that are being raised by the Service Providers. Enforcement of the current POP requirement may be a logical first step, but the problem would still exist that SPs with high trust requirements would still need a lot of staff to check every POP. Ann suggested a scenario (being brainstormed) where IdPs are required to use an online checklist or series of checklists to describe their practices. There could be bundles of questions around categories such as credentialing, identity management, interoperability, etc. AuthNContext might be expressed in some of the bundles. Numeric values could be assigned to an IdP based on its self-assertions on these checklists. The numerical score could be asserted as an attribute, to allow an SP to decide whether to federate with a given IdP. This would be an informal program, separate from Assurance, but it might somehow feed into Assurance.
Dedra commented that the simplicity of this checklist approach is appealing and could provide important benefits, and it would be especially helpful if there was also more detailed documentation available describing each IdP's practices. One approach might be to have a field where the IdP provides the URL at which one finds more detailed documentation.
Q: Would this checklist approach be flexible enough to reflect how a campus uses an alternative practice (such as using MFA instead of password reset)?
A: There could be registered, community-defined standards (apart from the FICAM standards) expressed via AuthNContext.
Comments
-It's important to use password-protected transport, and to avoid bilateral handshakes.
-We should look at solutions that feed into the assurance program. Do not want people to be asking "why am I doing this if I must also be doing that?"
Counting Failed Login Attempts
...
Ann is putting together a plan for a Bronze implementation cohort group. This will involve walking through the Bronze spec. The group will most likely talk about entropy issues, controlling access to your password store, interpreting the spec, old clients, and other issues.