...
SteveD: The AAC's work on this is at the beginning
The AAC has not taken our assurance profiles and decomposed them into trust marks yet.
The GA Tech people have broken 800-63 into trustmarks.
See:
https://trustmark.gtri.gatech.edu/concept/#framework-example-ficam
Eric: The trustmarks will decompose the IAP and the POP? So those would merge?
SteveD: I think so
Eric Goodman is a good working group member!
Any interest in asserting MFA in a profile?
Eric G: yes from other campuses
Do you have a definition for what that would mean?
See pages 44-45 here: https://trustmark.gtri.gatech.edu/wp-content/uploads/2014/01/Trustmark-Pilot-Concept-Slides-for-IDESG-Briefing-2014-01-16.pdf
MFA Profile
For the MFA profile work, there are important decisions on how granular to be.
We are running into what TomScavo ran into. There are apps that want MFA. Some campuses have MFA tokens and some don't.
We need to figure out under what circumstances the SP application would trust that MFA had been done by the campus, versus the app invoking its own MFA. We don't want campus MFA plus application MFA.
That's the danger you have if the SP requires MFA before the IDP supports it.
David: From the Multi Context Broker point of view...
What is MFA? Define it as lightly as possible: just that some other factor is used.
Paul Caskey said DUO lets you remember for 30 days that you had done your MFA.
I want to be able to disallow that
So he needs 2 different MFA profiles
TWOFER honors the forced reauthentication. DUO will not? You must define 2 different sub-modules.
Session length of 30 days?
Eric: To take it to the trustmarks, what the trustmark would be asserting is something about your MFA practice.
David: Yes, it would say you do MFA. The other says you are doing MFA and forcing reauthentication in the current time.
Eric: But that is interactive... It was noted that with a light definition of an MFA trustmark (MFA? Y or N) there are issues that arise, such as an SP that remembers you for 30 days (no forced reauthentication). There would be a need to disallow that kind of practice.
David: You define what you mean by MFA, and there is some certification process that says an IDP has that trustmark. Then assertions it sends out would be honored. There is the IAP and IAQ on the trustmark.
...