...
- The AAC is working to revise its charter to do more than manage the assurance process for certification. This does not expand a lot the AACs charge. But it is broader than managing a process.
- The AAC is looking at what needs to be modified to increase trust within the federation. The goal is to get people on the road to higher trust and higher assurance.
- We have received feedback (from our SP partners) on the lack of usefulness of the POP and the lack of compliance. Some InCommon participants are not updating their POPs.
- We have talked about decomposing the assurance profiles into trust marks to drive incremental progress within the federation.
- There is work at GA Tech on Trust Marks https://trustmark.gtri.gatech.edu/the-pilot/
Q&A
EricG asks, there is Vectors of Trust group.
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg13215.html
The The UC system is are is taking a similar approach in standards, for incremental progress short of silver.Is Is there a sense of what the scope of the trustmarks (being discussed by the AAC_ ) might be? Wants to do things that would map to trustmarks. Are there specific targets that would be useful for us to use?
SteveD: The AAC's work on this is at the beginning. The AAC has not yet taken our InCommon assurance profiles and deomposed decomposed them into trust marks yet.
The GA Tech GTRI group has looked at breaking 800-63 into trustmarks.
...
For a community MFA profile, there are decisions on how granular to be. There are apps that want MFA. Some campuses have MFA and some don't. Under what circumstances would the SP application trust that MFA had been done by the campus, versus the app requiring its own MFA. Don? We don't want want to have campus MFA plus ALSO application MFA.
It was noted that with a light/simple definition of MFA trustmark (MFA? Y or N), there are concerns. Example: an SP that remembers you the user for 30 days (, with no forced reauthentication)re-authentication. There would be a need to disallow that kind of practice.
...