InCommon published public review draft versions of its 1.1 Assurance Framework and Profiles documents on March 9.  On this page we describe the major changes in these documents from the 1.0.x versions, and suggest particular sections reviewers should look at.

Overall approach

The work of the Refinement team had these objectives:

  1. Respond to feedback from early-adopter campuses regarding provisions that were unclear or onerous.
  2. Remove elements that were not justified by US government or InCommon community requirements.
  3. Harmonize conflicting and out-of-date terminology.
  4. Continue to meet the requirements of the US government ICAM program for Assurance Levels 1 and 2 (Bronze and Silver).
  5. Describe requirements in terms of what must be achieved, as opposed to how to achieve it.
  6. Clarify the purpose and audience of each document.
  7. Clearly indicate normative requirements.  Remove or appropriately distinguish examples and advice.

IAAF

  • 2 Identity Management Functional Model
    • This is a new section.  It is intended to clearly define many terms used in Assurance Profiles, in the context of identity management systems typically used by InCommon participants.  This section replaces the Glossary in version 1.0.4.
  • 3 Identity Assurance Profiles (previously Section 2)
    • This section has been simplified to provide general information on the types of issues addressed in IAPs, rather than listing specific issues.
  • 4 Assessment and Audit of Identity Providers (previously Section 3)
    • This section has been modified to clarify the assessment and certification processes, as well as auditors' roles within those processes.

IAP

  • 4.2.1 Business, Policy and Operational Criteria
    • Almost all criteria from this section have been removed.  The removed criteria were called out as burdensome by early adopters, and were no longer required by US government specs.
  • 4.2.2 Registration and Identity Proofing
    • It is no longer required to record identity proofing document numbers, only their type and issuer.  The requirement for 7.5-year retention of identity proofing records has also been removed; retention is now subject to the IdPO's applicable policy and law.  The extended retention of this PII was burdensome, if not illegal in some jurisdictions.
  • 4.2.3 Credential Technology
    • Several criteria were modified to describe what must be achieved, as opposed to how to achieve it.
    • The protection of authentication secrets has been clarified, particularly with respect to the scope of the situations where those secrets must be protected.
  • 4.2.4 Credential Issuance and Management
    • Several criteria were removed.  The removed criteria were not justified by US government or InCommon community requirements.
  • 4.2.5 Authentication Process
    • Several criteria were modified to describe what must be achieved, as opposed to how to achieve it.
  • 4.2.6 Identity Information Management
    • Added criteria for IdMSs that store Subject records which do not all meet the same set of IAP criteria.
  • 4.2.8 Technical Environment
    • Several criteria were modified to describe what must be achieved, as opposed to how to achieve it.