
InCommon published public review draft versions of its 1.1 Assurance Framework and Profiles documents on March 9.  On this page we describe the major changes in these documents from the 1.0.x versions, and suggest particular sections reviewers should look at.

Overall approach

The work of the Refinement team had these objectives:

  1. Respond to feedback from early-adopter campuses regarding provisions that were unclear or onerous.
  2. Remove elements that were not justified by US government or InCommon community requirements.
  3. Harmonize conflicting and out-of-date terminology.
  4. Continue to meet the requirements of the US government ICAM program for Assurance Levels 1 and 2 (Bronze and Silver).
  5. Describe requirements in terms of what must be achieved, as opposed to how to achieve it.
  6. Clarify the purpose and audience of each document.
  7. Clearly indicate normative requirements.  Remove or appropriately distinguish examples and advice.

IAAF

  • 2 Identity Management Functional Model
    • This is a new section.  It is intended to clearly define many terms used in Assurance Profiles, in the context of identity management systems typically used by InCommon participants.  This section replaces the Glossary in version 1.0.x.
  • 3 Identity Assurance Profiles (previously Section 2)
    • This section has been simplified to provide general information on the types of issues addressed in IAPs, rather than listing specific issues.
  • 4 Assessment and Audit of Identity Providers (previously Section 3)
    • This section has been modified to clarify the assessment and certification processes, as well as auditors' roles within those processes.

IAP

  • 4.2.1 Business, Policy and Operational Criteria
    • Almost all criteria from this section have been removed, leaving only a requirement to be an InCommon Participant in good standing.  The removed criteria were called out as burdensome by early adopters, and were no longer required by US government specs.
  • 4.2.2 Registration and Identity Proofing
    • It is no longer required to record identity proofing document numbers, only their type and issuer.  The requirement for 7.5-year retention of identity proofing records has also been removed; retention is now subject to the IdPO's applicable policy and law.  The extended retention of this PII was burdensome, if not illegal in some jurisdictions.
  • 4.2.3 Credential Technology
    • The criteria for "Subject modifiable shared secret" have been removed.  They were no longer required by US government specs.
    • The protection of authentication secrets has been clarified, particularly with respect to the scope of the situations where those secrets must be protected.
  • 4.2.4 Credential Issuance and Management
    • The following criteria were removed.  They were either duplicative of other criteria or were not justified by US government or InCommon community requirements.
      • Unique Subject identifier
      • Credential status
      • Credential status verification
      • Suspected credential compromise
    • Criteria for record retention of credential issuance were added.
  • 4.2.5 Authentication Process
    • This section was rewritten to describe what must be achieved, as opposed to how to achieve it.
  • 4.2.6 Identity Information Management
    • Added criteria for IdMSs that store Subject records that do not all meet the same set of IAP criteria.
  • 4.2.8 Technical Environment
    • All criteria were modified to describe what must be achieved, as opposed to how to achieve it.