
What is Bronze?

Identity Assurance is a collection of identity and authentication-related technologies, policies and practices that we implement to achieve a certain security objective, thus protecting a service or resource. The primary difference between what you do now and the InCommon Profiles is that someone has done the thinking for you, at least in the user credential space: if you have a specific risk profile that you would like to address, use this published identity assurance profile.

The InCommon Bronze Identity Assurance Profile supports sequential identity, which means that over time the same person is returning with the same credential. It's most useful for things like group membership, where identity is not as important as being a part of a group or having an entitlement. The classic library use case of a verified user of a campus license agreement applies here.

Why Bronze Certification?

Bronze provides a generally accepted practice for passwords and credentials. The benefits of getting certified under the Bronze practice statement are:

  • provides visible proof of your good practice through publication in the InCommon metadata, on the InCommon website, and on the FICAM website. 
  • provides a community and federally approved practice statement. What others do you have that are as comprehensive?
  • gives you a good baseline of credential practices to address your security needs. Using the profiles can help you shine a light on things you should be protecting better. 
  • easy(ier) to implement. No audit required. Provides a stepping stone to Silver. And it's free to get certified. 
  • normalizes practices across the Federation as implementation spreads. 

Over time, Bronze may replace the Participant Operating Practices as the baseline requirement for participating in the Federation. 

Why InCommon's Program/Profile?

Too Techie -

InCommon's Profiles and Trust Framework are Higher Ed's version of LoA 1 and 2 from NIST 800-63. InCommon is the only federation serving Education that provides not only the standards and related trust certification program, but also the infrastructure that helps make it all go. And it's all approved for interchange with the Federal Government. 

Background

The National Institute of Standards and Technology, the XXXX for the Federal Government, developed NIST 800-63 Electronic Authentication Guidelines in XXX. This outlined four levels of assurance that identity providers in the federal government must use. The Federal CIOs then established the Federal Identity, Credential and Access Management subcommittee to develop programs to enable third-party credentials (like those from InCommon Participants) to be used with agency apps.

In response to the FICAM program, InCommon assembled a team of leading identity architects from the HE community to develop the profiles for HE adopters. Understanding that campuses are not federal agencies and have different ways of doing things, the writers of the profiles baked in diversity of deployment (alternative means), adoptability (removal of audit for Bronze, acceptance of common risk practice), and flexibility (intent of requirement, not specific technology). As a result, the profiles are written by Higher Ed for Higher Ed, but are comparable to the corresponding Levels of Assurance in 800-63.

Moving Forward with Certification
