Assurance

[Ann West <>]

Hello,

As InCommon and the Assurance Advisory Committee work through the details of 
Assurance in action, the relationship between Bronze and Silver profiles 
needs clarification. It stems from the assumption that logically Bronze is a 
subset of Silver and that this can be transferred to the application process 
and over the wire behavior.

From the point of view of the admins supporting the 819 SPs in the 
federation, it would be less of an overall development burden if they didn't 
need to code for the relationship between the profiles. They ask for and 
receive the profile they require for their service. If they want the Bronze 
qualifier, they should receive Bronze, not Silver. 

But can't I just assert Bronze-ness for Silver users? Because of the 
differences in implementation, InCommon has no way of knowing. The IdPO needs 
to have processes in place to determine whether users that aren't Silver 
qualify for Bronze. In some cases, IdPOs are setting up separate systems for 
Silver. The second-factor credential may qualify for Silver, but the 
plain-old-password infrastructure used to support Bronze may not. 

So InCommon and the AAC propose requiring IdPOs applying for Silver 
certification to also apply for Bronze. There is no impact to the fees to 
support both, and no audit needed if one uses the new Representation of 
Conformance methodology in the new 1.2 version of the Identity Assurance 
Profiles. 

And one final note: who cares about Bronze anyway? From what we hear, our 
FICAM friends would like existing NIH and NSF services operating in InCommon 
to start requesting Bronze. Once they approve 1.2 Profile and Framework docs, 
we'll be working with the Community and FICAM to develop next steps. 

Thoughts about this proposal?

Ann 



-- 
Ann West
Assistant Director,
Assurance and Community
Internet2/InCommon/Michigan Tech 

 
office: +1.906.487.1726