Assurance

["Roy, Nicholas S" <>]

"...InCommon and the AAC propose requiring IdPOs applying for Silver 
certification to also apply for Bronze. There is no impact to the fees to 
support both, and no audit needed if one uses the new Representation of 
Conformance methodology in the new 1.2 version of the Identity Assurance 
Profiles."

This seems reasonable and logical to me.  A school applying for Silver should 
be able to differentiate Silver from Bronze in their technical 
implementation.  If a school just applies for Bronze up-front, then later 
does a Silver audit and applies for Silver separately, does that school need 
to include all the Bronze stuff in the audit and re-apply for Bronze?

On the other hand, doesn't the IAQ requirement in 4.2.6.1 already mandate a 
differentiation, and under 4.2.7.2 states that an institution not approved 
for a specific IAQ must not include an IAQ that the institution hasn't been 
certified for and must not include an IAQ that doesn't meet the requirements 
of that IAP?  Maybe some clarification around Silver not being an adequate 
replacement for Bronze or "these are not downwards compatible" would be 
enough?

While an IdP should be capable of differentiating IAQ requirements and 
handling them appropriately, If an RP can accept Bronze and requires Bronze, 
it should be able to deal with Silver, too, if Silver is good enough for its 
needs (and it arguably is).  It feels a little bit like all of the burden for 
assurance (especially things like privacy that should have requirements for 
both IdPs and RPs) are being put on the IdP side of the operation.  I think 
the RPs requiring assurance have some responsibility here too, including 
technical responsibility to be able to flexibly support the way the IAPs work 
in InCommon.  It seems like if the InCommon assurance framework fits within 
the ICAM SAML 2 profile, federal RPs requiring assurance from InCommon IdPs 
should be able to fully support that profile.  If different IAQs are part of 
the big picture, RPs should be able to handle Silver in lieu of Bronze.

Nick

Thanks,

Nick

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Ann West
Sent: Wednesday, June 20, 2012 11:52 AM
To: 

Subject: [Assurance] If apply for Silver, then apply for Bronze?

Hello,

As InCommon and the Assurance Advisory Committee work through the details of 
Assurance in action, the relationship between Bronze and Silver profiles 
needs clarification. It stems from the assumption that logically Bronze is a 
subset of Silver and that this can be transferred to the application process 
and over the wire behavior.

From the point of view of the admins supporting the 819 SPs in the 
federation, it would be less of an overall development burden if they didn't 
need to code for the relationship between the profiles. They ask for and 
receive the profile they require for their service. If they want the Bronze 
qualifier, they should receive Bronze, not Silver. 

But can't I just assert Bronze-ness for Silver users? Because of the 
differences in implementation, InCommon has no way of knowing. The IdPO needs 
to have processes in place to determine whether users that aren't Silver 
qualify for Bronze. In some cases, IdPOs are setting up separate systems for 
Silver. The second-factor credential may qualify for Silver, but the 
plain-old-password infrastructure used to support Bronze may not. 

So InCommon and the AAC propose requiring IdPOs applying for Silver 
certification to also apply for Bronze. There is no impact to the fees to 
support both, and no audit needed if one uses the new Representation of 
Conformance methodology in the new 1.2 version of the Identity Assurance 
Profiles. 

And one final note: who cares about Bronze anyway? From what we hear, our 
FICAM friends would like existing NIH and NSF services operating in InCommon 
to start requesting Bronze. Once they approve 1.2 Profile and Framework docs, 
we'll be working with the Community and FICAM to develop next steps. 

Thoughts about this proposal?

Ann 



-- 
Ann West
Assistant Director,
Assurance and Community
Internet2/InCommon/Michigan Tech 

 
office: +1.906.487.1726