assurance - RE: [Assurance] If apply for Silver, then apply for Bronze?
Subject: Assurance
List archive
- From: "Roy, Nicholas S" <>
- To: "" <>
- Subject: RE: [Assurance] If apply for Silver, then apply for Bronze?
- Date: Wed, 20 Jun 2012 18:02:17 +0000
- Accept-language: en-US
"...InCommon and the AAC propose requiring IdPOs applying for Silver
certification to also apply for Bronze. There is no impact to the fees to
support both, and no audit needed if one uses the new Representation of
Conformance methodology in the new 1.2 version of the Identity Assurance
Profiles."
This seems reasonable and logical to me. A school applying for Silver should
be able to differentiate Silver from Bronze in their technical
implementation. If a school just applies for Bronze up-front, then later
does a Silver audit and applies for Silver separately, does that school need
to include all the Bronze stuff in the audit and re-apply for Bronze?
On the other hand, doesn't the IAQ requirement in 4.2.6.1 already mandate a
differentiation, and under 4.2.7.2 states that an institution not approved
for a specific IAQ must not include an IAQ that the institution hasn't been
certified for and must not include an IAQ that doesn't meet the requirements
of that IAP? Maybe some clarification around Silver not being an adequate
replacement for Bronze or "these are not downwards compatible" would be
enough?
While an IdP should be capable of differentiating IAQ requirements and
handling them appropriately, If an RP can accept Bronze and requires Bronze,
it should be able to deal with Silver, too, if Silver is good enough for its
needs (and it arguably is). It feels a little bit like all of the burden for
assurance (especially things like privacy that should have requirements for
both IdPs and RPs) are being put on the IdP side of the operation. I think
the RPs requiring assurance have some responsibility here too, including
technical responsibility to be able to flexibly support the way the IAPs work
in InCommon. It seems like if the InCommon assurance framework fits within
the ICAM SAML 2 profile, federal RPs requiring assurance from InCommon IdPs
should be able to fully support that profile. If different IAQs are part of
the big picture, RPs should be able to handle Silver in lieu of Bronze.
Nick
Thanks,
Nick
-----Original Message-----
From:
[mailto:]
On Behalf Of Ann West
Sent: Wednesday, June 20, 2012 11:52 AM
To:
Subject: [Assurance] If apply for Silver, then apply for Bronze?
Hello,
As InCommon and the Assurance Advisory Committee work through the details of
Assurance in action, the relationship between Bronze and Silver profiles
needs clarification. It stems from the assumption that logically Bronze is a
subset of Silver and that this can be transferred to the application process
and over the wire behavior.
From the point of view of the admins supporting the 819 SPs in the
federation, it would be less of an overall development burden if they didn't
need to code for the relationship between the profiles. They ask for and
receive the profile they require for their service. If they want the Bronze
qualifier, they should receive Bronze, not Silver.
But can't I just assert Bronze-ness for Silver users? Because of the
differences in implementation, InCommon has no way of knowing. The IdPO needs
to have processes in place to determine whether users that aren't Silver
qualify for Bronze. In some cases, IdPOs are setting up separate systems for
Silver. The second-factor credential may qualify for Silver, but the
plain-old-password infrastructure used to support Bronze may not.
So InCommon and the AAC propose requiring IdPOs applying for Silver
certification to also apply for Bronze. There is no impact to the fees to
support both, and no audit needed if one uses the new Representation of
Conformance methodology in the new 1.2 version of the Identity Assurance
Profiles.
And one final note: who cares about Bronze anyway? From what we hear, our
FICAM friends would like existing NIH and NSF services operating in InCommon
to start requesting Bronze. Once they approve 1.2 Profile and Framework docs,
we'll be working with the Community and FICAM to develop next steps.
Thoughts about this proposal?
Ann
--
Ann West
Assistant Director,
Assurance and Community
Internet2/InCommon/Michigan Tech
office: +1.906.487.1726
- [Assurance] If apply for Silver, then apply for Bronze?, Ann West, 06/20/2012
- Re: [Assurance] If apply for Silver, then apply for Bronze?, Cantor, Scott, 06/20/2012
- Re: [Assurance] If apply for Silver, then apply for Bronze?, Ann West, 06/20/2012
- RE: [Assurance] If apply for Silver, then apply for Bronze?, Roy, Nicholas S, 06/20/2012
- Re: [Assurance] If apply for Silver, then apply for Bronze?, Ann West, 06/27/2012
- Re: [Assurance] If apply for Silver, then apply for Bronze?, Cantor, Scott, 06/20/2012
Archive powered by MHonArc 2.6.16.