assurance - RE: [Assurance] NIST vs. TFS vs. Silver
Subject: Assurance
List archive
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: [Assurance] NIST vs. TFS vs. Silver
- Date: Fri, 14 Mar 2014 16:01:04 +0000
- Accept-language: en-US
Thanks to both of you for the clarity. Mark, FWIW, the TFP LoA 2 requirements have some large (though mostly optional) additions, which is what raised the question in the first place. I'm clear that for actual compliance I only need worry about InCommon (since that's the only compliance I'm seeking), I was more wondering how much the items that have been added to the TFP above and beyond what's
in NIST 800-63 is likely to impact us (both my organization and the community) in the long term. I'm looking at InCommon IAPs, NIST and other sources for some formalized best or accepted practices for various operations (that don't require full-on LoA support),
and I'm wondering how much it makes sense to (and how quickly I should be looking to) leverage information from each source. For example, we know that password brute force protection rules changed somewhat substantially in the last rev NIST 800-63-2, so I'm wondering how aggressively to try to focus on that vs. the older language (as
expressed in Silver/Bronze). Similarly, the new FICAM TFP adds (again, mostly optional) expectations about device fingerprinting and login behavior tracking to LoA 2.
I know neither of those changes applies to us under the current InCommon IAPs, but I'm asking more to help me read the tea leaves as to how long such changes are likely to take to flow from the TFP and NIST to
InCommon. Again, thanks for the clarification. --- Eric From: [mailto:]
On Behalf Of Ann West Hi Eric, NIST wrote 800-63 for US Government Agency to Agency service use. It is not a Trust Framework Program (TFP), because it doesn't deal with the legal, organizational,
technical _expression_ and assessment requirements, to name a few. FICAM was established to (roughly) expand on 800-63 and create a certification program for non-government IdPs to interact with Agency Relying Parties (RPs) To
do this, FICAM had to figure out how to include the additional trust components for each of these non-gov IdP in sectors like banking, education and health care. FICAM was aware that these other communities have different but comparable ways of operating that
are not included in 800-63, and in the interest of growing the program, they decided to be somewhat flexible to accommodate those. To scale the certification of IdPs then, FICAM decided to focus on certifying TFPs like InCommon, which in turn would certify IdPs (or Credential Service Providers
[CSPs] in FICAM-speak). Fast forward to today, some of the Trust Framework Providers' specs are short and very close to the original FICAM spec and some are long and very prescriptive. InCommon's focuses on intent, leaving the "how" up to the campus. The authors
of InCommon's spec wanted to accommodate the US Government requirements while maintaining campus flexibility as much as possible. You know this as Alternative Means which none of the other Trust Frameworks have. We also negotiated no-audit LoA1, which is now
standard in FICAM 2.0. We also don't include all the MFA methodologies in our specs that are in 800–63 to reduce technology-chasing revisions. We instead rely on the community submitting Alternative Means which become normative such as the MFA example on the
assurance.incommon.org site. It's great that you reviewed the new FICAM docs, but put them in perspective: They provide background on where they are taking their program. But no worries, InCommon
(the Assurance Advisory Committee and staff) are currently in negotiations with FICAM to determine how their 2.0 version will affect our spec. We think it will be minimal (not substantive really), but time will tell. For instance, their 2.0 assumes IdPs are
not members of an operating federation. (Kantara, for instance, is a FICAM-certified Trust Framework Provider but does not operate a federation.) This assumption has driven FICAM to develop an Authority to Offer Services (ATOS) document that IdPs must follow
when preparing to federate over-the-wire with an Agency RP. InCommon is making the case that IdPs in InCommon already support much of what's in the ATOS so no additional work on the spec or by the IdP is needed. Stay tuned. Ann On 3/13/14 1:09 PM, "Eric Goodman" <> wrote:
|
- [Assurance] NIST vs. TFS vs. Silver, Eric Goodman, 03/13/2014
- [Assurance] RE: NIST vs. TFS vs. Silver, Jones, Mark B, 03/13/2014
- <Possible follow-up(s)>
- Re: [Assurance] NIST vs. TFS vs. Silver, Ann West, 03/13/2014
- RE: [Assurance] NIST vs. TFS vs. Silver, Eric Goodman, 03/14/2014
- RE: [Assurance] NIST vs. TFS vs. Silver, Jones, Mark B, 03/14/2014
- RE: [Assurance] NIST vs. TFS vs. Silver, Eric Goodman, 03/14/2014
- Re: [Assurance] NIST vs. TFS vs. Silver, Ann West, 03/14/2014
- RE: [Assurance] NIST vs. TFS vs. Silver, Jones, Mark B, 03/14/2014
- RE: [Assurance] NIST vs. TFS vs. Silver, Eric Goodman, 03/14/2014
Archive powered by MHonArc 2.6.16.