Federated Incident Response

[Brett Bieber <>]

Scott Koranda posted the following comment in the Incident Response section of the Google-doc:

"This section describes an organization's interactions with other organizations participating in the framework. So why does an agreement that one organization aware of an incident will notify the other not belong in this document and in this section?

Scott's comment raised some similar questions in my head that could occur when a subject believes their credential has been compromised, and the follow-on situation—when the IdP operator believes one of their user's credentials has been compromised.

There's nothing in the document that describes any relationship to the subjects/actors, besides some logging/traceability and the ability to contact users. There's also no obligations or requirement placed on the member to notify other Sirtfi members of an incident, only that they're "...able and willing to collaborate...with [other Sirtfi participants]"

I feel that Sirtfi members should be able and willing to respond to an incident report from their own users (which are not themselves Sirtfi members), and to notify known affected Sirtfi participants.

Were those aspects intentionally omitted from the IR section? and

Is it acceptable/understood that the established incident response process at the participant [IR4], will includes these aspects, and can be left out of the IR section?

Thanks,

-Brett