
mfa-interop - Re: [MFA-Interop] DRAFT not to assurance@incommon.org about an MFA entity category

Subject: MFA Interop Working Group

  • From: David Walker <>
  • To: <>
  • Subject: Re: [MFA-Interop] DRAFT not to about an MFA entity category
  • Date: Fri, 6 May 2016 16:44:08 -0700

Personally, I'd stay away from the word "assurance," and I was thinking more about compliance with the profile, rather than with the meaning of the entity category.  I've suggested the following edits in the document; how do they look?


  1. If we define an MFA entity category, what should its criteria be?  The group discussed the following:

    1. What does it mean for an IdP to “support MFA?”  Is it the ability to issue assertions in compliance with the MFA profile for at least one member of its community?  Something else?

    2. Should the ability to issue assertions in compliance with the Base Level profile also be included so that SPs that prefer MFA but will accept anything else can do that with a single authentication request?  This would imply that the ability to assert Base Level be required of all members of the IdP’s community.

  2. Would a formal institutional declaration of compliance with the MFA profile cause you to trust its MFA assertions more?  Could that declaration be as simple as a box in the Federation Manager that would be checked by the site administrator, or should further documentation be required?


David


On 05/06/2016 01:20 PM, Eric Goodman wrote:
On the last bullet in the document, I'm not sure the bullet calls out that (IIRC) the question was about whether the category carries any "assurance" connotations that the campus is self-asserting vs. it being simply an operational assertion that the IdP can respond with the MFA (and perhaps base) context. 

Perhaps:

-Is there value in a formal institutional declaration of support for MFA?  

+Is there value in the entity category specifically representing a "self-asserted assurance" that the campus meets the profile, in addition to the technical/operational conformance elements identified above?

-Could that declaration be as simple as a box in the Federation Manager that could be checked by the site administrator?

+Could that declaration be as simple as a box in the Federation Manager that could be checked by the site administrator, as compared to relying on separate self-assurance documentation as is required for InCommon Bronze compliance?


Not sure that's better, but might be more specific. :)

--- Eric

-----Original Message-----
From:  [] On Behalf Of David Walker
Sent: Friday, May 06, 2016 12:29 PM
To: MFA Interoperability Profile Working Group
Subject: [MFA-Interop] DRAFT not to  about an MFA entity category

Everyone,

As promised, I've drafted a note for the Assurance list about our discussion yesterday of an IdP entity category to indicate MFA support. 
It's a Google Doc at
https://docs.google.com/a/internet2.edu/document/d/1Cdc7MeQIyrTCCU4aVfbcSnad8_oqV-5jK902VqkZQUE/edit?usp=sharing. 
As we discussed, please respond with comments quickly so the final version can be sent on Monday. 

Karen, we didn't discuss who would send it.  It's probably best from you, but I can send it, if you'd rather.

David


