
mfa-interop - RE: [MFA-Interop] DRAFT not to assurance@incommon.org about an MFA entity category

Subject: MFA Interop Working Group

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [MFA-Interop] DRAFT not to about an MFA entity category
  • Date: Sat, 7 May 2016 00:22:47 +0000

 

Item 1 and the sub bullets are all about what the entity category is intended to signal about technical SAML-level interoperability questions at the IdP. The words “assurance” or “compliance” should not appear anywhere within that item as I interpreted the conversation on the call. I would leave the entire bullet item #1 unchanged.

 

Item 2 is focused on what the entity category signals at a policy level. This is the only place I was suggesting adding “assurance” (or whatever word people prefer). I specifically suggested the wording change only for the second item to clarify the difference in focus between the two points.

 

--- Eric

 

From: [mailto:] On Behalf Of David Walker
Sent: Friday, May 06, 2016 4:44 PM
To:
Subject: Re: [MFA-Interop] DRAFT not to about an MFA entity category

 

Personally, I'd stay away from the word "assurance," and I was thinking more about compliance with the profile, rather than with the meaning of the entity category.  I've suggested the following edits in the document; how do they look?



1.    If we define an MFA entity category, what should its criteria be?  The group discussed the following:

a.    What does it mean for an IdP to “support MFA?”  Is it the ability to issue assertions in compliance with the MFA profile for at least one member of its community?  Something else?

b.    Should the ability to issue assertions in compliance with the Base Level profile also be included so that SPs that prefer MFA but will accept anything else can do that with a single authentication request?  This would imply that the ability to assert Base Level be required of all members of the IdP’s community.

2.    Would a formal institutional declaration of compliance with the MFA profile cause you to trust its MFA assertions more?  Could that declaration be as simple as a box in the Federation Manager that would be checked by the site administrator, or should further documentation be required?



David

On 05/06/2016 01:20 PM, Eric Goodman wrote:

On the last bullet in the document, I'm not sure the bullet calls out that (IIRC) the question was about whether the category carries any "assurance" connotations that the campus is self-asserting vs. it being simply an operational assertion that the IdP can respond with the MFA (and perhaps base) context. 
 
Perhaps:
 
-Is there value in a formal institutional declaration of support for MFA?  
 
+Is there value in the entity category specifically representing a "self-asserted assurance" that the campus meets the profile, in addition to the technical/operational conformance elements identified above?
 
-Could that declaration be as simple as a box in the Federation Manager that could be checked by the site administrator?
 
+Could that declaration be as simple as a box in the Federation Manager that could be checked by the site administrator, as compared to relying on separate self-assurance documentation as is required for InCommon Bronze compliance?
 
 
Not sure that's better, but might be more specific. :)
 
--- Eric
 
-----Original Message-----
From:  [] On Behalf Of David Walker
Sent: Friday, May 06, 2016 12:29 PM
To: MFA Interoperability Profile Working Group
Subject: [MFA-Interop] DRAFT not to  about an MFA entity category
 
Everyone,
 
As promised, I've drafted a note for the Assurance list about our discussion yesterday of an IdP entity category to indicate MFA support. 
It's a Google Doc at
https://docs.google.com/a/internet2.edu/document/d/1Cdc7MeQIyrTCCU4aVfbcSnad8_oqV-5jK902VqkZQUE/edit?usp=sharing. 
As we discussed, please respond with comments quickly so the final version can be sent on Monday. 
 
Karen, we didn't discuss who would send it.  It's probably best from you, but I can send it, if you'd rather.
 
David
 
 

 



