...

In any conformity assessment program, decisions have to be made about the scope of each program. In terms of performing an assessment, it does not matter whether the assessed party is a CSP or an RP: there is a set of requirements that are assessed, and either they are being met or they are not. The potential problem with RPs is scale. If the RP community is large, how long will assessment take? How complex does that make it? How does one even manage the logistics? Do we end up with RPs entering into separate agreements, or a blanket agreement? None of this is really NIST's responsibility to answer, but these will be the principal considerations when Kantara moves forward.

Kantara does not have any FAL approvals. For CSPs and assessors, does this revision 4 draft make the path to certification easier? Will CSPs become more likely to want to be certified for 63C now?

Kantara had to formally invent/define the terms "federation agreement" and "federation authority" in order to make the current KIAF-1450 requirements into something that could be implemented and assessed. With rev. 4 now formally addressing both of those concepts, it becomes easier to determine whether an organization aligns. Individual organizations will need to have internal discussions about whether they conform and, if not, what can be changed in order to conform.

NIST tried to ensure that the included requirements would cover both large-scale formal federations (InCommon) and the much more dynamic point-to-point federations (logging into a new website that my IdP has never seen before). When NIST says "federation", they are talking about the use of federation protocols to convey authentication and attribute information about the subject to the RP. That is hopefully clear from the introductory text in both the base volume and 63C. That narrow definition of federation pulls in the trust agreement, the federation agreement, federation operators, and the other things needed to make that conveyance happen. Fundamentally, when NIST talks about federation they are talking about a connection, a conveyance of information. It is fully intended to span all of those different use cases, not just the formal ones.

Final note on federation from NIST:

...