Introduction
The purpose of this document (Report: Code of Conduct for Relying Parties) is to give supporting guidance to the controlling documents of the Identity Assurance Framework (IAF), as developed by the Kantara Initiative, Inc. In certain contexts or domains involving Attribute Providers, it could be extended and modified for use as well. In the fullness of time this document may be used to extend the IAF and its controlling document suite to include the role of Relying Parties (RPs). The intended audience for this document is Trust Framework operators and actors deploying or assuming a role in the IAF who may be considering such an extension that brings RPs into scope.
The document is not intended to be a complete set of requirements for good behaviour of Relying Parties that might span the full extent of an organization's policies, processes and procedures. To do so would have the negative effect of duplicating much of that existing work. Rather, this document gives pointers to the range of topics that should typically be addressed in describing this set of requirements, presented as suggested Table of Contents headings, with a few exemplars of those headings described in more detail.
A complete Code of Conduct for Relying Parties might include sections for: A) Data Protection, B) Administration, Record Keeping and Process, C) Audit and Compliance, D) Exit and Off Boarding, E) Marketing, plus other aspects applicable to a given context or domain to make it comprehensive.
Assumptions
...
On conceptualizing a typical Table of Contents for a Code of Conduct for Relying Parties
This report offers an insight into what a typical Code of Conduct for Relying Parties might contain, by presenting a draft Table of Contents for such a document. Further, it assumes that the Code of Conduct for Relying Parties would form just one component of a larger document suite covering other aspects of federated identity activities.
It assumes a priori that the following artefacts and conditions exist in that broader framework document set for the federation, namely: (1) a set of agreed definitions/terminology, (2) scope and specification of the Relying Party activities, (3) a legal contract in force to make all obligations clear for interpretation, (4) that a federated trust framework is operating, (5) that a quality ISMS is operating in the RP/AP environments.
With the above conditions met, the Table of Contents for the Code of Conduct assumes that it forms part of a more comprehensive companion document set; the Table of Contents for the Relying Parties aspect of that document set might include:
Introduction and Purpose
...
Activities in scope for the Relying Party
Data Protection*
Administration, Record Keeping and Processes/Procedures*
Audit and Compliance
Exit and Off boarding*
Marketing
* (note: example text for this topic has been drafted below)
References
GEANT: http://www.geant.net/uri/dataprotection-code-of-conduct/V1/Pages/default.aspx (accessed from https://www.clarin.eu/content/how-can-i-comply-data-protection-code-conduct)
Federal Government of Canada: 'Adding and removing Credential Service Providers under the Credential Broker Service' TBS Canada, CIO Branch, Feb 2015, Version 4.0
Kantara Initiative: Identity Assurance Framework
InCommon: https://www.incommon.org/docs/policies/InCommonFOPP.pdf
IETF: Vectors of Trust: https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/?include_text=1 for the latest version, taken from https://www.ietf.org/mailman/listinfo/vot
NZ RealMe: https://www.realme.govt.nz/ (the MOU from which some text for the Administration, Record Keeping and Processes/Procedures section is drawn is not published)
TERENA: https://refeds.terena.org/index.php/Federations
...
Exemplar draft text for the Table of Contents headings selected above and marked with *
Data Protection
(a) [Payment] pay the Charges in accordance with XXXX clause in the Federation Agreement;
...
(h) [Maintenance and notification] use and maintain the Service Interface, including the security between the Client's systems and the Service System; register/modify/remove/retrieve meta-data and maintain PKI certificates as defined in the XX Federation Documentation XX; notify the IdP of any network changes or certificate renewals that may impact any part of the Service; use the Admin interface to register and update details relating to the Service and the officers charged with administering the Service.
Exit and Off boarding
(a) [Exit and off boarding]: RP must have an explicit written policy to address and mitigate impacts to existing users (e.g. portability of accounts if feasible, re-enrollment, credential switching) in the event that the RP terminates or is terminated from its role.
(b) [Exit and off boarding]: RP must have predetermined processes to put into action to update the Helpdesk on status, call handling procedures and documentation, website information, test scripts and system flows to reflect the terminated state of the RP.