.........................................................................................................................................................................................................

From the Jan 2015 minutes:

Ken: Some have clearly defined requirements:

1) Governments as relying parties – Are there a common set of requirements that governments have of authoritative parties (Token, Attribute or Identity Providers)? Do authoritative parties (Token, Attribute or Identity Providers) have expectations of governments that consume their assertions?

2) Governments as authoritative parties (Token, Attribute or Identity Providers) – Are there concerns / restrictions on governments acting as an authoritative party, whether to internal government services, other jurisdictions or the private sector?

.......................................................

Keith: As discussed on the call, this page is a wiki comparing the various research and education federations.

https://refeds.terena.org/index.php/Federations

I feel a resource like this for eGov would be a great project for us to undertake and put on the Kantara wiki. It makes comparison of different technologies, models and policies very convenient.

This would take the excellent work done by the BCTF and add more information to the model, with a focus on eGov only.

http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey

And of course we have the SAC (Service Assessment Criteria) that the Kantara Identity Assurance Framework uses for IdPs, of which the IAWG is custodian, which you can see here (IAF 1400). Look at the lists in sections 4 and 5 of this:

Section 4: COMMON ORGANIZATIONAL SERVICE ASSESSMENT CRITERIA
  • Enterprise and Service Maturity
  • Notices and User Information/Agreements
  • Information Security Management
  • Security-relevant Event (Audit) Records
  • Operational Infrastructure
  • External Services and Components
  • Secure Communications

Section 5: OPERATIONAL SERVICE ASSESSMENT CRITERIA
  • Credential Operating Environment
  • Credential Issuing
  • Credential Renewal and Re-issuing
  • Credential Revocation
  • Credential Status Management
  • Credential Verification/Authentication

We also have the discussion/list in the IETF about the Vectors of Trust, which we should refer to. The trust vectors so far are (flip-sided as risk vectors, thanks to Scott Shorter!):
  • Identity Proofing / Identity Theft
  • Credential Management / Credential Use
  • Assertion Presentation

And we have some basic security requirements from the likes of ISO 27001/27002.


Excerpt from the InCommon FOPP (Federation Operating Policies and Practices); sections 6-10 are the most relevant:

https://www.incommon.org/docs/policies/incommonfopp.html


......................................................................................................................................................