Kantara Initiative Identity Assurance WG Teleconference

...

  • this is a higher-ed federation looking to the IAF as a reference point for their federation; Kantara has been approached by the Haka Federation with some potential profiling needs for the IAF document. Haka is a federation in the R&E space (Finland's equivalent of InCommon). They've asked to be allowed to profile AL1 and to be granted approval authority for AL1 (note: AL1 only!).
  • Quoting from Sami Silén from the Haka Federation:

I’ve been studying the SAC and with it, profiling would be the proper way to go.

There are a couple of questions that have arisen:

a) Can we still use Excel, where we also define a “Haka Profiling” column in addition to the criteria details if needed? Or should we strictly use the SAC document (http://kantarainitiative.org/confluence/download/attachments/41649275/Kantara+IAF-1400-Service+Assessment+Criteria.pdf)? Or do you have a better template to fill in? Or any example of a profiled SAC?

b) For us LoA1 (or 2, I’m not sure yet) would be a good starting point, but even without profiling there are requirements from a greater level which go into greater detail, e.g. in LoA1 there is
AL1_ID_IPV#010 - Required evidence - Accept a self-assertion of identity.
and in LoA2 AL2_ID_IPV#010 - Required evidence - Ensure that the applicant is in possession of a primary Government Picture ID document that bears a photographic image of the holder.
If we’re going to fulfill LoA1, can we use AL2_ID_IPV#010 instead of AL1_ID_IPV#010, or should we just profile AL1_ID_IPV#010 with details from that greater-level criterion?

c) Even without going to a greater level in the SAC: in case we would just want to fill level 2, can we still add some requirements from level 3 only because we want to add that, while still just filling level 2?
Or should we still just do it the profiling way? Add that detail to some other Kantara criterion which could be the best-fit container for it?

d) About prices

  1. What kind of pricing scheme is there for an educational federation?
  2. Can we give Kantara LoA1 Approval for IdPs or SPs (as a federation operator), or what is the method and price for approval?

// Sami Silén


  • is Kantara willing to create a service approval authority valid only for a specific assurance level? Can Haka approve its members at AL1? Can Assessors be constrained only to do AL1, or must Assessors be able to handle all levels?
    • the way we have the assessment program set up, an Assessor can assess at any given level; but Haka likely can't afford the standard Assessor fees - would the fees change for an Assessor that would only assess to AL1? This might be more of a question for the ARB
    • the fee to be a Subscriber is based on the size and type of an organization; the Assessor fees are determined (partly) by the LOA
    • the question is, is there a mechanism where we can help Haka have cheap assessments? could Haka spin up an assessor that is independent enough that has cut a deal with institutions within the Haka federation to work with them?
      • this has also come up in discussions with Educause; higher education everywhere wants to do things as cheaply as possible and still wants to have authoritative standing; one idea that could help, though it would be up to Haka to implement, is this: in an effort to jumpstart IT auditors, develop a senior seminar approach that combines IT and accounting, and have the class do the assessment; for LoA1, self-assertion is reasonably acceptable
      • could Kantara spin up the service assessment authority approval/certification and approve Haka as a service assessment authority? then it would be up to Haka to figure out how they would do the assessments, taking Kantara mostly out of it; nominal annual fee (number of members in the federation + the non-profit subscriber fee)
        • note that this would only really work for small federations - InCommon and WAYF, for instance, have many, many members, and so their overall cost could turn out to be more than what we charge our largest global customers
        • if Haka is made a service approval authority, their approvals would never go to the ARB, they would go straight to the Board
        • we are talking about cross-certifying federations, and this needs to be discussed with both the ARB and the Board
    • if we go through this process, does that mean that what Haka is doing at L1 has to be comparable to what we are doing at L1, or if they start pulling in L2 in to L1, how does that impact what Kantara is doing?
      • unless we restructure the SAC to be part of everyone, then no, they cannot mix and match criteria
      • if they write a profile, fine, but it would be their profile; in the profile creation guidelines, we were clear to define that the profile is to make things more stringent, not to make a hodgepodge of the SAC; we are putting a lot on the profile to make a customizable thing, but we could create too many SACs
      • if the profile is for L1, and if they want to take criteria from other sources and make their profile more stringent for L1, they can, but it will still be an L1 certification
      • this may require a review of the SAC to make sure the language really does allow for this in a clear manner
  • ultimate decision is up to the ARB, but as far as the IAWG is concerned, they can do this with a unique profile; this should also be passed to the LC and the Board for consensus
    • Myisha will review the IAF to verify this is allowed

...