...

 

  • IDESG has prepared a comparison tool to see whether, and how, the KI Service Assessment Criteria (SAC) meet the baseline requirements of the IDESG Identity ecosystem. The mapping is under IAWG review. IDESG has a Registry of entities that claim some level of meeting the baseline requirements; the concept is to use existing federations and TFP communities to claim credit for some of these requirements. IAWG question: if a CSP is an approved KI entity, which requirements are fully satisfied and which are partially satisfied? The catalyst of this pilot was the IDESG liaison to KI. The mapping is a learning exercise and the benefits are being evaluated. After the review of the process there will be more clarity on the way forward, which will then apply to other Trust Frameworks.

...

...

 

InCommon Update

  • InCommon is looking to raise the level of trust across their participants, which includes not only identity assurance but also interoperability work and security-related practices for service providers to ensure that the identity data is not compromised. They have been working on the Baseline practices for Identity Providers, Service Providers and Federation Operators.
  • Work is ongoing on the Multifactor Authentication Interoperability Profile: the Service Provider can request it to ensure that the user has used multifactor. It is a way of requesting a self-assertion that you use multifactor. In the future there may be a tag in the metadata associated with the service provider and identity provider, and there will be requirements for that in trustmark fashion.

...

  • InCommon is participating in an EU research group, the Federated Identity Management for Research Collaborations (FIM4R), where researchers provided solutions to the gaps they have identified. GEANT has led the report and the European Commission has funded parts of it. The paper includes a Federated Internet Response mechanism, a framework for IdPs, CSPs and RPs to support federated Internet response when needed, and a security context that is shared through a shared metadata service. There is a global metadata service called eduGAIN, which aggregates metadata from research and education federations. There is also a tag or entity attribute shared in metadata that indicates which IdPs, Service Providers and RPs support this. It is relevant because currently there are no requirements to notify the service providers of a compromised credential. Link to the FIM4R paper: https://cdsweb.cern.ch/record/1442597/files/CERN-OPEN-2012-006.pdf

...