A complete Code of Conduct might include Sections for ...A) Data Protection, B) Admin and Marketing, plus other aspects to make it comprehensive..
It assumes (1) a set of agreed definitions and (2) a legal contract to make all obligations clear for interpretation.
Colin: July 2015: Trying to find a template for this work. Here is something informed by GEANT's Data Protection one.. via Clarin..
https://www.clarin.eu/content/how-can-i-comply-data-protection-code-conduct
and you can see the various Codes here..Data Protection, etc, non normative informational docs..very good they are too!
http://www.geant.net/uri/dataprotection-code-of-conduct/V1/Pages/default.aspx
(a) [Payment] pay the Charges in accordance with XXXX clause;
(b) [Co-operation] co-operate with IdP personnel t in connection with its operation and safe-guarding of the Service/s;
(c) [Standards Compliance] comply with any standards or specifications issued by the XXIdP/APXX and any reporting obligations required by the IdP from time to time in accordance with any relevant legislation;
(d) [Audit] provide appropriate assistance, where reasonably requested by IdP, in carrying out any audit of the Client’s use of the Services or related systems or suppliers;
(e) [Federation Reporting] participate in progress reporting as specified in the Service Schedule;
(f) advise IdP promptly of any Service anomalies, suspicious or unusual usage, or complaints relating to the Services and provide reasonable assistance to IdP in the investigation of such anomalies, usage or complaints;
(g) ensure that the Client’s website terms and conditions explain the inter-relationship of the Services and the Client’s systems in terms agreed with IdP;
(h) comply with all applicable laws including, without limitation, the Privacy Act 1993;
(i) subject to clause XXX, use its best endeavours to promote the Services to its customer base to encourage service uptake and use;
(j) maintain the Service Interface including the security between the Client’s systems and the Service System;
(k) maintain certification as defined in the Service Integration Guide;
(l) notify IdP of any network changes or certification renewals that may impact on any part of the Service;
(m) ensure that the security and privacy of Service are protected to the greatest extent practicable; and
(n) notify Service Users of the requirements and process published by IdP for Service Users to obtain a Login and verify their Identity.
placeholder
From the Jan 2015 minutes:
Ken: Some have clearly defined requirements:
1)Governments as relying parties – Are there a common set of requirements that governments have of authoritative parties (Token, Attribute or Identity Providers)? Do authoritative parties (Token, Attribute or Identity Providers) have expectations of governments that consume their assertions?
2) Governments as authoritative parties (Token, Attribute or Identity Providers) – are there concerns / restrictions on governments acting as an authoritative party? To internal government services, other jurisdictions or the private sector.
.......................................................
Incommon, Safe Biopharma
UK has come up with some
USA has come up with some
6-10 clearly identified
......................................................................
Keith: As discussed on the call, this page is a wiki comparing the various research and education federations.
https://refeds.terena.org/index.php/Federations
I feel a resource like this for eGov would be a great project for us to undertake and put on the Kantara wiki. It makes comparison of different technologies, models and policies very convenient.
This would take the excellent work done by the BCTF and add more information to the model, with a focus on eGov only.
http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
...........................................................................................................................................................
1.1 Client Responsibilities
The Client will:
(a) pay the Charges in accordance with clause 6;
(b) co-operate with IdP personnel t in connection with its operation and safe-guarding of the Service/s;
(c) comply with any standards or specifications issued by the IdP and any reporting obligations required by the IdP from time to time in accordance with any relevant legislation;
(d) provide appropriate assistance, where reasonably requested by IdP, in carrying out any audit of the Client’s use of the Services or related systems or suppliers;
(e) participate in progress reporting as specified in the Service Schedule;
(f) advise IdP promptly of any Service anomalies, suspicious or unusual usage, or complaints relating to the Services and provide reasonable assistance to IdP in the investigation of such anomalies, usage or complaints;
(g) ensure that the Client’s website terms and conditions explain the inter-relationship of the Services and the Client’s systems in terms agreed with IdP;
(h) comply with all applicable laws including, without limitation, the Privacy Act 1993;
(i) subject to clause XXX, use its best endeavours to promote the Services to its customer base to encourage service uptake and use;
(j) maintain the Service Interface including the security between the Client’s systems and the Service System;
(k) maintain certification as defined in the Service Integration Guide;
(l) notify IdP of any network changes or certification renewals that may impact on any part of the Service;
(m) ensure that the security and privacy of Service are protected to the greatest extent practicable; and
(n) notify Service Users of the requirements and process published by IdP for Service Users to obtain a Login and verify their Identity.
....................................................................................................................................................................................................
Excerpt for InCommon FOPs
6 Registration, Identification and Authentication of Participant's Trusted Officers
InCommon verifies the identity of all individuals who fill the Participant's trusted roles of Executive and Administrator (see the InCommon website for definitions). By constructing an independently verifiable, out-of-band communication path with these officers, the Registration Authority establishes a sufficiently strong level of assurance that the person is who he or she declares. Details on the registry process are available on the InCommon website.
7 Registration and Management of Participant Policies, Systems, and Technical Components
The Participant's trusted Administrator will be given credentials to manage Federation Participant data and requests in a secure manner.
7.1 Types of Registered Systems: Identity Providers and Service Providers
Within the Federation, participants may offer services as an Identity Provider for their respective user community, as a Service Provider to any participant organization's user community, or both. For instance, a Higher Education Institution serving primarily as an Identity Provider might also make online information or services available to other InCommon participants. Similarly, a Sponsored Partner that is primarily a provider of online services might also act as an Identity Provider.
Participants register identity management systems and/or service provider systems using the InCommon participant administrative interface. Higher Education Institutions and Sponsored Partners receive an initial quota for each system type and can purchase more as needed, subject to certain restrictions, as outlined in the Participation Agreement and Fee Schedule available on the InCommon website.
7.2 Relationship of Systems to Participant
Any identity management system or service provider system registered by a Participant must be under the management hierarchy of the Participant organization. The Participant is responsible for the actions of any system registered with the Federation. Participants may only register third party systems that operate services under contract to Participant and for which Participant will be responsible, in accordance with the provisions of the Participation Agreement. Such third party systems might, for example, include outsourced identity management services.
7.3 Required Information Components
7.3.1 Participant Operating Practices
A fundamental expectation of Federation Participants is that they provide authoritative and accurate attribute assertions to other participants and that participants receiving an attribute assertion protect it and respect any privacy constraints placed on it by the Federation or the source of that information.
To support this goal, each Participant must describe its relevant operations in a Participant Operating Practices (POP) statement and share this POP with Federation Participants. The template POP is available on the InCommon website. In some cases, multiple systems can be described in one POP. A current version of the POP must always be available to the Federation and Participant Administrators. InCommon does not review such Participant Operating Practices against any criteria of performance. The POP is a self-asserted declaration by each Participant of its current practices. More information about POP requirements is available on the InCommon website.
7.3.2 Metadata
A Participant Administrator registers its Identity Provider and Service Provider systems through the participant administrative interface by describing components of its systems. The data are collected and digitally signed by InCommon. Secure, up-to-date, trusted information about all Participants and their systems is a core service of the Federation. InCommon will make reasonable efforts to verify submitted data, and will act in accordance with the practices outlined in the InCommon Operations reference, available on the InCommon website.
Metadata may be removed or modified by Participant Administrators through the participant administrative interface. Changes to metadata are updated within one Internet2 business day following the submission. Under special circumstances, Participant Executives or Administrators may make removal requests via e-mail or telephone as listed on the InCommon website. InCommon will verify these requests using trusted communication channels before processing any removal requests.
Transmission of Federation metadata to Participants is not initiated by InCommon. Instead, Participants are expected to retrieve Federation metadata on a regular basis.
7.3.2.1
7.3.2.2 Declaration of Participant Assurance Program Certification
InCommon adds a declaration of certification status to the metadata of each Participant's certified identity providers. Only InCommon can supply or modify Assurance metadata declarations. InCommon will remove any declaration when necessary to effect suspension of a certification or termination of a Participant from the program.
8 8.1 Disputes Among Participants
8.2 Disputes Between Participant(s) and the Federation
9.1 Operational Assurance Level
9.1.1 Central Operations .... so the RP Code of Conduct should include a clause agreeing to follow these..
Complete procedures were developed detailing InCommon's central operations. Information security industry standards and practices[1] were used to establish the necessary level of assurance. These operations and procedures were approved by a technical advisory group of Internet2 Middleware Architects. A public listing of these procedures can be found on the InCommon website.
9.1.2 Operations Staff Credentials and Authorization
Operations staff who perform actions critical to security or trustworthiness of Federation operations or services are issued strong identity credentials, commensurate with the risk incurred by unauthorized access to such actions.
9.2 Communications and Support
9.3 Federation Technical Infrastructure
9.3.1 Discovery Service (DS)
9.3.2 Metadata Distribution ..... so the PR is obliged to consume it?
InCommon digitally signs and makes available to Participants metadata submitted by all Participants for interoperation of Identity Provider and Service Provider systems. The metadata is maintained on redundant servers.
9.3.3 Participant Administrative Interface
Federation Participant Administrators use the Participant Administrative Interface to securely manage the data relevant to their organization's participation in the Federation. The particular tasks include submitting certificate signing requests, Participant Operating Practices, and submitting or modifying Participant metadata.
9.3.4 Suspension of Federation Services
9.4 Disaster Recovery
10 Participation Status: Renewal, Withdrawal, Termination, and Suspension
.......................................................................................................................................................