Identity Assurance: When it Matters
David L. Wasley
Internet2 / InCommon
Service Providers rely on Identity Providers
• Basic InCommon IdP requirements are
  • Use best common practices
  • Publish what you do
• Some services need more formal rules
  • When there is risk if identity is wrong
  • Risks vary too …
InCommon Enhanced Identity Services
• Identity assurance defined by sets of requirements and assessment criteria
• Initial 2 sets intended to satisfy Federal eAuthentication Levels 1 & 2
  • See NIST Special Pub 800-63
  • “Bronze” corresponds to “Level 1”; “Silver” corresponds to “Level 2”
• “Silver” will be required by NIH
Identity Assurance Requirements
General areas to be considered include:
• Business, Policy and Operational Factors
• Identity Proofing
• Digital Electronic Credential Technology
• Credential Issuance and Management
Identity Assurance Requirements (cont.)
• Identity Information Management
• Security and Management of Authentication Events
• Identity Assertion Content
  • E.g. privacy issues …
• Technical Environment
Identity Assurance Assessment
• Essentially an independent “audit”
• Criteria are defined by InCommon
• Assessor may be your Internal Auditor if that office is sufficiently independent
• External auditors may be used
• InCommon has -no- plans to do audits!
Process will include
• Notify InCommon of intent
• Have assessment performed
• Provide (summary of) audit results
• If acceptable, then InCommon will require an addendum to the Participation Agreement
• InCommon will add IdP qualifier(s) to metadata
  • “Bronze” or both “Bronze” and “Silver”
• IdP then can include qualifiers in assertions
  • Mechanism yet T.B.D.
Q & A ?