InCommon Participant Operating Practices: Friend or Foe?

InCommon CAMP, 21 June 2010. Paul Caskey, U.T. System


Page 1: InCommon Participant Operating Practices: Friend or Foe?

InCommon CAMP, 21 June 2010

Paul Caskey, U.T. System

Page 2: Agenda

Introducing the InCommon POP document

Why is the POP important?

Examples of POPs

Why might the POP be inappropriate?

Introducing “Level of Assurance” (LoA)

InCommon assurance framework and profiles

Issues/Questions/Discussion…

Page 3: Introducing the InCommon POP Document

What is it?

Am I required to have a POP?

What goes into the POP?

Who writes it?

Who looks at it?

Does anyone ever check its accuracy?

How do you change it?

Page 4: Why is the POP Important?

*YOU* are now part of my identity management system, and I need to know what types of risk that entails

The foundation of trust is understanding how those you rely on manage identities – the POP is how you achieve that

The “high-value transaction”…

Helps you to identify weaknesses in your process

Helps auditors measure your performance

Page 5: Examples of POPs

The InCommon "starter" document:

http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html

Institutional: many are there, but only InCommon registered contacts can see the URLs – some campuses feel this is sensitive information.

https://wiki.cac.washington.edu/display/infra/Shibboleth+for+UW+Web+Applications

http://its.lafayette.edu/about/policies/InCommonPoP

http://www.cit.cornell.edu/identity/InCommon.html

System-based: UT System:

https://idm.utsystem.edu/utfed/MemberOperatingPractices.pdf

Federation-based: U.K. Federation:

http://www.ukfederation.org.uk/content/Documents/FedDocs

Page 6: Why might the POP be inappropriate?

Some are inclined to “hide” them (or URLs get changed)

Strong desire to “make it look good” or “how we plan on things working”

Can be speculative in terms of how things really work

POPs can become stale (practices/technologies change)

POPs are rarely/never verified (the “A” word…)

So, there needs to be some “teeth” in the operating practices to promote trust among participants…

Page 7: Introducing “Level of Assurance” (LoA)…

What is LoA?

What is LoA NOT?

Why is it stronger than a POP?

Who gets to set the standards?

Examples of LoA

How is the required level determined?

How is it used?

Page 8: The InCommon Assurance Framework

What's an IAP?

Background

How are they used?

Bronze (http://www.incommonfederation.org/docs/assurance/InC_Bronze-Silver_IAP_1.0.1.pdf)

Silver (same URL as above)

How to get started?

Page 9: Issues/Questions/Discussion…

Organization-based versus subject-based? (the "exception process")

What infrastructure is needed to implement higher LoAs?

Is LoA determined only at credentialing time, or should there be a run-time component?

What about remote password resets?

How urgent is LoA?
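The two discussion questions above (organization-based versus subject-based assurance, and credentialing-time versus run-time checks) can be made concrete at the relying party. The following is an added example, not code from the slides or from InCommon: it models a service provider that decides per request whether an incoming assertion meets the LoA a resource demands. It assumes the IdP's federation-level certification (Bronze or Silver) is known from metadata, that the per-subject level arrives in the eduPerson attribute eduPersonAssurance, and that the Bronze/Silver values are the URIs shown (assumed identifiers, treat them as placeholders if your federation uses others). The IdP entityIDs, subjects and resource paths are constructed.

```python
"""Run-time LoA check at a relying party (constructed example).

Design: a subject's self-asserted assurance value only counts if the issuing
IdP has been certified to at least that level by the federation (a
credentialing-time fact).  Within a certified IdP, the "exception process"
means not every account qualifies, so a subject-based policy additionally
requires the per-subject attribute to meet the bar at run time.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal ranking of assurance profiles. Any value not in this table ranks 0,
# so an unrecognised URI can never satisfy a requirement.
ASSURANCE_RANK: Dict[str, int] = {
    "http://id.incommon.org/assurance/bronze": 1,  # assumed Bronze URI
    "http://id.incommon.org/assurance/silver": 2,  # assumed Silver URI
}
RANK_NAME = {0: "none", 1: "bronze", 2: "silver"}


@dataclass
class Assertion:
    """Minimal view of what the SP sees after validating a SAML assertion."""
    subject: str
    issuer: str                                     # IdP entityID
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def subject_level(assertion: Assertion) -> int:
    """Highest ranked eduPersonAssurance value asserted for this subject."""
    values = assertion.attributes.get("eduPersonAssurance", [])
    return max((ASSURANCE_RANK.get(v, 0) for v in values), default=0)


def decide(assertion: Assertion, required: int, org_certified: Dict[str, int],
           subject_based: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for a resource that requires `required`.

    org_certified maps IdP entityID -> rank the organisation is certified to.
    subject_based=False trusts that certification for every subject
    (organisation-based); subject_based=True also checks the subject's own
    asserted value (subject-based), so an excepted account is refused.
    """
    org_level = org_certified.get(assertion.issuer, 0)
    if org_level < required:
        return False, (f"issuer certified to {RANK_NAME[org_level]}, "
                       f"resource needs {RANK_NAME[required]}")
    if not subject_based:
        return True, f"organisation-based: issuer certified to {RANK_NAME[org_level]}"
    subj = subject_level(assertion)
    if subj < required:
        return False, (f"subject asserted {RANK_NAME[subj]}, "
                       f"resource needs {RANK_NAME[required]}")
    return True, f"subject asserted {RANK_NAME[subj]}"


# --- constructed sample data -------------------------------------------------
ORG_CERTIFIED = {"https://idp.example.edu/idp/shibboleth": 2}   # Silver-certified IdP
RESOURCE_POLICY = {"/grades": 2, "/library": 1, "/campus-map": 0}

SILVER = "http://id.incommon.org/assurance/silver"
BRONZE = "http://id.incommon.org/assurance/bronze"
CERTIFIED_IDP = "https://idp.example.edu/idp/shibboleth"
UNCERTIFIED_IDP = "https://idp.other.example/idp/shibboleth"

SAMPLE_ASSERTIONS = [
    Assertion("alice", CERTIFIED_IDP, {"eduPersonAssurance": [BRONZE, SILVER]}),
    Assertion("bob", CERTIFIED_IDP, {}),                       # excepted account
    Assertion("carol", CERTIFIED_IDP, {"eduPersonAssurance": ["urn:example:gold"]}),
    Assertion("dave", UNCERTIFIED_IDP, {"eduPersonAssurance": [SILVER]}),
]


def run_samples(subject_based: bool = True) -> Dict[Tuple[str, str], bool]:
    """Evaluate every sample assertion against every resource."""
    results = {}
    for a in SAMPLE_ASSERTIONS:
        for path, required in RESOURCE_POLICY.items():
            allowed, reason = decide(a, required, ORG_CERTIFIED, subject_based)
            results[(a.subject, path)] = allowed
            print(f"{a.subject:6} {path:12} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    return results


if __name__ == "__main__":
    print("subject-based policy:")
    run_samples(subject_based=True)
    print("\norganisation-based policy:")
    run_samples(subject_based=False)
```

The contrast between the two policies is the point of the slide's question: under the organisation-based policy, bob (an excepted account at a Silver-certified IdP) is admitted to /grades on the strength of his organisation's certification alone, whereas the subject-based policy refuses him because nothing about his own credential was asserted at run time. dave is refused under both, since a self-asserted Silver value from an uncertified IdP has no federation backing.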

Page 10: Contact Information

Paul Caskey ([email protected])