InCommon Participant Operating Practices: Friend or Foe? InCommon CAMP 21 June 2010 Paul Caskey, U.T. System
Agenda
• Introducing the InCommon POP document
• Why is the POP Important?
• Examples of POPs
• Why might the POP be inappropriate?
• Introducing “Level of Assurance” (LoA)
• InCommon assurance framework and profiles
• Issues/Questions/Discussion…
Introducing the InCommon POP Document
• What is it?
• Am I required to have a POP?
• What goes into the POP?
• Who writes it?
• Who looks at it?
• Does anyone ever check its accuracy?
• How do you change it?
Why is the POP Important?
• *YOU* are now part of my identity management system and I need to know what types of risk that entails
• The foundation of trust is understanding how those you rely on manage identities – the POP is how you achieve that
• The “high-value transaction”…
• Helps you to identify weaknesses in your process
• Helps auditors measure your performance
Examples of POPs
• The InCommon "starter" document
  • http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html
• Institutional:
  • Many are there, but only InCommon registered contacts can see the URLs – some campuses feel this is sensitive information.
  • https://wiki.cac.washington.edu/display/infra/Shibboleth+for+UW+Web+Applications
  • http://its.lafayette.edu/about/policies/InCommonPoP
  • http://www.cit.cornell.edu/identity/InCommon.html
• System-based:
  • UT System: https://idm.utsystem.edu/utfed/MemberOperatingPractices.pdf
• Federation-based:
  • U.K. Federation: http://www.ukfederation.org.uk/content/Documents/FedDocs
Why might the POP be inappropriate?
• Some are inclined to “hide” them (or URLs get changed)
• Strong desire to “make it look good” or to describe “how we plan on things working”
• Can be speculative in terms of how things really work
• POPs can become stale (practices/technologies change)
• POPs are rarely/never verified (the “A” word…)
• So, there needs to be some “teeth” in the operating practices to promote trust among participants…
Introducing “Level of Assurance” (LoA)…
• What is LoA?
• What is LoA NOT?
• Why is it stronger than a POP?
• Who gets to set the standards?
• Examples of LoA
• How is the required level determined?
• How is it used?
The InCommon Assurance Framework
• What's an IAP?
• Background
• How are they used?
• Bronze (http://www.incommonfederation.org/docs/assurance/InC_Bronze-Silver_IAP_1.0.1.pdf)
• Silver (same URL as above)
• How to get started?
Issues/Questions/Discussion…
• Organization-based versus subject-based? (the "exception process")
• What infrastructure is needed to implement higher LoAs?
• Is LoA determined only at credentialing time, or should there be a run-time component?
• What about remote password resets?
• How urgent is LoA?
Thank You!
Contact Information: Paul Caskey (pcaskey@utsystem.edu)