Identity Assurance Profiles and Framework Documents: Peek into Proposed FICAM Changes
12/12/12
Topics
• Background
• Big pic
• Detailed pic
Program Basics: Documents
• Identity Assurance Assessment Framework
• Identity Assurance Profiles
  • Bronze (NIST Level 1)
  • Silver (NIST Level 2)
• Assurance Addendum to the Participation Agreement
Program Basics: Assurance Advisory Committee (AAC)
What is the AAC, and what does it do?
• Represents stakeholders in the assurance process: IdPs, SPs, auditors
• Oversight for the program
• Advisory to Steering
• Assesses applications and recommends approval (or denial) to Steering
• Recommends changes to documents or the program
Program Basics: Assurance Advisory Committee (AAC)
Who is the AAC?
• Tim Cameron, National Student Clearinghouse (SP)
• Mary Dunker, Chair, Virginia Tech University (IdP)
• Steve Devoti, University of Wisconsin-Madison (IdP)
• 2nd Auditor
• Jacob Farmer, Indiana University (member at large)
• Chris Holmes, Baylor University (InCommon Steering)
• Scott Koranda, University of Wisconsin-Milwaukee/LIGO (SP)
• Steve Kurncz, Michigan State University (auditor)
• Ann West, InCommon/Internet2 (InCommon staff)
Assurance Advisory Committee (AAC)
Ex-Officio (non-voting)
• Marilyn McMillan, New York University (InCommon Steering)
• Tom Barton, University of Chicago (InCommon TAC)
• Renee Shuey, Penn State (InCommon TAC)
• Jack Suess, UMBC (InCommon Steering)
For more information, visit http://www.incommon.org/assurance/aac.html
FICAM Trust Framework Providers
• Identity Credential and Access Management Subcommittee
  • Federal CIO Council
  • Information Security and Identity Management Committee
• Trust Framework Provider Adoption Process (2009)
  • Comparability assessment
  • 800-63 as the basis for LoA requirements; incorporates previous work done by the Feds under the E-Authentication Initiative
  • Privacy, organizational maturity, legal status, authority for InCommon and for InCommon to assess IdP Operators
  • Web SSO SAML2 Profile: over the wire
• Trust Framework Providers
  • InCommon, Kantara, OIX, Safe/BioPharma
InCommon’s History with FICAM
• 2009-2010
  • Spring – 1.0 review begun by FICAM. Community implementation begun.
  • Fall – Refining of Silver begun due to community feedback
• 2011
  • Spring – 1.1 reviewed and approved by community
  • Fall – FICAM asks for Simplified Bronze. InCommon develops 1.2.
• 2012
  • Spring – 1.0 and InCommon fully approved as TFP. 1.2 reviewed and approved by community. InCommon submits 1.2 to FICAM for their approval.
• Est. 2013
  • January – 1.2 approved by FICAM.
What’s the hold up? This is a new audit!
• Federal availability
• FICAM program evolving
• Negotiating on behalf of Higher Ed
• Changes reflected in 1.2 require resubmission of the spec
Big pic items
Alternative Means
• IAAF 1.1: “From time to time, InCommon may identify alternative means developed by experts from the Research & Higher Education sector as specifying means that are comparable or superior to identified requirements in one or more of its IAPs.”
• Page 2: “Normative criteria to be used in an assessment process are expressed in separate Identity Assurance Profile and approved alternative means documents.”
Whose Spec is it Anyway?
• Hot potato
• Time and Trust
• How do we evaluate these things?
• Who gets to say?
• Where will this show up?
  • Authentication technologies: multifactor
  • Cryptography: AD Silver Cookbook
  • Identity proofing: knowledge-based
Other Big Pics: Where we are…
• Bronze audit and no-audit option
• Bronze and 4.2.4 Credential Issuance and Management
• Bronze and protection of PII
• Registration and Credential Records Retention – 7.5 years
• Approved Algorithm – Alternative Means
• Scope: Profiles are password only – Alternative Means
What’s Next?
• Develop process for Alternative Means with the Assurance Advisory Committee
• Continue discussion to work through a couple of detailed questions
• Work on FICAM approval, expected January 2013
• Publish FICAM-approved spec for community review
• Announce implementation extravaganza and programs!