1 / 8

auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC

auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC 4519] - inetOrgPerson [RFC 2798] - schac - auEduPerson-specific

torn
Download Presentation

auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC 4519] - inetOrgPerson [RFC 2798] - schac - auEduPerson-specific See (Sep-09): https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf?version=1 Alex Reid, AAF & AARNet

  2. auEduPerson Schema Standard Vocabulary: auEduPersonAffiliationauEduPerson auEduPersonLegalNameauEduPerson auEduPersonSharedTokenauEduPerson eduPersonAffiliationeduPerson eduPersonAssuranceeduPerson cnperson eduPersonPrimaryAffiliationeduPerson eduPersonPrincipalNameeduPerson eduPersonScopedAffiliationeduPerson eduPersonTargetedIDeduPerson givenNameinetOrgPerson mail inetOrgPerson mobile inetOrgPerson o inetOrgPerson postalAddressorganizationalPerson preferredLanguageinetOrgPerson schacGenderschac schacPersonalTitleschac schacPersonalUniqueCodeschac schacUserPresenceIDschac snperson telephoneNumberperson userCertificateinetOrgPerson userSMIMECertificateinetOrgPerson Alex Reid, AAF & AARNet

  3. auEduPerson Schema • Levels of Assurance Attributes Guided by: • NeAF: Australian National e-Authentication Framework • Liberty Alliance: Identity Assurance Framework v1.1 • NIST: SP800 63V1_0_2 • NIST chosen to align with, as it is the most widely used. However, it is not as definitive as desired, so reference is made to the LA Framework (which has more useful detail, but is subject to review at present). NeAF is still at a formative stage (but provides useful guidance on undertaking a risk assessment analysis). • NeAFand LA/Kantarawill be kept under review. • Two dimensions of LoA are defined: • Identity (or Registration) LoA: levels 1 to 4: eduPersonAssurance • Authentication LoA: levels 1 to 4: SAML AuthenticationMethod Alex Reid, AAF & AARNet

  4. auEduPerson Schema eduPersonAssurance (Identity or Registration LoA): 1= no identity proofing (but some assurance that this is the same person) 2= possession of some government-issued identity documents 3= detailed verification of valid government-issued picture Id required 4= in-person verification against government-issued picture Id SAML AuthenticationMethod (Authentication LoA): 1= simple passwords 2= password verified through a secure authentication protocol 3= 2-factor authentication through a cryptographic protocol 4= as for 3 but only hard cryptographic tokens allowed NOTE: the above summaries are very much simplified – see Schema document or LA Framework for details (especially as they relate to the difference between in-person & remote identity verification). Alex Reid, AAF & AARNet

  5. THIS SLIDE INTENTIONALLY LEFT BLANK Alex Reid, AAF & AARNet

  6. Federation Operator CPS Purpose: Establish rules for SAML operation. = SAML Metadata Signing Policy & Aggregation Practice Statement Framework. [cf the way RFC3647 Internet X.509 Public Key Infrastructure Certificate Policy & Certificate Practices Framework is used to manifest trustworthiness in a PKI Federation]. Process: a. Establish small group & set up mailing list, group pages; b. Small group develop draft; c. Submit to REFEDS, ECAM, MACE, TF-EMC2 for comment? d. Small group incorporate feedback; e. Submit to IETF for eventual endorsement? Alex Reid, AAF & AARNet

  7. Federation Operator CPS • Participants: • - Rodney McDuff • - Andrew Cormack • - VictorianoGiralt • - Scott Rea (Director of the HE Bridge Certificate Authority (HEBCA) Operating Authority (@ Dartmouth, USA) • - Leif Johansson. • Corresponding member: Milan Sova. • Lurkers: Licia Florio & Alex Reid. • Progress: • Members agreed; • Mailing List & Wiki set up; • see https://wiki.caudit.edu.au/confluence/display/SMAPS/Home • Rodney prepared a very preliminary draft; • Scott preparing a fleshing-out of the headings taken from RFC3647; • - Andrew to be asked to flesh out policy/legal/audit & Leif the dynamic metadata components. Alex Reid, AAF & AARNet

  8. Federation Operator CPS • Proposed 8 Sections to the Document: • Audit (Security & Compliance) • ID Proofing • Certificate Issuance • Certificate Maintenance • Personnel (Trusted Roles) • Physical & Logical Protection of Hardware • Certificate Status & Repository • Miscellaneous • [derived from RFC3647, so may vary as fleshed out] Alex Reid, AAF & AARNet

More Related