80 likes | 203 Views
auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC 4519] - inetOrgPerson [RFC 2798] - schac - auEduPerson-specific
E N D
auEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC 4519] - inetOrgPerson [RFC 2798] - schac - auEduPerson-specific See (Sep-09): https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf?version=1 Alex Reid, AAF & AARNet
auEduPerson Schema Standard Vocabulary: auEduPersonAffiliationauEduPerson auEduPersonLegalNameauEduPerson auEduPersonSharedTokenauEduPerson eduPersonAffiliationeduPerson eduPersonAssuranceeduPerson cnperson eduPersonPrimaryAffiliationeduPerson eduPersonPrincipalNameeduPerson eduPersonScopedAffiliationeduPerson eduPersonTargetedIDeduPerson givenNameinetOrgPerson mail inetOrgPerson mobile inetOrgPerson o inetOrgPerson postalAddressorganizationalPerson preferredLanguageinetOrgPerson schacGenderschac schacPersonalTitleschac schacPersonalUniqueCodeschac schacUserPresenceIDschac snperson telephoneNumberperson userCertificateinetOrgPerson userSMIMECertificateinetOrgPerson Alex Reid, AAF & AARNet
auEduPerson Schema • Levels of Assurance Attributes Guided by: • NeAF: Australian National e-Authentication Framework • Liberty Alliance: Identity Assurance Framework v1.1 • NIST: SP800 63V1_0_2 • NIST chosen to align with, as it is the most widely used. However, it is not as definitive as desired, so reference is made to the LA Framework (which has more useful detail, but is subject to review at present). NeAF is still at a formative stage (but provides useful guidance on undertaking a risk assessment analysis). • NeAFand LA/Kantarawill be kept under review. • Two dimensions of LoA are defined: • Identity (or Registration) LoA: levels 1 to 4: eduPersonAssurance • Authentication LoA: levels 1 to 4: SAML AuthenticationMethod Alex Reid, AAF & AARNet
auEduPerson Schema eduPersonAssurance (Identity or Registration LoA): 1= no identity proofing (but some assurance that this is the same person) 2= possession of some government-issued identity documents 3= detailed verification of valid government-issued picture Id required 4= in-person verification against government-issued picture Id SAML AuthenticationMethod (Authentication LoA): 1= simple passwords 2= password verified through a secure authentication protocol 3= 2-factor authentication through a cryptographic protocol 4= as for 3 but only hard cryptographic tokens allowed NOTE: the above summaries are very much simplified – see Schema document or LA Framework for details (especially as they relate to the difference between in-person & remote identity verification). Alex Reid, AAF & AARNet
THIS SLIDE INTENTIONALLY LEFT BLANK Alex Reid, AAF & AARNet
Federation Operator CPS Purpose: Establish rules for SAML operation. = SAML Metadata Signing Policy & Aggregation Practice Statement Framework. [cf the way RFC3647 Internet X.509 Public Key Infrastructure Certificate Policy & Certificate Practices Framework is used to manifest trustworthiness in a PKI Federation]. Process: a. Establish small group & set up mailing list, group pages; b. Small group develop draft; c. Submit to REFEDS, ECAM, MACE, TF-EMC2 for comment? d. Small group incorporate feedback; e. Submit to IETF for eventual endorsement? Alex Reid, AAF & AARNet
Federation Operator CPS • Participants: • - Rodney McDuff • - Andrew Cormack • - VictorianoGiralt • - Scott Rea (Director of the HE Bridge Certificate Authority (HEBCA) Operating Authority (@ Dartmouth, USA) • - Leif Johansson. • Corresponding member: Milan Sova. • Lurkers: Licia Florio & Alex Reid. • Progress: • Members agreed; • Mailing List & Wiki set up; • see https://wiki.caudit.edu.au/confluence/display/SMAPS/Home • Rodney prepared a very preliminary draft; • Scott preparing a fleshing-out of the headings taken from RFC3647; • - Andrew to be asked to flesh out policy/legal/audit & Leif the dynamic metadata components. Alex Reid, AAF & AARNet
Federation Operator CPS • Proposed 8 Sections to the Document: • Audit (Security & Compliance) • ID Proofing • Certificate Issuance • Certificate Maintenance • Personnel (Trusted Roles) • Physical & Logical Protection of Hardware • Certificate Status & Repository • Miscellaneous • [derived from RFC3647, so may vary as fleshed out] Alex Reid, AAF & AARNet