Difference between revisions of "EGI-Engage:TASK JRA1.1 Proposal for Levels of Assurance"
|Line 27:||Line 27:|
== LoA: B ==
== LoA: B ==
This category groups accounts coming from Identity Providers, which support the
This category groups accounts coming from Identity Providers, which support the , [https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf SIRTFI] and the [https://refeds.org/wp-content/uploads/2016/09/ENTCAT-RANDS-v1.3.pdf Research & Scholarship Entity Category]<br>
<br> '''This category is expressed with LoA B and is equivelant to IGTF'''<span style="font-size: 13.28px;"> '''
<br> '''This category is expressed with LoA B and is equivelant to IGTF '''<span style="font-size: 13.28px;"> ''''''/
== LoA: C ==
== LoA: C ==
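Review bot: In the revised LoA: B paragraph, "which support the , [SIRTFI]" leaves a dangling comma after "support the", so the first item in the list of supported frameworks is empty; either name it or drop the comma. On the following line, "equivelant" should be "equivalent", and the sentence ends at "equivalent to IGTF" without naming a profile. The revision also leaves the span element unclosed and adds a stray ''''''/ after it, which will break the bold rendering for the rest of the section.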
Revision as of 17:44, 25 November 2016
This wiki page is a work in progress and contains a draft proposal for the categorization of the levels of assurance in the scope of the EGI CheckIn service. The CheckIn service aggregates authentication and authorization information from different sources, which have different levels of assurance and may release only a subset of the required attributes. The combined information from the aggregated sources of authentication information results in an overall LoA that is embedded in the assertion sent to the service providers in the EGI Federation.
Level of Assurance
This section contains the proposed categories of level of assurance as interpreted and published by the EGI AAI Proxy (CheckIn service).
This category groups the credentials with basically no LoA associated. Examples are social-identity credentials with no vetting and no uniqueness of the ID guaranteed.
This category does not allow access to most of the EGI services, but could be used to access read-only open datasets and to track, in a qualitative way, the number of accesses to a dataset. No sensitive activities can be accessed with this basic credential.
For this category no LoA is assigned.
This category groups accounts coming from Identity Providers which participate in one of the eduGAIN Federations.
This category is expressed with LoA: A
This category groups accounts coming from Identity Providers which fulfill all the requirements of LoA: B and in addition meet the requirements of IGTF BIRCH.
This category is expressed with LoA C and is equivalent to IGTF BIRCH
Notes and comments
Side discussion about LoA definitions
Currently we are using Low/Substantial/High:
Proposal to use 4 levels:
- ZERO: Social IDs or self-registration
- LOW: IdP from federations in eduGAIN
- BASELINE: https://aarc-project.eu/wp-content/uploads/2015/11/MNA31-Minimum-LoA-level.pdf
- BIRCH: https://www.igtf.net/ap/authn-assurance/
History of edits
First version from Peter Solagna 30-09-2016