
Difference between revisions of "SPG:Drafts:Acceptable Authentication Assurance"

From EGIWiki
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Policy on Acceptable Authentication Assurance  =
= Policy on Acceptable Authentication Assurance  =


This draft policy is currently being developed. It is an update of the old policy "Approval of Certification Authorities".
This policy is effective from <DATE> and replaces the earlier policy "Approval of Certification Authorities" [R1]. This policy is one of a set of documents that together define the Security Policy [R2]. This individual document must be considered in conjunction with all the policy documents in the set.


It is being updated to cover the current IGTF levels of assurance and other changes.
All terms are defined in the Glossary [R3].


The original policy is available at https://documents.egi.eu/document/83
== Introduction ==


=== Introduction ===
In order to protect its assets, the e-Infrastructure needs to authenticate, identify, and trace Users granted access to its Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long term nature of data stored within the e-Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.


In order to protect its assets, the IT Infrastructure needs to authenticate, identify, and trace Users to which is grant authorization to access Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long term nature of data stored within the IT Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.
== Interoperable Global Trust Federation (IGTF) ==


=== Interoperable Global Trust Federation (IGTF) ===
The e-Infrastructure endorses the work of the Interoperable Global Trust Federation (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The e-Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.


The IT Infrastructure endorses the work of the Interoperable Global Trust Federation  (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The IT Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.
== Definition of approved authentication assurance sources ==


=== Definition of approved authentication assurance sources ===
Authentication and identification is considered adequate if the combined assurance level provided by the Issuing Authority, the e-Infrastructure registration service, and the VO registration service, for each User authorised to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:
 
Authentication and identification is considered adequate if the collective assurance level provided by the IGTF accredited Issuing Authority, the IT Infrastructure registration service, and the VO registration service, for each User authorized to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:


a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113612.5.2.5.1)
a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113612.5.2.5.1)
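Review bot: The rewritten opening sentence of "Definition of approved authentication assurance sources" drops the "IGTF accredited" qualifier from "Issuing Authority", while the following paragraphs of the new text still refer to the "IGTF accredited issuing authority" and to an "IGTF accredited Issuing Authority" for DOGWOOD. If accreditation is still required in every case, restore the qualifier in this sentence; if the intent is to let the combined assurance of the registration services stand in for it, state that explicitly. Separately, the new effective-date sentence still carries the "<DATE>" placeholder, which has to be replaced with an actual date before the text can take effect.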
Line 25: Line 23:
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.113612.5.2.5.3)
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.113612.5.2.5.3)


Unless for each authorized User either the VO or an IT Infrastructure registration service can demonstrate that it meets one of the approved assurance profiles, it is required that the IGTF accredited Issuing Authority provides this level of assurance.
Unless either the VO or e-infrastructure registration service can demonstrate that - for the Users it authorises to use Services - it meets one of the approved assurance profiles, the IGTF accredited issuing authority MUST provide this level of assurance.
If the specific VO and/or IT Infrastructure registration service meet or exceed the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.113612.5.2.5.4) is considered adequate when used solely in combination with said VO or IT Infrastructure registration service.
For credentials issued in the form of PKI certificates, the IT Infrastructure requires compliance with the IGTF PKI Technology Guidelines.
The IT Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.


Footnotes:
If either the specific VO registration service or the e-Infrastructure registration service meets or exceeds the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.113612.5.2.5.4) is considered adequate when used solely in combination with said VO or e-Infrastructure registration service.


1) http://www.igtf.net/
For credentials issued in the form of PKI certificates, the e-Infrastructure requires compliance with the IGTF PKI Technology Guidelines.  
2) https://www.igtf.net/ap/authn-assurance/
3) https://www.igtf.net/guidelines/pkitech/
4) In the PKI Technology Rendering, the IT Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or IT infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.


The e-Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.


=== Operational matters ===
== Operational matters ==


The IT Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 3), synchronised promptly with each IGTF trust anchor release.
The e-Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 1.3), synchronised promptly with each IGTF trust anchor release.
All IT Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the IT Security Officer.
All e-Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the e-Infrastructure Security Officer.
Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.
Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.
== More-specific policies ==
For specific cases, a risk evaluation and assessment having been completed, different authentication assurance policies may apply. The e-Infrastructure shall maintain a registry of such specific policies and their area of applicability.
== References ==
[R1]  https://documents.egi.eu/document/83
[R2]  Approved EGI Security Policies. https://wiki.egi.eu/wiki/SPG:Documents
[R3]  EGI Glossary. https://wiki.egi.eu/wiki/Glossary_V1
SPG Security Policy Glossary of Terms. https://documents.egi.eu/document/71
1) http://www.igtf.net/
2) https://www.igtf.net/ap/authn-assurance/
3) https://www.igtf.net/guidelines/pkitech/
4) In the PKI Technology Rendering, the e-Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or e-Infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.
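Review bot: In "Operational matters" the cross-reference changes from "see section 3" to "see section 1.3", but the headings in this revision carry no numbers, so "1.3" cannot be resolved by a reader; refer to the section by its title, "Definition of approved authentication assurance sources". In the rewritten sentence beginning "Unless either the VO or e-infrastructure registration service", the terms "e-infrastructure" and "issuing authority" are lowercase while the rest of the new text writes "e-Infrastructure" and "Issuing Authority"; align the capitalisation so the sentence clearly uses the same terms as the surrounding paragraphs.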

Latest revision as of 01:11, 20 October 2016

Policy on Acceptable Authentication Assurance

This policy is effective from <DATE> and replaces the earlier policy "Approval of Certification Authorities" [R1]. This policy is one of a set of documents that together define the Security Policy [R2]. This individual document must be considered in conjunction with all the policy documents in the set.

All terms are defined in the Glossary [R3].

Introduction

In order to protect its assets, the e-Infrastructure needs to authenticate, identify, and trace Users granted access to its Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long term nature of data stored within the e-Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.

Interoperable Global Trust Federation (IGTF)

The e-Infrastructure endorses the work of the Interoperable Global Trust Federation (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The e-Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.

Definition of approved authentication assurance sources

Authentication and identification is considered adequate if the combined assurance level provided by the Issuing Authority, the e-Infrastructure registration service, and the VO registration service, for each User authorised to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:

a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113612.5.2.5.1)

b) IGTF Assurance Profile BIRCH (urn:oid:1.2.840.113612.5.2.5.2)

c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.113612.5.2.5.3)

Unless either the VO or e-Infrastructure registration service can demonstrate that, for the Users it authorises to use Services, it meets one of the approved assurance profiles, the IGTF accredited Issuing Authority MUST provide this level of assurance.

If either the specific VO registration service or the e-Infrastructure registration service meets or exceeds the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.113612.5.2.5.4) is considered adequate when used solely in combination with said VO or e-Infrastructure registration service.

For credentials issued in the form of PKI certificates, the e-Infrastructure requires compliance with the IGTF PKI Technology Guidelines.

The e-Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.

Operational matters

The e-Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 1.3), synchronised promptly with each IGTF trust anchor release. All e-Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the e-Infrastructure Security Officer. Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.

More-specific policies

For specific cases, a risk evaluation and assessment having been completed, different authentication assurance policies may apply. The e-Infrastructure shall maintain a registry of such specific policies and their area of applicability.


References

[R1] https://documents.egi.eu/document/83
[R2] Approved EGI Security Policies. https://wiki.egi.eu/wiki/SPG:Documents
[R3] EGI Glossary. https://wiki.egi.eu/wiki/Glossary_V1
SPG Security Policy Glossary of Terms. https://documents.egi.eu/document/71

1) http://www.igtf.net/
2) https://www.igtf.net/ap/authn-assurance/
3) https://www.igtf.net/guidelines/pkitech/
4) In the PKI Technology Rendering, the e-Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or e-Infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.