SPG:Drafts:Acceptable Authentication Assurance
Policy on Acceptable Authentication Assurance
This draft policy is currently being developed. It is an update of the old policy "Approval of Certification Authorities".
It is being updated to cover the current IGTF levels of assurance and other changes.
The original policy is available at https://documents.egi.eu/document/83
In order to protect its assets, the IT Infrastructure needs to authenticate, identify, and trace Users to whom it grants authorization to access Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long-term nature of data stored within the IT Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.
Interoperable Global Trust Federation (IGTF)
The IT Infrastructure endorses the work of the Interoperable Global Trust Federation (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The IT Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.
Definition of approved authentication assurance sources
Authentication and identification is considered adequate if the collective assurance level provided by the IGTF accredited Issuing Authority, the IT Infrastructure registration service, and the VO registration service, for each User authorized to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:
a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.1136126.96.36.199.1)
b) IGTF Assurance Profile BIRCH (urn:oid:1.2.840.1136188.8.131.52.2)
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.1136184.108.40.206.3)
Unless for each authorized User either the VO or an IT Infrastructure registration service can demonstrate that it meets one of the approved assurance profiles, it is required that the IGTF accredited Issuing Authority provides this level of assurance. If the specific VO and/or IT Infrastructure registration service meet or exceed the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.1136220.127.116.11.4) is considered adequate when used solely in combination with said VO or IT Infrastructure registration service. For credentials issued in the form of PKI certificates, the IT Infrastructure requires compliance with the IGTF PKI Technology Guidelines. The IT Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.
1) http://www.igtf.net/
2) https://www.igtf.net/ap/authn-assurance/
3) https://www.igtf.net/guidelines/pkitech/
4) In the PKI Technology Rendering, the IT Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or IT infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.
The IT Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 3), synchronised promptly with each IGTF trust anchor release. All IT Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the IT Security Officer. Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.