SPG:Drafts:Acceptable Authentication Assurance
Policy on Acceptable Authentication Assurance
This draft policy is currently being developed. It is an update of the old policy "Approval of Certification Authorities".
It is being updated to cover the current IGTF levels of assurance and other changes.
The original policy is available at https://documents.egi.eu/document/83
In order to protect its assets, the e-Infrastructure needs to authenticate, identify, and trace Users granted access to its Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long term nature of data stored within the e-Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.
Interoperable Global Trust Federation (IGTF)
The e-Infrastructure endorses the work of the Interoperable Global Trust Federation (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The e-Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.
Definition of approved authentication assurance sources
Authentication and identification is considered adequate if the combined assurance level provided by the Issuing Authority, the e-Infrastructure registration service, and the VO registration service, for each User authorised to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:
a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113622.214.171.124.1)
b) IGTF Assurance Profile BIRCH (urn:oid:1.2.840.1136126.96.36.199.2)
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.1136188.8.131.52.3)
Unless either the VO or e-infrastructure registration service can demonstrate that - for the Users it authorises to use Services - it meets one of the approved assurance profiles, the IGTF accredited issuing authority MUST provide this level of assurance.
If either the specific VO registration service or the e-Infrastructure registration service meets or exceeds the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.1136184.108.40.206.4) is considered adequate when used solely in combination with said VO or e-Infrastructure registration service.
For credentials issued in the form of PKI certificates, the e-Infrastructure requires compliance with the IGTF PKI Technology Guidelines.
The e-Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.
The e-Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 1.3), synchronised promptly with each IGTF trust anchor release. All e-Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the e-Infrastructure Security Officer. Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.
For specific cases, a risk evaluation and assessment having been completed, different authentication assurance policies may apply. The e-Infrastructure shall maintain a registry of such specific policies and their area of applicability.
1) http://www.igtf.net/ 2) https://www.igtf.net/ap/authn-assurance/ 3) https://www.igtf.net/guidelines/pkitech/ 4) In the PKI Technology Rendering, the e-Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or e-Infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.