SPG:Drafts:Acceptable Authentication Assurance
Policy on Acceptable Authentication Assurance
This policy is effective from <DATE> and replaces the earlier policy "Approval of Certification Authorities" [R1]. This policy is one of a set of documents that together define the Security Policy [R2]. This individual document must be considered in conjunction with all the policy documents in the set.
All terms are defined in the Glossary [R3].
In order to protect its assets, the e-Infrastructure needs to authenticate, identify, and trace Users granted access to its Services. The authentication and identification must be sufficient to meet the requirements of the Security Policy and any ancillary Specific Policies, bearing in mind the long term nature of data stored within the e-Infrastructure and the heterogeneous authentication and identification capabilities provided by the Virtual Organisations (VOs) in verifying user data.
Interoperable Global Trust Federation (IGTF)
The e-Infrastructure endorses the work of the Interoperable Global Trust Federation (IGTF) as a body to establish common policies and guidelines that help establish interoperable, global trust relations between providers of e-Infrastructures and cyber-infrastructures, identity providers, and other qualified relying parties, for the definition of authentication assurance profiles, operational requirements for authentication services, and the accreditation of Issuing Authorities. The e-Infrastructure MAY participate in the accreditation standards process of the IGTF through formal membership of the IGTF member Policy Management Authorities.
Definition of approved authentication assurance sources
Authentication and identification is considered adequate if the combined assurance level provided by the Issuing Authority, the e-Infrastructure registration service, and the VO registration service, for each User authorised to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles:
a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113622.214.171.124.1)
b) IGTF Assurance Profile BIRCH (urn:oid:1.2.840.1136126.96.36.199.2)
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.1136188.8.131.52.3)
Unless either the VO or e-infrastructure registration service can demonstrate that - for the Users it authorises to use Services - it meets one of the approved assurance profiles, the IGTF accredited issuing authority MUST provide this level of assurance.
If either the specific VO registration service or the e-Infrastructure registration service meets or exceeds the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.1136184.108.40.206.4) is considered adequate when used solely in combination with said VO or e-Infrastructure registration service.
For credentials issued in the form of PKI certificates, the e-Infrastructure requires compliance with the IGTF PKI Technology Guidelines.
The e-Infrastructure management MAY incidentally approve other Issuing Authorities. These SHOULD normally be temporary, pending IGTF accreditation. Credentials issued by authorities other than those listed above are not approved.
The e-Infrastructure deployment team SHALL maintain its own repository containing the trust anchors of all approved Issuing Authorities (see section 1.3), synchronised promptly with each IGTF trust anchor release. All e-Infrastructure resources SHOULD promptly install the full list of approved trust anchors from the repository as packaged, updated and announced from time to time by the deployment team. Decisions not to install or to subsequently remove a trust anchor from an approved Issuing Authority MUST be communicated immediately to the e-Infrastructure Security Officer. Individual resources MAY deploy other non-approved trust anchors for their own local use, providing this is allowed by their local policy and that they take care of the potential problems arising from e.g. non-uniqueness of user subject names.
For specific cases, a risk evaluation and assessment having been completed, different authentication assurance policies may apply. The e-Infrastructure shall maintain a registry of such specific policies and their area of applicability.
[R1] https://documents.egi.eu/document/83 [R2] Approved EGI Security Policies. https://wiki.egi.eu/wiki/SPG:Documents [R3] EGI Glossary. https://wiki.egi.eu/wiki/Glossary_V1 SPG Security Policy Glossary of Terms. https://documents.egi.eu/document/71
1) http://www.igtf.net/ 2) https://www.igtf.net/ap/authn-assurance/ 3) https://www.igtf.net/guidelines/pkitech/ 4) In the PKI Technology Rendering, the e-Infrastructure thus approves the IGTF SLCS, MICS, and Classic APs for general use, and the IGTF IOTA AP for use in combination with VO or e-Infrastructure registration services that themselves meet the IGTF ASPEN, BIRCH or CEDAR assurance profiles.