
Difference between revisions of "SPG:Drafts:Assessment Community IDvetting adequacy"

From EGIWiki
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Draft Procedure - Assessment of the Adequacy of Community ID vetting'''
Authentication and identification is [https://documents.egi.eu/public/ShowDocument?docid=2930 considered adequate], for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority, and either the e-Infrastructure registration service and/or the Community registration service, meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP]. This is conventionally assured through a vetting process during user credential issuance at their identity provider.


Authentication and identification is considered adequate, for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority, and either the e-Infrastructure registration service and/or the VO registration service, meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP].
The Community or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, and substantiate their compliance with the [https://igtf.net/snctfi Snctfi] membership management requirements, must submit a request for assessment by the designated Security Policy Groups (SPG) by way of Infrastructure Operations.  
 
The Community or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, must submit a request for assessment by the EGI Security Policy Group to EGI operations.  


The request shall include the following information:  
The request shall include the following information:  
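Review bot: the revised sentence "submit a request for assessment by the designated Security Policy Groups (SPG)" uses the plural "Groups" while the acronym and the later sentence "the SPG shall advise" treat it as one body; make it "the designated Security Policy Group (SPG)" or carry the plural through consistently. The bracketed reference "[AAP]" after "IGTF authentication assurance profiles" is also never expanded or linked, unlike the Snctfi and assurance-level references in the same revision; link it to the IGTF assurance profile page the way the other citations are.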
Line 9: Line 7:
*a statement of their compliance with the Community Membership Management Policy
*a statement of their compliance with the Community Membership Management Policy
*a statement of their compliance with the Community Operations Security Policy
*a statement of their compliance with the Community Operations Security Policy
*a documented description of the membership life cycle process and practices meeting the requirements of the IGTF [https://www.igtf.net/ap/authn-assurance ASPEN, BIRCH, or CEDAR assurance level], in which   
*a documented description of the membership life cycle process and practices meeting the requirements of the IGTF [https://www.igtf.net/ap/authn-assurance BIRCH, CEDAR (or ASPEN) assurance level], in which   
**the ''credential'' of the user is the membership registration data and community-issued assertions
**the ''credential'' of the user is the membership registration data and community-issued assertions
**the ''Issuing Authority'' is the collection of membership management and assertion-issuing systems and services  
**the ''Issuing Authority'' is the collection of membership management and assertion-issuing systems and services  
**the ''credential life time'' corresponds to the renewal periods as defined in the Community Membership Management Policy
**the ''credential life time'' corresponds to the renewal periods as defined in the Community Membership Management Policy
*a description of the method of binding between the membership information and the DOGWOOD user credential
*a description of the method of binding between the membership information and the DOGWOOD user credential (identifier)


Based on this information, the EGI SPG shall advise the EGI Operations Management Board with respect to suitability of the Community or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.  
Based on this information, the SPG shall advise the Infrastructure Operations with respect to suitability of the Community or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.  


The SPG may make available [https://wiki.eugridpma.org/Main/AssuranceAssessment an evaluation matrix]. Applicant communities are welcome to use the assurance evaluation matrix to prepare the requisite documents, bearing in mind the evaluation ''Method'' and the ''Persistent registry (community membership) implementation and assessment hints''. The most relevant community assurance profiles for the joint adequacy purpose are BIRCH and CEDAR.<br>
The SPG may make available [http://wiki.eugridpma.org/Main/AssuranceAssessment an evaluation matrix]. Applicant communities are welcome to use the assurance evaluation matrix to prepare the requisite documents, bearing in mind the evaluation ''Method'' and the ''Persistent registry (community membership) implementation and assessment hints''. The most relevant community assurance profiles for the joint adequacy purpose are BIRCH and CEDAR. Registries and membership services at ASPEN level are strongly discouraged. The credential (registration) life time of 11 days necessitates re-registering members with this frequency, and re-validating their eligibility. This model is likely to both confuse and upset members. <br>
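Review bot: the evaluation-matrix link is changed from https://wiki.eugridpma.org/Main/AssuranceAssessment to http://wiki.eugridpma.org/Main/AssuranceAssessment; keep the https form so applicants fetch the assessment hints over TLS rather than a downgraded link. Separately, the list item still offers "BIRCH, CEDAR (or ASPEN) assurance level" as acceptable while the new closing sentences say ASPEN registries "are strongly discouraged" because of the 11-day registration life time; either drop ASPEN from the list item or add the same caveat beside it so the two passages agree.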

Latest revision as of 17:44, 19 February 2019

Authentication and identification is considered adequate, for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority, and either the e-Infrastructure registration service and/or the Community registration service, meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP]. This is conventionally assured through a vetting process during user credential issuance at their identity provider.

The Community or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, and substantiate their compliance with the Snctfi membership management requirements, must submit a request for assessment by the designated Security Policy Groups (SPG) by way of Infrastructure Operations.

The request shall include the following information:

  • a statement of their compliance with the Community Membership Management Policy
  • a statement of their compliance with the Community Operations Security Policy
  • a documented description of the membership life cycle process and practices meeting the requirements of the IGTF BIRCH, CEDAR (or ASPEN) assurance level, in which
    • the credential of the user is the membership registration data and community-issued assertions
    • the Issuing Authority is the collection of membership management and assertion-issuing systems and services
    • the credential life time corresponds to the renewal periods as defined in the Community Membership Management Policy
  • a description of the method of binding between the membership information and the DOGWOOD user credential (identifier)

Based on this information, the SPG shall advise the Infrastructure Operations with respect to suitability of the Community or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.

The SPG may make available an evaluation matrix. Applicant communities are welcome to use the assurance evaluation matrix to prepare the requisite documents, bearing in mind the evaluation Method and the Persistent registry (community membership) implementation and assessment hints. The most relevant community assurance profiles for the joint adequacy purpose are BIRCH and CEDAR. Registries and membership services at ASPEN level are strongly discouraged. The credential (registration) life time of 11 days necessitates re-registering members with this frequency, and re-validating their eligibility. This model is likely to both confuse and upset members.