Difference between revisions of "SPG:Drafts:Assessment Community IDvetting adequacy"

From EGIWiki
Jump to: navigation, search
Line 1: Line 1:
 
'''Draft Procedure - Assessment of the Adequacy of Community ID vetting'''
 
'''Draft Procedure - Assessment of the Adequacy of Community ID vetting'''
  
From the security policy on Acceptable Authentication Assurance,
+
Authentication and identification is considered adequate, for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority, the e-Infrastructure registration service, and the VO registration service meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP].
  
Authentication and identification is considered adequate if the combined assurance level provided by the Issuing Authority, the e-Infrastructure registration service, and the VO registration service, for each User authorised to access Services, meets or exceeds the requirements of the following approved IGTF authentication assurance profiles [R5]:
+
The VO or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, must submit a request for assessment by the EGI Security Policy Group.
  
a) IGTF Assurance Profile ASPEN (urn:oid:1.2.840.113612.5.2.5.1)
+
The EGI SPG shall advise the EGI Operations Management Board with respect to suitability of the VO or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.
  
b) IGTF Assurance Profile BIRCH (urn:oid:1.2.840.113612.5.2.5.2)
+
The advise shall be based on the assessment of the following submitted information:
  
c) IGTF Assurance Profile CEDAR (urn:oid:1.2.840.113612.5.2.5.3)
+
* their compliance with the Community Membership Policy
 
+
* documented description of the membership life cycle process and practices meeting the requirements of the IGTF ASPEN, BIRCH, or CEDAR assurance level, where
Unless either the VO or e-infrastructure registration service can demonstrate that - for the Users it authorises to use Services - it meets one of the approved assurance profiles, the IGTF accredited issuing authority MUST provide this level of assurance.
+
** the membership registration data and issued assertions constitute the credential of the user
 
+
** where the identifier is obtained from a DOGWOOD user credential, the membership registration data should maintain a persistent unique mapping to an appropriate representation of the real name of the user, and this name should be released where technically feasible
If either the specific VO registration service or the e-Infrastructure registration service meets or exceeds the approved authentication assurance profiles, an IGTF accredited Issuing Authority meeting the IGTF Assurance Profile DOGWOOD (urn:oid:1.2.840.113612.5.2.5.4) is considered adequate when used solely in combination with said VO or e-Infrastructure registration service.
+
** the Issuing Authority corresponds to the collection of membership management and assertion-issuing systems and services

Revision as of 11:21, 9 June 2017

Draft Procedure - Assessment of the Adequacy of Community ID vetting

Authentication and identification is considered adequate, for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority, the e-Infrastructure registration service, and the VO registration service meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP].

The VO or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, must submit a request for assessment by the EGI Security Policy Group.

The EGI SPG shall advise the EGI Operations Management Board with respect to suitability of the VO or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.

The advise shall be based on the assessment of the following submitted information:

  • their compliance with the Community Membership Policy
  • documented description of the membership life cycle process and practices meeting the requirements of the IGTF ASPEN, BIRCH, or CEDAR assurance level, where
    • the membership registration data and issued assertions constitute the credential of the user
    • where the identifier is obtained from a DOGWOOD user credential, the membership registration data should maintain a persistent unique mapping to an appropriate representation of the real name of the user, and this name should be released where technically feasible
    • the Issuing Authority corresponds to the collection of membership management and assertion-issuing systems and services