SPG:Drafts:Assessment Community IDvetting adequacy
Draft Procedure - Assessment of the Adequacy of Community ID vetting
Authentication and identification are considered adequate, for each User authorised to access Services, if the combined assurance level provided by the end-user credential issuing authority and the e-Infrastructure registration service and/or the VO registration service meets or exceeds the requirements of the approved IGTF authentication assurance profiles [AAP].
The VO or e-Infrastructure wishing to prove the adequacy of its identity vetting, in order to use its members' credentials in conjunction with the IGTF Assurance Profile DOGWOOD, must submit a request for assessment by the EGI Security Policy Group.
The request includes the following information:
- a statement of their compliance with the Community Membership Management Policy
- a documented description of the membership life cycle process and practices meeting the requirements of the IGTF ASPEN, BIRCH, or CEDAR assurance level, where
  - the membership registration data and issued assertions constitute the credential of the user
  - where the identifier is obtained from a DOGWOOD user credential, the membership registration data should maintain a persistent unique mapping to an appropriate representation of the real name of the user, and this name should be released where technically feasible
  - the collection of membership management and assertion-issuing systems and services constitutes the Issuing Authority
  - the credential lifetime corresponds to the re-confirmation periods as defined in the Community Membership Management Policy
Based on this information, the EGI SPG shall advise the EGI Operations Management Board with respect to the suitability of the VO or e-Infrastructure for such combined adequacy in accordance with the Policy on Acceptable Authentication Assurance.
The SPG or IGTF will make available an evaluation matrix.