InCommon Participant Operating Practices: Friend or Foe?
  1. InCommon Participant Operating Practices: Friend or Foe?
  InCommon CAMP, 21 June 2010
  Paul Caskey, U.T. System

  2. Agenda
  • Introducing the InCommon POP document
  • Why is the POP important?
  • Examples of POPs
  • Why might the POP be inappropriate?
  • Introducing “Level of Assurance” (LoA)
  • InCommon assurance framework and profiles
  • Issues/Questions/Discussion…

  3. Introducing the InCommon POP Document
  • What is it?
  • Am I required to have a POP?
  • What goes into the POP?
  • Who writes it?
  • Who looks at it?
  • Does anyone ever check its accuracy?
  • How do you change it?

  4. Why is the POP Important?
  • *YOU* are now part of my identity management system, and I need to know what types of risk that entails
  • The foundation of trust is understanding how those you rely on manage identities; the POP is how you achieve that
  • The “high-value transaction”…
  • Helps you to identify weaknesses in your process
  • Helps auditors measure your performance

  5. Examples of POPs
  • The InCommon "starter" document:
    http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html
  • Institutional:
    Many are published, but only InCommon registered contacts can see the URLs; some campuses feel this is sensitive information.
    https://wiki.cac.washington.edu/display/infra/Shibboleth+for+UW+Web+Applications
    http://its.lafayette.edu/about/policies/InCommonPoP
    http://www.cit.cornell.edu/identity/InCommon.html
  • System-based:
    UT System: https://idm.utsystem.edu/utfed/MemberOperatingPractices.pdf
  • Federation-based:
    U.K. Federation: http://www.ukfederation.org.uk/content/Documents/FedDocs

  6. Why might the POP be inappropriate?
  • Some are inclined to “hide” them (or the URLs get changed)
  • Strong desire to “make it look good” or to describe “how we plan on things working”
  • Can be speculative in terms of how things really work
  • POPs can become stale (practices and technologies change)
  • POPs are rarely or never verified (the “A” word: audit)
  • So there needs to be some “teeth” in the operating practices to promote trust among participants…

  7. Introducing “Level of Assurance” (LoA)…
  • What is LoA?
  • What is LoA NOT?
  • Why is it stronger than a POP?
  • Who gets to set the standards?
  • Examples of LoA
  • How is the required level determined?
  • How is it used?

  8. The InCommon Assurance Framework
  • What's an IAP (Identity Assurance Profile)?
  • Background
  • How are they used?
  • Bronze: http://www.incommonfederation.org/docs/assurance/InC_Bronze-Silver_IAP_1.0.1.pdf
  • Silver (same URL as above)
  • How to get started?

  9. Issues/Questions/Discussion…
  • Organization-based versus subject-based? (the "exception process")
  • What infrastructure is needed to implement higher LoAs?
  • Is LoA determined only at credentialing time, or should there be a run-time component?
  • What about remote password resets?
  • How urgent is LoA?

  10. Thank You!
  Contact Information: Paul Caskey (pcaskey@utsystem.edu)