Versions Compared

...

  1. A security incident is the act of violating an explicit or implied security policy (for example, as documented in an acceptable use policy)
  2. A Service Provider is expected to define and provide a service. The expected behavior of a service provider is defined by their Participant Operational Practices its service description, InCommon's Participation Agreement and the documents it references, and possibly other policies and laws. All In particular, all SPs are expected to comply with any restrictions on the use of attributes contained in the Participant Operating Practices of identity information they obtain any Identity Provider partners from which they accept identity information. Evidence of behavior by a service provider Service Provider that violates those policies is considered a security incident.
  3. Identity Providers are expected to represent user identities (identifiers and/or attributes) to the degree of authority and accuracy specified in their Participant Operating PracticesInCommon's Participation Agreement and the documents it references. Evidence of failure of an Identity Provider to do so, e.g. impersonation of a user by another party, is considered a security incident.

...