2008 Internet2 Spring Member Meeting
April 21, 2008
David Wasley, a member of the InCommon Technical Advisory Committee, provided an overview of the proposed InCommon Silver level of assurance.
InCommon Silver is based on the Federal eAuth level of assurance program, which will include four levels of trust. Silver is roughly equivalent to the eAuth level 2, while the original InCommon profile, now called Bronze, is equivalent to eAuth level 1. Silver provides an additional level of trust for Identity Providers that require this enhancement.
Assurance profiles provide a structured set of requirements for the management of access to general classes of resources. The draft of the Silver profile is available for review and feedback on the InC-Collaborate wiki.
The InCommon Silver Profile assesses these policies and operations of an IdP:
Business, Policy and Operational Factors
Registration and Identity Proofing
There was some discussion in the area of identity proofing. Universities often provide credentials to students and faculty before they arrive on campus. One suggestion for that scenario is to assign those individuals a Bronze or undefined level, then do more substantial identity proofing in person and reassign them to Silver, as appropriate. Another option is to implement a remote proofing process.
For either in-person or remote proofing, the InCommon Silver proposal includes a list of required information and is aligned with NIST 800-63-1 and eAuth. A Registering Authority is required to verify two forms of identification presented by an individual. These could include government-issued IDs, a credit card or proof of utility service.
The InCommon TAC's intention is to make the identity proofing requirements consistent with an institution's employment activities. For example, the hiring process must comply with federal and state requirements and would typically include checking the identification of someone being hired. The intent is to make the identity proofing similar and not create additional burdens. Many universities already do this, but may not document the process, which InCommon Silver requires.
It is possible that some individuals may be proofed at the Silver level (most employees, for example) and some at the Bronze level (prospective students, for example). In addition, some applications may not require Silver, so why put people through that process unnecessarily? A student may be Bronze, for example, until the FAFSA moves to Level 2, at which time Silver will be required.
Digital Electronic Credential Technology
Regarding "strong resistance to guessing shared secret," a NIST document provides a metric for how complex a password must be to resist guessing. NIST provides an Excel spreadsheet that, given the credential requirements as input (e.g., upper and lower case, numbers and letters, etc.), produces a numerical rating of password strength.
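As an added example (not from the meeting notes and not the NIST spreadsheet itself), the per-character guessing-entropy rules that NIST SP 800-63 Appendix A applies to user-chosen passwords, implemented as a rating of a password policy rather than of a single password; the dictionary-check bonus is taken as an input because Appendix A only tabulates it, and the 14-bit target in the demo is an assumption, not a value stated on this page.

```python
from dataclasses import dataclass

# Per-character tiers from NIST SP 800-63 Appendix A for user-chosen passwords:
# first char 4 bits, next 7 chars 2 bits each, chars 9-20 1.5 bits each, then 1 bit each.
TIERS = [(1, 4.0), (7, 2.0), (12, 1.5)]   # (number of characters, bits per character)
COMPOSITION_BONUS = 6.0                   # rule forcing upper case AND non-alphabetic chars
MAX_DICTIONARY_BONUS = 6.0                # Appendix A: "up to 6 bits" for a dictionary check


@dataclass
class PasswordPolicy:
    min_length: int
    require_upper_and_nonalpha: bool = False
    dictionary_check_bits: float = 0.0    # caller supplies the Table A.1 value; 0 if no check


def length_entropy(length: int) -> float:
    """Guessing-entropy estimate for a user-chosen password of the given length."""
    bits, remaining = 0.0, max(0, length)
    for count, per_char in TIERS:
        used = min(remaining, count)
        bits += used * per_char
        remaining -= used
    return bits + remaining * 1.0         # every character past the 20th: 1 bit


def policy_entropy(policy: PasswordPolicy) -> float:
    """Bits credited to the weakest password the policy still permits."""
    if not 0.0 <= policy.dictionary_check_bits <= MAX_DICTIONARY_BONUS:
        raise ValueError("dictionary bonus must be between 0 and 6 bits")
    bits = length_entropy(policy.min_length)
    if policy.require_upper_and_nonalpha:
        bits += COMPOSITION_BONUS
    return bits + policy.dictionary_check_bits


def complies(password: str, policy: PasswordPolicy) -> bool:
    """Does a candidate password satisfy the policy's length and composition rules?"""
    if len(password) < policy.min_length:
        return False
    if policy.require_upper_and_nonalpha:
        return any(c.isupper() for c in password) and any(not c.isalpha() for c in password)
    return True


def meets_level(policy: PasswordPolicy, required_bits: float) -> bool:
    """Compare the policy's rating against a level's required bits (threshold is caller-supplied)."""
    return policy_entropy(policy) >= required_bits


if __name__ == "__main__":
    # Constructed policies for comparison; the 14-bit target below is an assumption for the demo.
    for name, p in (("weak", PasswordPolicy(4)), ("strong", PasswordPolicy(8, True))):
        print(f"{name}: {policy_entropy(p):.1f} bits, meets 14-bit target: {meets_level(p, 14)}")
```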
Credential Issuance and Management
In the case of suspected credential compromise, the NIST guidance locks out accounts. Universities typically do not want to do this, so some discussion in this area is required.
Security and Management of Authentication Events
Identity Information Management
Identity Assertion and Content
Technical Environment
Implementation - Qualifying for Silver
Use of InCommon IAQs
PKI and Federation
PKI plus federation
Debbie Bucci from the National Institutes of Health was at the session. She said that NIH is working to roll out applications that they are looking to federate. For example, a SharePoint service for public information officers is expected to go live in May. The grant community is looking to federate with NIH, and there are a number of Level 2 applications being developed.
The NIH is exploring ways for faculty and other campus-based individuals who have NIH-assigned accounts to begin federating with their campus IDs. NIH is developing a way for these individuals to map their NIH accounts to their federated accounts.
The InCommon TAC encourages institutions to perform a self-assessment, based on the Silver profile. Penn State, for example, did a gap analysis, reviewing the Silver document and listing what would need to be accomplished to meet the requirements.