[WG-IDAssurance] Reminder: IAWG Telecon Tues 16 March 2011 08:00PST / 11:00 EST / 15:00 UTC
atick10 at me.com
Wed Mar 30 03:39:03 EDT 2011
I'd like to attach 2 things to your agenda for the benefit of the group.
First is the link to the FAQs work-in-progress on the wiki.
And the second is some language that the ARB has asked to be cascaded to the IAWG for review and consideration. It was drafted by Richard Wilsher. Richard Trevorah was in attendance on the call, and I expect both of them to be on our telecon tomorrow to stand this up for discussion.
For the record: This is a pro bono submission from Zygma, made with the intention of resolving concerns expressed by Mark Coderre, Aetna, regarding the specification of a discrete time period after which inactive credentials should be disabled.
Following last week’s meeting and subsequent 1-1 discussion between myself and each of Mark and Joni, I believe that the criterion in question is:
“AL2_CM_CSM#050 Inactive Credentials
Disable any credential that has not been successfully used for authentication during a period of 18 months.”
(and repeated at AL3 and AL4 without any change in rigor).
As I understand things, Mark’s concern is that this specific time period may not suit all businesses and gave a specific case where, in Aetna’s operations, a subject who doesn’t use their credential for an extended period is probably good news in that they are in good health and not in need of Aetna’s administrations.
I think I suggested that we throw this over the wall to the IAWG, but before we do that, here’s some further thoughts. This criterion (as are they all) is intended to be conformed-to by the CSP. Mark’s concerns arise (if I’ve really got this right) as a Relying Party, needing to have assurance that the credential now being offered (by Aetna’s customer) to gain access to their customer data remains valid. The requirement for disabling the credential is therefore driven not by the CSP itself but by its client (which I assume to be Aetna acting as the Subscriber (sponsor) for its customer’s credential). If the CSP is dedicated to serving only Aetna’s needs then this conundrum is not too difficult to resolve, but if a CSP is providing services to many entities then this criterion needs to have a default OR an alternative value agreed with its client(s), i.e. the CSP will be managing (potentially) multiple ‘expiration periods’. That is much tougher to audit, and for that matter to manage (from the CSP’s perspective).
If it were an ‘in-house’ or dedicated CSP my suggestion for a change to this criterion (which I suggest can flow upwards with no need for revision) would be:
“Based on a consideration of business requirements and associated risk assessment, specify a period of time beyond which any credential that has not been successfully used for authentication during the intervening period shall be disabled.”
However, given the broader concept, I’ll offer:
“Disable any credential that has not been successfully used for authentication during a specified period, that period being determined by one of the following:
a) a consideration of business requirements and associated risk assessment;
b) an explicit statement required by the Subscriber and recorded in the SLA;
c) otherwise by default, 18 months.
Guidance: It is generally not advisable or desirable to allow inactive credentials to persist beyond a reasonable period of time, although business use may dictate that that be longer in some instances than others, in which case there should be in place either a supporting risk assessment which allows management to balance the benefit of a credential’s longevity against potential risk in an extended period where it is unused or a specific SLA clause agreed with the Subscriber for the credential.”
I therefore submit for your consideration the latter text. I’m also wondering what other situations there might be where a similar situation exists –
Finally, I cross-checked with the 2008-11 mapping of the IAF and 800-63, and CSM#050 is recorded as ‘No equivalent requirement identified’. That doesn’t mean to say that a revised -63 wouldn’t address it, and although I worked from a 2008-02 draft I have reviewed the latest published version (2008-12) and I have found nothing to suggest that my finding at the time would not remain accurate today.
Anna Ticktin
Technical Program Coordinator
anna at kantarainitiative.org
anna at ieee-isto.org
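The proposed wording above leaves a CSP that serves several Subscribers managing more than one inactivity period, which Richard notes is harder to audit. The following is an added example (not part of this message, the Kantara IAF, or any Zygma deliverable) of how a CSP's periodic "inactive credentials" sweep might implement the a)/b)/c) resolution: each Subscriber may carry a period set by risk assessment or by an SLA clause, anything else falls back to the 18-month default, and every disablement is written to an audit record that names the period and its source. The Subscriber names, credential identifiers, timestamps and the rule that a never-used credential's clock starts at issuance are all constructed assumptions for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Proposed default (clause c of the draft text): 18 months.
DEFAULT_INACTIVITY_MONTHS = 18


@dataclass(frozen=True)
class InactivityPolicy:
    """Period after which an unused credential is disabled, and why that period applies."""
    months: int
    source: str  # "risk_assessment" (clause a), "sla" (clause b) or "default" (clause c)


@dataclass
class Credential:
    credential_id: str
    subscriber: str
    issued_at: datetime
    last_successful_auth: Optional[datetime]  # None if never used for authentication
    disabled: bool = False


def subtract_months(when: datetime, months: int) -> datetime:
    """Calendar-month subtraction, clamping the day to the target month's length."""
    total = when.year * 12 + (when.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def resolve_policy(subscriber: str, policies: dict) -> InactivityPolicy:
    """Clause a or b if the Subscriber has an agreed period on file, else clause c."""
    return policies.get(subscriber, InactivityPolicy(DEFAULT_INACTIVITY_MONTHS, "default"))


def sweep_inactive_credentials(credentials, policies, now: datetime):
    """Disable credentials whose last successful authentication predates the
    Subscriber-specific cutoff; return one audit record per disablement."""
    audit = []
    for cred in credentials:
        if cred.disabled:
            continue
        policy = resolve_policy(cred.subscriber, policies)
        cutoff = subtract_months(now, policy.months)
        # Assumption: a credential that has never authenticated is measured from issuance.
        last_activity = cred.last_successful_auth or cred.issued_at
        if last_activity < cutoff:
            cred.disabled = True
            audit.append({
                "credential_id": cred.credential_id,
                "subscriber": cred.subscriber,
                "period_months": policy.months,
                "period_source": policy.source,
                "last_activity": last_activity.isoformat(),
                "cutoff": cutoff.isoformat(),
            })
    return audit


def run_sample():
    """Constructed sample data; returns the audit records the sweep produced."""
    utc = timezone.utc
    now = datetime(2011, 3, 30, tzinfo=utc)
    # Per-Subscriber periods (constructed): one from an SLA clause, one from a risk assessment.
    policies = {
        "subscriber-a": InactivityPolicy(36, "sla"),
        "subscriber-b": InactivityPolicy(6, "risk_assessment"),
    }
    creds = [
        Credential("cred-1", "subscriber-a", datetime(2008, 1, 1, tzinfo=utc), datetime(2009, 1, 15, tzinfo=utc)),
        Credential("cred-2", "subscriber-a", datetime(2006, 1, 1, tzinfo=utc), datetime(2007, 6, 1, tzinfo=utc)),
        Credential("cred-3", "subscriber-b", datetime(2010, 1, 1, tzinfo=utc), datetime(2010, 8, 1, tzinfo=utc)),
        Credential("cred-4", "subscriber-c", datetime(2009, 1, 1, tzinfo=utc), datetime(2009, 12, 1, tzinfo=utc)),
        Credential("cred-5", "subscriber-c", datetime(2009, 6, 1, tzinfo=utc), None),
        Credential("cred-6", "subscriber-c", datetime(2009, 1, 1, tzinfo=utc), datetime(2009, 10, 15, tzinfo=utc), disabled=True),
    ]
    return sweep_inactive_credentials(creds, policies, now)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

With the sample data, cred-2 is disabled under subscriber-a's 36-month SLA period, cred-3 under subscriber-b's 6-month risk-assessed period, and the never-used cred-5 under the 18-month default; cred-1 and cred-4 remain within their applicable periods and cred-6 is skipped because it is already disabled. Keeping `period_source` in the audit record is what lets an assessor check each disablement against the right rule when a CSP runs several periods at once.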
On 29Mar2011, at 6:37 PM, Frazier-McElveen, Myisha wrote:
> Please note the following agenda items for tomorrow's IAWG telecon. Should there be any further suggestions, please submit them in advance to the list.
> DATE: Wednesday 23 March 2011
> TIME: 08:00 PST / 11:00 EST / 15:00 UTC
> DIAL IN INFORMATION:
> Skype: +9900827044630912
> US Dial-In: 1-201-793-9022
> Room Code: 4630912
> Roll Call
> Reminder of Motion of Minutes Approval: 23 March 2011
> Agenda Confirmation
> Administrative Announcements: Updates to the IAF
> Action Item Review:
> ACTION ITEM 20110316-Myisha : will circulate a starter list of FAQs for the IAWG to provide feedback. Progressed.
> ACTION ITEM 20110316-02 Anna : will coordinate that feedback and expand it to the IAWG wiki space for practical application. Pending IAWG responses to action 20110316-01.
> ACTION ITEM 20110323-01 John Bradley---will send info of pay pal use case to the group.
> ACTION ITEM 20110323-02 Bill Braithwaite---will send use cases to the list that include two different types of interaction with the CSP; one where the RP provides the attributes and asks for verification of identity, the other where the RP is asking for attributes about an identity that it does not already have.
> ACTION ITEM 20110323-03 Anna — will parse responses from email thread into the comment form / wiki as members provide their feedback.
> RP GUIDELINES: USE CASES AND SCOPE DISCUSSION
> FEEDBACK MATRIX
> Myisha Frazier-McElveen
> Identity Management Practice Manager
> 13873 Park Center Road
> Herndon, VA 20171
> (O) 703-766-6203
> (M) 240-751-7780
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org