TFS Monthly Sync - Draft Meeting Notes
Wednesday, July 13, 2016
Scott Shorter, Kimble and Associates
Russ Weiser, Syncronoss
Paul Caskey, Incommon
LaChelle LeVan, FICAM
Richard Wilsher, Zygma
Adam Madlin, Symantec
Colin Wallis, KI
Ruth Puente, KI
- They have been working on the Multifactor Authentication Interoperability Profile, so their Federation applications can request multifactor without having to insist on a particular technology, it is working well and their community has provided good feedback. Currently the discussion has moved to an international group, REFEDS Research and Education Federations, which plans to start a public consultation period on the topic.
- Incommon Baseline Practices now includes 4 statements for Identity Providers, 5 statements for Service Providers and 4 statements for Federation Operators. The draft Baseline Expectations for Trust in Federation is open for public consultation, available at the Incommon wiki: https://spaces.internet2.edu/display/InCAssurance/Baseline+Expectations+for+Trust+in+Federation
- They have started to work with REFEDS on Assurance Framework of SIRTFI, Security Incident Response Trust Framework for Federated Identity.
Sirtfi framework document: https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf Website: https://refeds.org/sirtfi
- Incommon has recently joined a REFEDS Working Group to study Assurance, what it means in modern terms.
- They are part of the global interfederation service eduGAIN, where Federation Operators register themselves and their metadata, and then eduGAIN combines all the national registries and republishes them in one large file.
- Security Incident Response Trust Framework for Federated Identity, SIRTFI.
- It was highlighted that it is important to set requirements for RPs to have a framework for reporting when comprise or other potential indicators of compromise take place and how to communicate that, the trust framework needs to integrate higher assurance.
- Some participants have noted that seems to be an emerging potential need for a trust framework around communications between the various parties involved, in order to mitigate the impact of security incidents.
- It was encouraged to look for evidence that some group is addressing this issue and report back in the next Sync call, as it is important to monitor the status of this space.
- NISTIR 7817 (http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7817.pdf ) discussed the concept of "credential reliability" in 2012.
Kantara IAWG Update
- IAWG is waiting for the approval of the project to map the trust framework back to the objectives, so there is a clear mapping for the criteria of what security objectives is achieving. It is useful on comparability assessments, when the company undergoing the assessment notes that they do not have a criteria as written in the trust framework but they are meeting the objectives, as the objectives are documented this request can be evaluated.
- IAWG is gathering comments on 800-63-3 within the Kantara community.
It was commented that IDESG made a mapping between IDESG's IDEF and the Kantara IAF.
- FICAM made a revision of all their existing processes, procedures, documentations assessments, information security controls, certifications, TFs, auditing processes, etc. and identified a set of items that they would like to close the gaps on. They are reviewing the findings with NIST and other primary stakeholder. The plan is to schedule a meeting later in August with the Trust Frameworks to go over the items FICAM has identified to discuss ideas on how to close the gaps.
- FICAM will discuss with the TFPs on the adoption of iGov profile.
- In relation to the shared authentication platform, they highlighted the full broker model implemented by the UK and its approach to help grow the market. The US has a much larger population and government services are covering a massive population. The broker model works well in the US. There will be third party providers in the platform, but in order to expedite the process, FICAM is evaluating if it is necessary to connect a government IdP in addition to the third parties. There is a big market, make it better for Agencies to make the choices that will help their missions, which includes more information, better information and make sure that all the gaps are closed.