The second panel at the REFEDS meeting during TechEx2016 focused on a series of global efforts to help us improve the quality of entities within federations and the trust that we place in them.
Tom Barton described the work of the InCommon Multifactor Authentication Interoperability Working Group. This group set out to develop and document requirements for creating and implementing an interoperability profile that lets the community leverage Multifactor Authentication (MFA) provided by an InCommon Identity Provider, by allowing SPs to rely on a standard syntax and semantics regarding MFA. One of the early findings of the group was that before an MFA profile could be developed, a common understanding of a baseline for federations was required. The group has made recommendations for two profiles – a base level for defining typical authentication within federations and an MFA profile that builds on top of this work.
This notion of baselining is being echoed elsewhere within both REFEDS and InCommon. InCommon have recently completed a consultation on a shared set of baseline expectations for federation entities, and the REFEDS Assurance Working Group is exploring a similar approach to baselining across federations.
Hannah Short gave an update on the Sirtfi framework and the current consultation on the normative documents that provide the process for implementing Sirtfi within federations. The consultation on this document is open until 28th October 2016, but early adopters such as CERN and CILogon are pushing federation members to embrace the approach right now. An Open Space session on Sirtfi during ACAMP gave some good inputs for the consultation and saw live adoption of Sirtfi in the room – a fantastic result for both REFEDS and InCommon.
Nicole Harris and Daniela Pöhn completed the jigsaw by giving updates on the Research and Scholarship (R&S) and Code of Conduct (CoCo) entity categories. R&S has recently seen a major piece of work to produce v1.3 of the specification and improve the language and descriptions used in documentation to aid adoption. All of these changes are intended to provide clarifications to the R&S approach and help IdPs to safely release attributes to Service Providers in an automated fashion. Next steps for R&S will be a version 2 that will look at taking slightly different approaches to the problem addressed by R&S, based on experience to date with the work.
The Code of Conduct allows Service Providers in Europe to demonstrate that they are good citizens when it comes to data protection practices and in turn gives confidence to Identity Providers that want to release attributes to trusted parties. CoCo is currently focused on a European-only approach and is undergoing a review based on the new General Data Protection Regulation. The GÉANT project hopes to also begin work on a global version of CoCo in the near future. Both Nicole and Daniela also presented this work in more detail during the main conference track at CAMP during TechEx2016.
It is hoped that these 4 approaches described in the panel will fit together to provide a coherent picture of what a “stepped-up” entity within identity federations would look like and a goal for our members to strive towards as we continue our efforts to improve and enhance trust in the community.