Blog post by Hannah Short (CERN)

It seems like only yesterday that the Sirtfi was published by REFEDS! It’s safe to say that the Security Incident Response Trust Framework for Federated Identity has firmly found its feet and is a fully-fledged policy toddler.

Since being released on the 14th of December 2015, 20 Federations have enabled support for Sirtfi, allowing 243 IdPs and 213 SPs to assert their compliance with the framework and publish their security contacts. That’s over 450 federated entities that can be contacted when their users or services are affected by a security incident.

In 2016, the REFEDS Sirtfi Working Group, together with the AARC Project, put together the specification for the Sirtfi Identity Assurance Certification and a first proposal of a Federated Incident Response Procedure. In parallel, the GÉANT project began coordinating an extended pilot of Sirtfi adoption, which ran into 2017.

Sirtfi is now listed by eduGAIN as a Best Current Practice and we are beginning to see the framework creeping into other policies. The latest work on the Data Protection Code of Conduct includes a requirement for Sirtfi as a mechanism for data leak notification and security incident response.

Future work in the Sirtfi WG is likely to continue in multiple directions. Firstly, to push for a method for organisations in the “long-tail-of-federations” to be able to assert Sirtfi. Additionally, to revisit the idea of an Incident Response Procedure for Federations based on feedback from Incident Simulations run by the AARC Project. However, I’ll leave this in the capable hands of the new WG Chair, Thomas Barton from Internet2 and the University of Chicago, and wait to see what happens as Sirtfi emerges from the other side of the “Terrible Twos”.