...
https://docs.google.com/document/d/1ODfru_zjQHQp57MxE1PCZh7lafw57OCiM1fgejx4EbI/edit#
Discussion
AEGIS review comments
What if there are user that use identity providers that do not support R&S? | R&S is just a way to assert the unique value for the ID component. When you do not have an assertion of the Id component, you can use R&S if you have it, if you do not you can use the im_a_person and contacts compensatory controls. |
| What if the external identity provider is a social media IdP? Is it still possible to achieve a minimal assurance profile? | One of the purpose of this document, along with AARC-G021 and AARC-G041, is exactly to allow Identity Providers outside of eduGAIN to be able to achieve at least level of low. |
| Affiliation can only mean that this identity has a meaning for this community. Do we really want to have the affiliation as part of the users' identity? | The document is agnostic toward the expression or not of affiliation information. |
| What if something like eIDAS is used in the future? We need to leave a window open for such identity sources, which might not signal the expected RAF values but we know they are good | Yes. While the current document is not making compulsory to use RAF or the suggested compensatory controls, we better highlighted the fact that others assurance frameworks might be used to convey assurance information:
|
| Is the document aligned with the title which says “combined” (indicating there are at least two external IDs linked to the infrastructure ID) but the contents (compensatory controls) are applicable even if there is just one external identity | Yes, it is true. We changed the title to Guidelines for the evaluation and combination of the assurance information of external identities. |
Meetings schedule and Minutes
...