...
--> moved to Maturity Template page
AARC
Early findings:
•Accounts belong to a known individual (i.e. no shared accounts)
•Persistent identifiers (i.e. are not re-assigned)
•Documented identity vetting (not necessarily F2F)
•Password authN (with some good practices)
•Departing user’s account closes/ePA changes promptly
•Self-assessment (supported with specific guidelines)
Questions to the floor:
•Do we want to include incident response stuff (NA3.2) here?
•Do we want to include attribute release requirements?
•Do we want to include wider information security requirements?
We develop and pilot a tool which
•Is an eduGAIN SP to which any eduGAIN IdP admin can log in
•Presents structured self-assessment questions to the IdP/IdM admin
•Quantitive: (”do accounts belong to an individual”)
•Qualitative: (”explain how you ensure accounts belong to an individual”)
•Publishes the results for anyone to read
•Evaluates if the LoA minimum is fulfilled
•Spits an Entity Category tag to eduGAIN metadata for the IdP
•Can we do that centrally?
•Asks the IdP admin to re-evaluate every year
•Can assist in the LoA peer-review
•If peer review becomes a requirement e.g. for a higher LoA level
Recommendations
SWAMID - eduID
...