
The Security Incident Response Trust Framework for Federated Identity (Sirtfi) aims to enable the coordination of incident response across federated organisations. This assurance framework comprises a list of assertions to which an organisation can attest in order to be declared Sirtfi compliant. An official "trust mark" has been defined for SAML Service Providers and Identity Providers to allow organisations to technically advertise their adoption of the framework, and a similar approach is being planned for OpenID Federation.

Who should adopt Sirtfi and why?

Any federated organisation should adopt Sirtfi to improve its internal operational security and to be able to participate in federated security incident response. If you have not published a security contact in the identity federation, you will not be informed of any ongoing security incidents that may affect you.

How does Sirtfi fit into an AARC BPA compliant infrastructure?

To assert Sirtfi for your entire infrastructure, it is important to ensure that the list of Sirtfi requirements is met by both the AAI layer and all connected services. Since Sirtfi requires that best practices in operational security are met, e.g. regular patching, it is important that your infrastructure has a policy ensuring that each service follows these practices.

How to adopt Sirtfi?

Please visit https://wiki.refeds.org/display/SIRTFI/Guide+for+Federation+Participants 

Resources
