
4.2 SPECIFICATION OF IDENTITY ASSURANCE REQUIREMENTS
This section contains all of the normative language for the Bronze and Silver IAPs.
In the requirements that follow, indicates that the numbered section applies to the Bronze IAP; indicates that the numbered section applies to the Silver IAP.

...

InCommon Silver Requirement

...

UCOP Process

...

4.2.1 BUSINESS, POLICY AND OPERATIONAL CRITERIA
IdP Operators must have the organizational structures and processes to come into and remain in compliance with the provisions of this IAP.

...

4.2.1.1 INCOMMON PARTICIPANT
The IdPO must be an InCommon Participant in good standing in order to be considered for certification under this IAP. In this context, "good standing" means not in arrears with respect to financial obligations to InCommon nor out of compliance with other contractual obligations to InCommon.

...

4.2.2 REGISTRATION AND IDENTITY PROOFING
Identity proofing in this IAP is based on government-issued ID or public records. Verified information is used to create a record for the Subject in the IdPO's IdMS.

...

4.2.2.1 RA AUTHENTICATION
Each RA must authenticate to the IdMS using a credential that meets or exceeds Silver requirements. Communications between an RA and the IdMS shall be encrypted using an industry standard protocol that also authenticates the IdMS platform.

...

4.2.2.3 REGISTRATION RECORDS
1. A record of the facts of registration shall be maintained by the IdPO.
2. The record of the facts of registration shall include:
• Identity proofing document types and issuers;
• Full name as shown on the documents;
• Date of birth;
• Current Address of Record.
3. Records also must include revocation or termination of registration.

...

4.2.2.4 IDENTITY PROOFING
Prior to this process, the Subject supplies his or her full name, date of birth, and an Address of Record to be used for communication with the Subject, and may, subject to the policy of the IdPO, also supply other identifying information. For each Subject, the full name, date of birth and Address of Record must be verified using one or more of the following methods:

...

4.2.2.4.1 Existing relationship
If the IdPO is a function of an enterprise, the identity proofing process may be able to leverage a pre-existing relationship, e.g., the Subject is an employee or student. Where some or all of the identity proofing done at the time the existing relationship was established is comparable to that required in §4.2.2.4.2 or §4.2.2.4.3 below, those results may be relied upon for this purpose. The IdPO's Registration Authority (RA) shall confirm that the Subject is a person with a current relationship to the organization, record the nature of that relationship and verify that the relationship is in good standing with the organization.

...

  1. Washington/Sacramento:
    • Admins in Wash/Sac do the identity proofing and make copies of the documents.
    • They send these copies along with I-9 information to BRC.
    • BRC does the PPS entry and the UCTrust certification.
  2. UC Press:
    • UC Press does the identity proofing.
    • UC Press enters I-9 information into their own payroll system and maintains the log.
    • UC Press does the logon check.
    • BRC does the UCTrust certification on request from UC Press.
  3. Anywhere else:
    • Campus admin or notary does the identity proofing.
    • Notarized copies of identity proofing are sent to BRC.
    • BRC does the I-9 entry into payroll and UCTrust certification.

...

4.2.3 CREDENTIAL TECHNOLOGY
These InCommon IAPs are based on use of "shared Authentication Secret" forms of identity Credentials. If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements.

...

Previously considered "low" impact.

...

4.2.3.2 RESISTANCE TO GUESSING AUTHENTICATION SECRET
The Authentication Secret and the controls used to limit online guessing attacks shall ensure that an attack targeted against a given Subject's Authentication Secret shall have a probability of success of less than 2^-10 (1 chance in 1,024) over the life of the Authentication Secret. This requires that an Authentication Secret be of sufficient complexity and that the number of invalid attempts to enter an Authentication Secret for a Subject be limited.
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="29e5d539-6793-4fd3-bf93-74b8aa3f3fbc"><ac:plain-text-body><![CDATA[Refer to NIST Special Publication 800-63-1 [SP 800-63], Appendix A, for a discussion of Authentication Secret complexity and resistance to online guessing.]]></ac:plain-text-body></ac:structured-macro>
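The 2^-10 bound above combines two controls, secret complexity and attempt limiting, and an operator has to show that the two together meet it. The following Python script is an added worked example (not part of the IAP text or the UCOP assessment) that turns a lockout policy and an entropy estimate into the attempt budget, the resulting success probability, and the minimum entropy the policy needs. The lockout model (N failures, then a lockout of M minutes, repeated over the secret's lifetime) and the sample policy numbers are assumptions of this example; the entropy figure for a real password policy would come from the SP 800-63 Appendix A estimate rather than raw length.

```python
"""Added example: checking an online-guessing policy against the IAP's
2^-10 bound.  Not part of the InCommon IAP or the UCOP assessment.

Model (an assumption of this example, not the IAP's): the IdMS locks an
account for `lockout_minutes` after `max_failures` consecutive wrong
attempts, and the secret stays valid for `lifetime_days`.  The attacker is
assumed to do no better than uniform guessing over 2**entropy_bits
secrets, where entropy_bits is the SP 800-63 Appendix A style estimate
the operator makes for its password policy.
"""
import math

THRESHOLD = 2 ** -10  # 1 chance in 1,024, per IAP 4.2.3.2


def allowed_attempts(lifetime_days, max_failures, lockout_minutes):
    """Upper bound on online guesses possible over the life of the secret.

    Each lockout window grants at most `max_failures` guesses; the number
    of windows is rounded up, so the bound is conservative (it favours the
    attacker, which is the right direction for a compliance check).
    """
    lifetime_minutes = lifetime_days * 24 * 60
    windows = math.ceil(lifetime_minutes / lockout_minutes)
    return windows * max_failures


def guess_probability(attempts, entropy_bits):
    """Probability that `attempts` distinct guesses find a uniformly chosen
    secret drawn from 2**entropy_bits possibilities (capped at 1.0)."""
    return min(1.0, attempts / 2 ** entropy_bits)


def meets_requirement(attempts, entropy_bits):
    """True when the targeted-attack success probability is below 2^-10."""
    return guess_probability(attempts, entropy_bits) < THRESHOLD


def required_entropy_bits(attempts):
    """Smallest whole number of entropy bits satisfying the bound for the
    given attempt budget: attempts / 2**bits < 2**-10."""
    bits = math.ceil(math.log2(attempts) + 10)
    # log2 rounding can land exactly on the boundary; the bound is strict.
    while not meets_requirement(attempts, bits):
        bits += 1
    return bits


def assess_policy(name, lifetime_days, max_failures, lockout_minutes, entropy_bits):
    """Summarise one policy: attempt budget, probability, verdict, and the
    entropy the policy would need if it currently fails."""
    attempts = allowed_attempts(lifetime_days, max_failures, lockout_minutes)
    return {
        "policy": name,
        "attempts": attempts,
        "probability": guess_probability(attempts, entropy_bits),
        "compliant": meets_requirement(attempts, entropy_bits),
        "min_entropy_bits": required_entropy_bits(attempts),
    }


# Constructed sample policies (illustrative numbers, not UCOP's actual settings).
SAMPLE_POLICIES = [
    # name, lifetime_days, max_failures, lockout_minutes, entropy_bits
    ("annual password, 5 tries / 15 min lockout, 30-bit secret", 365, 5, 15, 30),
    ("annual password, 5 tries / 15 min lockout, 24-bit secret", 365, 5, 15, 24),
    ("180-day password, 10 tries / 30 min lockout, 27-bit secret", 180, 10, 30, 27),
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        result = assess_policy(*policy)
        verdict = "compliant" if result["compliant"] else "NOT compliant"
        print(f"{result['policy']}: {result['attempts']} guesses, "
              f"p={result['probability']:.2e}, {verdict} "
              f"(needs >= {result['min_entropy_bits']} bits)")
```

The useful output is the last column: for a one-year secret with five tries per fifteen-minute lockout, the attacker gets 175,200 guesses, so the secret needs 28 bits of guessing entropy; a 24-bit secret under the same lockout fails the bound by an order of magnitude. Tightening the lockout (fewer tries, longer window) lowers the required entropy, which is the trade-off an operator documents when it claims 4.2.3.2.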

...

4.2.4 CREDENTIAL ISSUANCE AND MANAGEMENT
The authentication Credential must be bound to the physical Subject and to the IdMS record pertaining to that Subject as described in this section.

...

Moderate level of difficulty

...

4.2.4.1 CREDENTIAL ISSUANCE
To ensure that the same Subject acts throughout the registration and Credential issuance process, the Subject shall identify himself or herself in any new transaction (beyond the first transaction or encounter) with information known only to the Subject, for example a temporary Secret which was established during a prior transaction or encounter, or sent to the Subject's Address of Record. When identifying himself or herself in person, the Subject shall do so either by using a Secret as described above, or through the use of an equivalent process that was established during a prior encounter.

...

Compliant. BRC requires the subject to sign in to AD while being observed.

...

We should check to be sure that Techdesk has this policy established. Given that this is a generous amount of time to close an account, we assume compliant.

...

4.2.4.4 CREDENTIAL ISSUANCE RECORDS RETENTION
The IdPO shall maintain records of Credential issuance and revocation for a minimum of 180 days beyond the expiration of the Credential. These records must include, for each Credential issuance/revocation event, the Credential unique identifier and the time of issuance/revocation.

...

As above, logs must be kept for password re-issuance.

...

4.2.5 AUTHENTICATION PROCESS
The Subject interacts with the IdP to prove that he or she is the holder of a Credential, enabling the subsequent issuance of Assertions.

...

Low impact.

...

4.2.5.1 RESIST REPLAY ATTACK
The authentication process must ensure that it is impractical to achieve successful authentication by recording and replaying a previous authentication message.

...

Compliant

...

4.2.5.2 RESIST EAVESDROPPER ATTACK
The authentication protocol must resist an eavesdropper attack. Any eavesdropper who records all the messages passing between a Subject and a Verifier or relying party must find that it is impractical to learn the Authentication Secret or to otherwise obtain information that would allow the eavesdropper to impersonate the Subject.

...

Compliant

...

4.2.5.3 SECURE COMMUNICATION
Industry standard cryptographic operations are required between Subject and IdP in order to ensure use of a Protected Channel to communicate.

...

Compliant. All use SSL.

...

4.2.5.4 PROOF OF POSSESSION
The authentication process shall prove the Subject has possession of the Authentication Secret or Token.

...

Compliant

...

4.2.5.5 SESSION AUTHENTICATION
If the IdP uses session-maintenance methods (such as cookies) so that after an initial authentication act new Assertions can be issued without the Subject having to re-authenticate, such methods shall use industry standard cryptographic techniques to ensure that sessions are at least as resistant to attack as initial authentication.
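What "industry standard cryptographic techniques" means for a session cookie is that the IdP, not the browser, decides whether a presented session is genuine and still within its lifetime. The script below is an added Python illustration (not the IdP software's own session code, and not part of the IAP) of a session token that is authenticated with HMAC-SHA-256 under a server-side key, carries the Subject, the original authentication time and an expiry, and is rejected on tampering or expiry with a constant-time comparison. The key handling (a key generated at import time) and the field names are assumptions of the example.

```python
"""Added example: an HMAC-authenticated, expiring session token of the kind
an IdP can use for session maintenance under 4.2.5.5.  Not the IdP's own
code; key handling and field names are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed server-side key.  A real IdP would load this from a secret
# store and rotate it; the attacker never sees it (assumption of the model).
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(subject, auth_time, lifetime_s, key=SERVER_KEY):
    """Mint a token after a successful initial authentication.

    `iat` records when the Subject actually authenticated, so later
    Assertions can report the real authentication instant; `exp` caps how
    long the session substitutes for re-authentication; `nonce` gives the
    IdP a handle for server-side revocation if it keeps a denylist.
    """
    payload = {
        "sub": subject,
        "iat": auth_time,
        "exp": auth_time + lifetime_s,
        "nonce": _b64(os.urandom(16)),
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_session(token, now, key=SERVER_KEY):
    """Return the payload for a genuine, unexpired token, else None.

    The MAC is checked before the body is parsed, and with a constant-time
    comparison, so a forged or edited token yields no information.
    """
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    return payload


if __name__ == "__main__":
    token = issue_session("subject-0001", auth_time=1_700_000_000, lifetime_s=8 * 3600)
    print("valid  :", verify_session(token, now=1_700_000_000 + 60) is not None)
    print("expired:", verify_session(token, now=1_700_000_000 + 9 * 3600) is None)
```

In deployment the token is set with the Secure and HttpOnly cookie attributes and only ever travels over the Protected Channel required by 4.2.5.3; the MAC protects integrity, not confidentiality, so anything in the body is readable by the holder.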

...

Compliant

...

Currently compliant, but we should establish a standard reminder process.

...

4.2.6 IDENTITY INFORMATION MANAGEMENT
Subject records in the IdPO's IdMS must be managed appropriately so that Assertions issued by the IdPO's IdP are valid.

...

Low

...

4.2.6.1 IDENTITY RECORD QUALIFICATION
If Subject records in an IdMS do not all meet the same set(s) of IAP criteria, then the IdP must have a reliable mechanism for determining which IAQ(s), if any, are associated with each record.

...

Compliant

...

4.2.7 ASSERTION CONTENT
The IdPO must have processes in place to ensure that information about a Subject's identity conveyed in an Assertion of identity to an SP is from an authoritative source.

...

Low

...

4.2.7.1 IDENTITY ATTRIBUTES
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="986a1e8b-a388-4d8d-bccf-0c9d03090ba9"><ac:plain-text-body><![CDATA[The actual meaning of any attribute values identified as attributes recommended for use by InCommon Participants should be consistent with definitions in the InCommon Attribute Summary [InC-AtSum].

...

Compliant

...

]]></ac:plain-text-body></ac:structured-macro>

...

4.2.7.2 IDENTITY ASSERTION QUALIFIER (IAQ)
An IdPO may be certified by InCommon to be able to include one or more InCommon IAQs as part of Assertions. The IdP must not include an InCommon IAQ that it has not been certified by InCommon to assert and must not include an IAQ if that Assertion does not meet the criteria for that IAP.

...

This would be new under InCommon Silver.

...

4.2.7.3 CRYPTOGRAPHIC SECURITY
Cryptographic operations are required between an IdP and any SP. Cryptographic operations shall use industry standard cryptographic techniques.
The Assertion must be either:
• Digitally signed by the IdP; or
• Obtained by the SP directly from the trusted entity (e.g., the IdP or Attribute Service) using a Protected Channel.

...

Compliant. We use the second option, using SSL.

...

4.2.8 TECHNICAL ENVIRONMENT
IdMS Operations must be managed to resist various potential threats such as unauthorized intrusions and service disruptions that might result in false Assertions of Identity or other erroneous communications.

...

We originally said this was Moderate, but I think that it is really Low. It all has to do with the stability and resistance to intrusion of AD.

...

4.2.8.1 SOFTWARE MAINTENANCE
IdMS Operations shall use up-to-date supported software.

...

Compliant

...

Compliant. See answer to 4.2.3.5.

...

4.2.8.3 PHYSICAL SECURITY
IdMS Operations shall employ physical access control mechanisms to restrict access to sensitive areas, including areas such as leased space in remote data centers, to authorized personnel.

...

Compliant

...

4.2.8.4 RELIABLE OPERATIONS
IdMS Operations shall employ techniques to minimize system failures and ensure that any failures are not likely to result in inaccurate Assertions being sent to SPs.

...

Retroactive Certification

...

It was decided amongst UCTrust workgroup members that we would not include a retroactive re-certification of all subjects. I don't think UCOP would need re-certification anyway.