auEduPerson Schema

Presentation transcript:

auEduPerson Schema (slide 1)
Schema derived from:
- eduPerson
- person [RFC 4517, RFC 4519]
- organizationalPerson [RFC 4517, RFC 4519]
- inetOrgPerson [RFC 2798]
- schac
- auEduPerson-specific
See (Sep-09): uPerson_attribute_vocabulary_v pdf?version=1
REFEDS: 21-Oct-09, Alex Reid, AAF & AARNet

auEduPerson Schema: Standard Vocabulary (slide 2)
Attribute (source schema):
- auEduPersonAffiliation (auEduPerson)
- auEduPersonLegalName (auEduPerson)
- auEduPersonSharedToken (auEduPerson)
- eduPersonAffiliation (eduPerson)
- eduPersonAssurance (eduPerson)
- cn (person)
- eduPersonPrimaryAffiliation (eduPerson)
- eduPersonPrincipalName (eduPerson)
- eduPersonScopedAffiliation (eduPerson)
- eduPersonTargetedID (eduPerson)
- givenName (inetOrgPerson)
- mail (inetOrgPerson)
- mobile (inetOrgPerson)
- o (inetOrgPerson)
- postalAddress (organizationalPerson)
- preferredLanguage (inetOrgPerson)
- schacGender (schac)
- schacPersonalTitle (schac)
- schacPersonalUniqueCode (schac)
- schacUserPresenceID (schac)
- sn (person)
- telephoneNumber (person)
- userCertificate (inetOrgPerson)
- userSMIMECertificate (inetOrgPerson)

auEduPerson Schema: Levels of Assurance Attributes (slide 3)
Guided by:
1. NeAF: Australian National e-Authentication Framework
2. Liberty Alliance: Identity Assurance Framework v1.1
3. NIST: SP 800-63 V1_0_2
NIST was chosen to align with, as it is the most widely used. However, it is not as definitive as desired, so reference is made to the LA Framework (which has more useful detail, but is subject to review at present). NeAF is still at a formative stage (but provides useful guidance on undertaking a risk assessment analysis). NeAF and LA/Kantara will be kept under review.
Two dimensions of LoA are defined:
- Identity (or Registration) LoA, levels 1 to 4: eduPersonAssurance
- Authentication LoA, levels 1 to 4: SAML AuthenticationMethod

auEduPerson Schema: LoA Values (slide 4)
eduPersonAssurance (Identity or Registration LoA):
1 = no identity proofing (but some assurance that this is the same person)
2 = possession of some government-issued identity documents
3 = detailed verification of valid government-issued picture ID required
4 = in-person verification against government-issued picture ID
SAML AuthenticationMethod (Authentication LoA):
1 = simple passwords
2 = password verified through a secure authentication protocol
3 = 2-factor authentication through a cryptographic protocol
4 = as for 3, but only hard cryptographic tokens allowed
NOTE: the above summaries are very much simplified; see the Schema document or the LA Framework for details (especially as they relate to the difference between in-person and remote identity verification).
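A service-side check of the two LoA dimensions above, as an added example (Python; not code from the slides or from the AAF): it reads eduPersonAssurance and the authentication context from a constructed SAML 2.0 assertion and requires each dimension to independently meet the resource's minimum. The mapping of SAML 2.0 authentication context classes onto the slide's levels 1 to 4 is an assumption, as is the use of the basic attribute name rather than an OID.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping of SAML 2.0 AuthnContext class URIs onto the slide's four
# authentication LoA levels (the slide names the SAML 1.x AuthenticationMethod
# element; SAML 2.0 carries the same information in AuthnContextClassRef).
AUTHN_CONTEXT_LOA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

def parse_loa(assertion_xml):
    """Return (identity_loa, authn_loa); anything absent or unrecognised is 0.

    Assumes the assertion's signature was verified first: the LoA values are
    only as trustworthy as the IdP that signed them.
    """
    root = ET.fromstring(assertion_xml)
    identity = 0
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "eduPersonAssurance":
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text.isdigit():  # levels are hierarchical, so keep the highest
                identity = max(identity, int(text))
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    authn = AUTHN_CONTEXT_LOA.get((ref.text or "").strip(), 0) if ref is not None else 0
    return identity, authn

def access_allowed(assertion_xml, min_identity, min_authn):
    """Both dimensions must independently meet the resource's minimum."""
    identity, authn = parse_loa(assertion_xml)
    return identity >= min_identity and authn >= min_authn

# Constructed sample: password over a protected transport (level 2) for a user
# whose identity was proofed with government-issued documents (level 2).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAssurance"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A resource that needs level 3 authentication rejects the sample even though its identity level is sufficient, which is the point of keeping the two dimensions separate.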


Federation Operator CPS (slide 6)
Purpose: Establish rules for SAML operation, i.e. a SAML Metadata Signing Policy & Aggregation Practice Statement Framework. [cf. the way RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, is used to manifest trustworthiness in a PKI Federation.]
Process:
a. Establish small group & set up mailing list, group pages;
b. Small group develop draft;
c. Submit to REFEDS, ECAM, MACE, TF-EMC2 for comment?
d. Small group incorporate feedback;
e. Submit to IETF for eventual endorsement?

Federation Operator CPS (slide 7)
Participants:
- Rodney McDuff
- Andrew Cormack
- Victoriano Giralt
- Scott Rea (Director of the HE Bridge Certificate Authority (HEBCA) Operating Authority, Dartmouth, USA)
- Leif Johansson
Corresponding member: Milan Sova. Lurkers: Licia Florio & Alex Reid.
Progress:
- Members agreed;
- Mailing List & Wiki set up;
- Rodney prepared a very preliminary draft;
- Scott preparing a fleshing-out of the headings taken from RFC 3647;
- Andrew to be asked to flesh out policy/legal/audit & Leif the dynamic metadata components.

Federation Operator CPS (slide 8)
Proposed 8 sections to the document:
1. Audit (Security & Compliance)
2. ID Proofing
3. Certificate Issuance
4. Certificate Maintenance
5. Personnel (Trusted Roles)
6. Physical & Logical Protection of Hardware
7. Certificate Status & Repository
8. Miscellaneous
[derived from RFC 3647, so may vary as fleshed out]