Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

https://docs.google.com/document/d/1ODfru_zjQHQp57MxE1PCZh7lafw57OCiM1fgejx4EbI/edit#


Discussion

AEGIS review comments  



What if there are user that use identity providers that do not support R&S?

R&S is just a way to assert the unique value for the ID component. When you do not have an assertion of the Id component, you can use R&S if you have it, if you do not you can use the im_a_person and contacts compensatory controls.
What if the external identity provider is a social media IdP? Is it still possible to achieve a minimal assurance profile?

One of the purpose of this document, along with AARC-G021 and AARC-G041, is exactly to allow Identity Providers outside of eduGAIN to be able to achieve at least level of low.

Affiliation can only mean that this identity has a meaning for this community. Do we really want to have the affiliation as part of the users' identity?The document is agnostic toward the expression or not of affiliation information.
What if something like eIDAS is used in the future? We need to leave a window open for such identity sources, which might not signal the expected RAF values but we know they are good

Yes. While the current document is not making compulsory to use RAF or the suggested compensatory controls, we better highlighted the fact that others assurance frameworks might be used to convey assurance information:

  • OLD A requirement for the assurance evaluation is that assurance components related to the same individual, but coming from different IdPs, are defined along the lines of the RAF, or can be translated into those definitions
  • NEW A requirement for the assurance evaluation is that assurance components related to the same individual, but coming from different IdPs, are defined along the lines of the RAF, or, when expressed through other assurance frameworks as for example eIDAS LoA [eIDAS LoA], can be translated into those definitions.
Is the document aligned with the title which says “combined” (indicating there are at least two external IDs linked to the infrastructure ID) but the contents (compensatory controls) are applicable even if there is just one external identity

Yes, it is true.

We changed the title to Guidelines for the evaluation and combination of the assurance information of external identities.


Meetings schedule and Minutes

...