[CSG Winter 2011] InCommon Silver

InCommon Silver is an Identity Assurance Program. It imposes a set of infrastructure requirements across eight assessment areas, falling into three general categories of requirements:
1. Documentation of policies and procedures and standard operating practices
2. Strength of authentication and authorization
3.?

CIC CIOs provide strong exec. sponsorship.
The CIC universities will implement Silver to support LoA 2 by Fall 2011

CIC co-leads – Renee Shuey (Penn State), Tom Barton (Chicago).

Michigan State – goals were to enable collaboration, so it needed to build trust with external partners in order to facilitate access to services. Initial challenges revolved around interpreting the Bronze/Silver Identity Assurance Profile (IAP) – luckily friends in the CIC helped decode it – it’s got very complex ideas. Password policies didn’t map – they were too simple. Sorely lacking: documentation, policy. Who to provide this for? Try to pare down scope. What’s the killer app? It has yet to rear its head – most likely to come out of NIH. The argument has been: let’s try to be proactive and be prepared before it becomes a requirement.

Approach – work with other institutions, partner with campus stakeholders, identify a subset of users (likely research faculty), leverage ID office (verification process, credentialing). Investigating second credential (certs) through iClass ID Cards – might do that rather than strengthen passwords on first credential.

Mary Dunker – VA Tech

Rewind to CSG, Jan 2010
– Developing levels of assurance for personal digital IDs at Tech.
– Developing a method for determining LoA.
– Developing technology for authenticating at a given LoA.
– Aware that InCommon Silver was “out there”, but was going down the road towards NIST certification.

Now
– Established standard for personal digital identity levels of assurance
– CAS recognizes LoA of authentication credential
– CAS front-ends Shibboleth
– Ex-officio member of the CIC Silver Project planning group.

Where they’re going
– achieve InCommon Silver with personal digital certs on a usb token. Later possibilities – VASCO digipass one-time password devices. Soft certs (require infrastructure changes, developments of new UI).

Remaining tasks – Wait for Silver to be finalized, ensure compliance with Silver – may require a change to record (and encrypt) DL or passport number. Ensure that CAS checks the revocation list for certs. Request audit. Apply for Silver.

Iowa (Chris Pruess)

Silver thinking – The project doesn’t stand in isolation. The identity service served the central academic space, but not the hospital. Brought the hospital into the space starting in 2000. Current authentication focus – Active Directory assessment – can it provide the required level of authentication strength to meet Silver? Have strong project management discipline in the IT org. Leveraging other projects – campus ID card (ID proofing improvements – brought the hospital badging requirement in also), revision of the enterprise password policy (established a framework for multiple password strengths).

Tom notes that while the initial use cases for Silver are for smaller specialized populations (NIH apps, TeraGrid) we should be ready for the larger cases coming – e.g. TIAA/CREF, financial aid, etc. Chicago wants to get to Silver using existing user name/password credentials. Requires a bunch of work on things like how passwords are stored and managed.

RL Bob Morgan – Refining Silver.
We were working on the federal E-Auth requirements, but then they phased that out and started ICAM.

Need to change based on feedback – if it’s that hard for Va Tech, that’s a problem. It has to work for everyone. Needs to be as simple to understand and implement as it can be while still dealing with federal requirements. People read every word. Watch out for “must”. Remove most requirements not referenced by the ICAM TFPAP. The exception is some other potential Silver consumers such as TeraGrid/IGTF.

Business, Policy, and Operational Factors is the primary section where elements have been removed. Audits and Auditors – Recognize the need for shared risk between InCommon and campuses, propose an Assurance Review Board. Role of auditors: confirm management assertions, not guarantee IA conformance. Reduce the number and frequency of audits. Tom notes that they’re working with ACUA (the Association of College and University Auditors) towards guidelines on how to audit identity management. Matt notes that working with the auditor before setting down this path is a very good idea.

IAM functional model – flesh out the enterprise scenario vs. a dedicated IdP – e.g. multiple apps, RAs, password stores. Streamline terms. Define terms in context.

Registration and proofing – clarify some concepts – existing relationship, identity information (e.g. meaning of “address of record”).

Kevin Morooney – It’s important – You should care. Two perspectives

Campus CIO –

4 basic principles/observations
– We want more. always
– They said it couldn’t be done, but we did it
– If your best friend jumped off a bridge….
– We are playing our part in an epic battle.

The importance of Trust increases with transactional importance – from affinity cards, through credit cards, driver licenses, passports, social security card, birth certificate.

Principle: Over time we want to do higher-stakes transactions online. True within campus, off campus, between campuses, etc. Klara’s point – we’ve been doing it all along for quite some time. The value of doing Silver is already paying off.

Principle: eduPerson, authentication, authorization. Each of these was a hard effort, but we’ve made a lot of progress. Every step along the way there were naysayers – they weren’t right. But they could have been. NIH is taking this trust fabric idea very seriously.

Principle: Others with whom we do business are heading in the same directions, for incredibly similar reasons.

An epic battle is being waged – Popularity vs. Truth. Our institutions are largely in the business of getting it right – what we’re constantly up against is popular knowledge that hasn’t been vetted. Getting trust right is a part of truth. Changing scholarship models will require making strong assertions about our people.

A late addition – big companies have contacted Kevin about learning how we’ve done identity management – because we’ve been dealing with the chaos that they’re just beginning to experience.

InCommon guy –

Principle – it’s about community. InCommon maturation – size and shape of the org are changing. Lot of dialog about wanting InCommon to play more of a role – community asking it to do things.

Principle- Silver is one of many things that supports the theme of the future – ever increasing trust.

InCommon’s success is dependent on what we do on our campuses.

2 thoughts on “[CSG Winter 2011] InCommon Silver”

  1. We anticipate that a near-final draft of v1.1 of the InCommon IAP and IAAF documents will be completed before the end of January. Those will then go through two successive review cycles – one quick and closed, the other public – before being finalized. I expect we’ll publish v1.1 in March 2011.

    At that point we can say that Silver will have been finalized. However, there are two further developments that you might wish to track. First, InCommon still needs to implement a few things before there’s a functional Identity Assurance Program by which a campus can get formally certified. That’s anticipated to be ready in Summer 2011, though of course there’s much a campus may need to do before getting to the point of submitting a certification request.

    The other development to track is how the federal government’s ICAM group responds to the new version of Silver. Although we’ve tried very hard to ensure that their requirements will remain fully satisfied, it is possible that a second opportunity to assess InCommon’s Identity Assurance program will produce different feedback than the first time around.
