Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


comment #Line/Reference #Proposed Change or QueryProposer / AffiliationAction / Decision (please leave blank)

277-82The definition of CSP in this paragraph doesn't align well with that on page 4, and (I think) page 4 better represents what this document means by "CSP" (i.e., the organization's whole technical and organizational infrastructure for IAM). I suggest removing "...the central part of..." from that paragraph.David Walker / independent consultant
3232In the definition of "low," the issue is not really when an identity is self-asserted, but rather whether it was validated and verified. I suggest rewording the first sentence to ""The bearer of this claim is a Person with an identity that has not necessarily been validated and verified (i.e., a self-asserted identity).David Walker / independent consultant
4generalThanks to the authors for your work to date. Overall, v2 is a big improvement and I think you've achieved the objectives outlined. This is both technical and abstract and I acknowledge that English is often not the author's native language. Great job! 👏 I'm going to add a lot of comments below but hopefully it will improve readability and clarity. Please don't take it as criticism.John Scullen / Australian Access Federation
5comment 1 and 2+1. I agree with david on both of these points.John Scullen / Australian Access Federation

I'm not entirely happy with this redraft but suggest the following as an introductory paragraph: 

"In identity federations, Relying Parties (RP) grant access to services after users successfully authenticate to to their home organisation Identity Provider (IdP) using their institutional credentials. Identity Providers in turn rely on the home organisation's Credential Service Providers (CSP) to issue and manage user credentials. Each RP has a different risk profile and different thresholds of confidence regarding assertions made by IdPs in order to address the RP's operational risks. This REFEDS Assurance Framework specifies methods for expressing elements of identity assurance from the CSP for evaluation by the RP within research and education federations."

I think it's better to talk about "levels of confidence" rather than "certainty". Assurance is about collecting enough evidence to clear some threshold related to the risks in that particular situation. It's about having sufficient confidence rather than certainty.

John Scullen / Australian Access Federation
711orthogonal → independentJohn Scullen / Australian Access Federation
816delete "with the arbitrary names"John Scullen / Australian Access Federation
916cover → encapsulateJohn Scullen / Australian Access Federation

Revise final sentence to:

This framework also specifies how to represent the defined claims using SAML 2.0 and OpenID Connect federated identity protocols.

John Scullen / Australian Access Federation

Revise to:

Claims made on the basis of the original REFEDS Assurance Framework (RAF 1.0) can continue under the REFEDS Assurance Framework version 2.0 (RAF 2.0) with some exceptions for IAP process-based claims. Appendix A explains these exceptions and section 4 defines how to express IAP claims under both RAF 1.0 and RAF 2.0.

John Scullen / Australian Access Federation

Revise to:

This document provides a framework by which a Credential Service Provider (CSP) asserts claims about identity assurance attributes in the process of authenticating to an RP's service.

John Scullen / Australian Access Federation
1378-79Delete: "In a federated environment". I think we've adequately scoped this in the introduction. No need to keep repeating it.John Scullen / Australian Access Federation
1481This framework → The REFEDS Assurance FrameworkJohn Scullen / Australian Access Federation

Revise to:

Identifier Uniqueness - communicates to the RP that the user’s identifier (such as a login name) is unique and is bound to a single identity in the CSP’s context.

John Scullen / Australian Access Federation

Revise to:

Identity Assurance - communicates to the RP how confident the CSP was at the time of enrollment, of the real-world identity of the Person to whom the account was issued. This framework specifies three levels of process-based identity assurance and authenticator management (low, medium and high) and one risk-based identity assurance claim (local-enterprise).

John Scullen / Australian Access Federation

Revise to:

Attribute Assurance - communicates to the RP the quality and freshness of attributes (other than the unique identifier).

John Scullen / Australian Access Federation

Revise to:

Since an RP trusts one or more external CSPs to issue and manage credentials, the RP must rely on the CSPs to help mitigate associated risks. The RP operator's assessment of the sensitivity of the data collected and processed by its information systems and infrastructure will influence how much risk is acceptable and the controls necessary to mitigate the risks. RPs need higher confidence in the quality of attributes and identities asserted by a CSP as the risk factors increase. This framework describes methods for communicating these levels of confidence in a federated login attribute assertion.

John Scullen / Australian Access Federation

Revise to:

authentication needs to be sufficiently strong to confirm that the claims pertain to the person logging in. For example, if an RP determines that a service requires high identity assurance, it should also require MFA from the CSP for strong authentication assurance.

John Scullen / Australian Access Federation
20109transport → transitJohn Scullen / Australian Access Federation

Revise to:

For example, the assertion response should be signed using a certificate known and trusted by the RP.

John Scullen / Australian Access Federation

Revise to:

The REFEDS Assurance Framework (RAF 2.0) has two purposes:

John Scullen / Australian Access Federation
23112, 114Numbered paragraphs as 1. and 2. rather than using dot points.John Scullen / Australian Access Federation
24118 - meaning of Registrar

Revise to:

A person carrying out the identity proofing process for the CSP organisation.

John Scullen / Australian Access Federation
25118 - meaning of Unsupervised Remote Proofing

Revise after "Unsupervised Remove Proofing processes may be:" to:

  1. manual, in which the CSP uses a Registrar to evaluate the application and perform any checks required after the time of the Claimant’s application, or

  2. automated, where the CSP uses technology to process the claim and automate any required checks.

An identity proofing process may use a combination of manual and not automated unsupervised remote proofing.

John Scullen / Australian Access Federation

Revise to:

A CSP is REQUIRED to conform to the following REFEDS Baseline Expectations for Identity Provider Operators in order to conform to the REFEDS Assurance Framework:

John Scullen / Australian Access Federation
27125Include link/reference to [REFEDS Baseline Expectations for Identity Provider Operators]( Scullen / Australian Access Federation
28172Delete "The components are orthogonal; therefore,". Doesn't add any extra meaning.John Scullen / Australian Access Federation
29184 - UN3

I'm not sure this is important, but the wording implies to me that the identifier has not been reassigned up to this point in time. There is potential that the identifier could be reassigned at some point in the future. Should this be revised to: "The identifier MUST NOT ever be reassigned"?

Perhaps it doesn't matter because if the identifier is reassigned at some future time they would have to stop asserting /ID/unique 

John Scullen / Australian Access Federation
30188 and 195-209

Probably not in the scope of this work, but do we need to revise [eduPerson] to address reassignment practices for ePPN? It seems a bit weird to paper over a hole in the original specification by creating what feels like a workaround in this this spec.

From all the commentary it sounds like ePPN is generally not reliable as a unique identifier. Do we have any better options?

John Scullen / Australian Access Federation
31213, 118I expected "Identity Assurance" to be a defined term in 118 because of the capitalisation but it doesn't appear in the table. John Scullen / Australian Access Federation
32215Delete "sets of"John Scullen / Australian Access Federation
33216Delete "set(s) of"John Scullen / Australian Access Federation
34244, GR3, last dot pointSpace missing: "Claimantand" → "Claimant and"John Scullen / Australian Access Federation
35244, VA4, 2This seem a bit vague and open to interpretation. Maybe it needs examples or some criteria about the kinds of attributes to look for (e.g. matching name, address, or date of birth to other evidence presented)John Scullen / Australian Access Federation
36244, VA4, 3Should "person" be "Person"?John Scullen / Australian Access Federation
37244, VA4, 3"in a trusted manner". This seems open to in and could lead to practices that make this method less robust depending on what the CSP considers to be trusted.John Scullen / Australian Access Federation
38244, VA4, 3I'm not sure how comfortable I am with vouching as validation check for IAP high. For access to identifiable human genomic data I'm not sure this is robust enough. Maybe there is a case for IAP very high in a future RAF version.John Scullen / Australian Access Federation
39244, AB3Is it worth making explicit that evidence of delivery to the Claimant should be recorded (e.g. signature)?John Scullen / Australian Access Federation
40244, UR1"trusted source is defined in VA4". I don't think it's defined very well though (see also comment 37). Trusted sources seem very open to interpretation. Maybe adding some example use cases of sources that may be trusted in different contexts might help. This could probably go in an appendix with reference from the main part of the document.John Scullen / Australian Access Federation

Why are the attribute values limited to faculty, student, and member?

Faculty is rarely asserted in Australia but we almost always see staff and often employee too. Universities here understand who their staff are but have a harder time distinguishing between faculty vs general / professional roles.

I would like to see RAF broadened to include staff and employee. I acknowledge definitions vary between countries (highlighted in section 2.2.1 of the eduPerson spec but descoping staff and to a lesser extent, employee, substantially diminishes the value of RAF in the Australian context.

John Scullen / Australian Access Federation
42330-332Add: For further information see the REFEDS Must-Factor Authentication Profile and REFEDS Single Factor Authentication Profile. (and include links to the specs)John Scullen / Australian Access Federation
43373-374Revise to: RAF 1.0 is not deprecated. However, some RPs may require assurance using RAF 2.0 criteria over RAF 1.0 criteria.
John Scullen / Australian Access Federation
44377below → followingJohn Scullen / Australian Access Federation
45380"find itself having" → needJohn Scullen / Australian Access Federation
46474-477Revise to: 

Identity evidence is any artefact that a Claimant presents to prove their identity. This includes: documentation such as a government- issued physical or digital identification document or record, and the ability to be validated and verified through a national registrar, or similar means.

John Scullen / Australian Access Federation
47474-484Should these definitions be moved to the Terms and Definitions table (118)? They are used throughout the document and might be better placed there since they are used more widely than in the context of Appendix B. For this reason I think section 2 is a better home for them.John Scullen / Australian Access Federation
48525-528Revise complete sentence to: 

The identity evidence presented must be valid at the time of identity proofing (e.g., unexpired), and the evidence must be: issued by a nationally recognized source; nationally recognized as valid evidence for identification purposes; or is a documented attestation of knowledge of the Claimant's identity from an authority recognized by the CSP

John Scullen / Australian Access Federation
49540delete "its"John Scullen / Australian Access Federation

"IAP high levies one additional requirement for authenticator binding and issuance beyond the requirements in IAP medium and IAP low:"

"IAP high imposes the following requirements for authenticator binding and issuance in addition to the IAP medium and IAP low requirements:" 

John Scullen / Australian Access Federation

"achieve that assurance of Personhood."

"confirm the Claimant is a Person."

John Scullen / Australian Access Federation

"When the process is in-person, this is a trivial requirement in that the Personhood is checked by virtue of the Registrar interacting with the Claimant face to face."

"Face to face interaction with the Registrar automatically fulfils the requirements for in-person processes.

John Scullen / Australian Access Federation

"When the process is remote and unsupervised, then the CSP will need to consider how that requirement is to be fulfilled."

"CSPs will need to determine how to fulfil the requirements when the process is remote and unsupervised."

John Scullen / Australian Access Federation
54567"check for Personhood" → "confirm the Claimant is a Person"John Scullen / Australian Access Federation
55573-575Same comments apply as for comment 35.John Scullen / Australian Access Federation
56580"." → ":" at the end of the lineJohn Scullen / Australian Access Federation
57581 and 584Number these paragraphs as 1. and 2.John Scullen / Australian Access Federation
58585 and 588Change (1) to (a) and (2) to (b) if you add numbers as recommended in comment 57. It would be a less dense paragraph if these were formatted as sub-points too.John Scullen / Australian Access Federation

Revise to:
"proofing process, or; (2) use an automated..."

John Scullen / Australian Access Federation
60596-597Revise from the comma to:
"but instead articulates functional requirements in that are relevant across international contexts and as technologies evolve."
John Scullen / Australian Access Federation
61598-601Revise to:
"This section is intended to provide illustrative examples and discussion illustrating how to implement RAF. These examples and discussion points show how to interpret the normative criteria for implementation, but are not intended to be exhaustive."
John Scullen / Australian Access Federation
62605"a known and" → "an"John Scullen / Australian Access Federation

"and" → "if"

John Scullen / Australian Access Federation

"done by the Claimant demonstrating authentication with"

"demonstrated through successful authentication by the Claimant using"

John Scullen / Australian Access Federation

"When this approach is taken, criteria in the IE, VA, VF, and UR groups may be ignored."

riteria in the IE, VA, VF, and UR groups may be ignored when this approach is used."

John Scullen / Australian Access Federation

Revise to:
"Registrars will need to consider typical service standards in their location (e.g. longer postal delivery times may be needed in some locations)."

John Scullen / Australian Access Federation
67642Delete: "each of"John Scullen / Australian Access Federation
68652Add comma after "proofing process"John Scullen / Australian Access Federation
69653"each such service" → "these services"John Scullen / Australian Access Federation

"These, together with 3rd parties identified in material on their Trust Status List entries on which some of them rely in turn, provide a starting point for US based organisations thinking about implementing unsupervised remote identity proofing at IAP high. Some of those providers also operate outside of the US."

"Together with 3rd parties identified in material on their Trust Status List entries, these services provide a starting point for US based organisations implementing unsupervised remote identity proofing at IAP high. Some providers also operate outside of the US."

John Scullen / Australian Access Federation
71659-660Revise first sentence to:
"This framework does not explicitly require a government-issued photo ID."
John Scullen / Australian Access Federation
72660"simply because" → "that"John Scullen / Australian Access Federation
73664-665"do not implement things in the same way" → "use different approaches and standards"John Scullen / Australian Access Federation
74666-668Revise second sentence to:
"The easiest way to meet IAP medium in-person requirements is to compare a photo on the identity evidence with the Person."
John Scullen / Australian Access Federation
75669-671Revise to:
"For nations that do not have robust national-level identity infrastructure, a government-issued photo ID may be the only evidence that enables the Registrar to meet all the validation and verification requirements."
John Scullen / Australian Access Federation
76672-673Revise to:
' "Presented evidence" implies the Claimant must present the evidence themselves.'
John Scullen / Australian Access Federation
77674"have implemented" → "adopt"John Scullen / Australian Access Federation
78676Revise heading to:
" Appendix C: Example assurance values"
John Scullen / Australian Access Federation
79690In the "Reason" column it might be a good idea to cross referencing 5.2 to also include references to the GR, IE, VA, VF, AB and UR criteria where appropriate.John Scullen / Australian Access Federation

"IAP" Spell out on first use then abbreviate.

Nick Rossow / Australian Access Federation
81244/GR1GR1 requires that "The CSP takes measures to ensure that the Claimant accomplishing each step of the identity proofing and authenticator issuing process is the same Person throughout the process"

It is not clear how that can be fully achieved - there could be steps where another person could act on behalf of the Claimant - if they shared credentials, this would be impossible to detect.
Vlad Mencl / Tuakiri/REANNZ
82244/UR1It is not clear what it means for contact information to "belong to the Claimant".  Would it be stronger then being "in control" of the contact channel.  Such as for a phone number, not only to be able to receive messages, but also be listed in a public phone directory as the owner?  Or for email, having it listed in institutional directory as belonging to the user?

Perhaps this should be made clearer.
Vlad Mencl / Tuakiri/REANNZ

244/UR3 +


I'm not sure if eIDAS is really built around an ‘in-person’ principle. If a claimant is identified by an (eGov-approved) eID-Server using an eID Token which is notfied as eIDAS LoA 'high', why would a CSP ever require an additional in-person check? Such a requirement would run completely counter to the basic idea of eIDAS  (IMHO, of course). I doubt that any German university would ever be able to assert IAP high...

Wolfgang Pempe / DFN-AAI
84244/GR3Are there any means by which the records can be requested in case of an incident?Anders Sjöström NeIC/Puhuri