This consultation is now closed (it opened on 5 April 2022 at 17:00 UTC and closed on 3 May 2022 at 17:00 UTC).
Background
Sirtfi is the Security Incident Response Trust Framework for Federated Identity. For background information on Sirtfi please visit the Sirtfi Homepage.
Overview
The Sirtfi working group has developed a new version of the Sirtfi framework. Sirtfi v2 incorporates editorial clarifications that result in renumbering some of the v1 assertions, as well as a new assertion that requires the security contacts of entities participating in Sirtfi to be notified when a security incident investigation suggests that those entities are involved in the incident.
Included as supporting material is a document that clarifies the co-existence of Sirtfi v1 and v2.
The PDF for the consultation is available. All comments should be sent to consultations@lists.refeds.org or added to the change log below. Comments posted to other channels will not be included in the consultation review.
Change Log
comment # | Line/Reference # | Proposed Change or Query | Proposer / Affiliation | Action / Decision (please leave blank) |
---|---|---|---|---|
1 | 233-241 | Since SIRTFI v2 is a superset of v1, listing an attestation of compliance with v1 as part of the requirements is superfluous and these lines should be removed | Nicole Roy | |
2 | 0-n | Is a diff between the v1 and v2 specifications available? Not only useful for the consultation but probably also later for existing implementers of v1. | Thijs Kinkhorst | |
3 | 285 | The reference to the REFEDS metadata extension appears to be wrong per the XML Schema Definition (Metadata Extension Schema): the namespace URI in the example is "https://refeds.org/metadata" instead of "http://refeds.org/metadata". | Davide Vaghetti | |
4 | 129-135 | The coordinating CSIRT needs to be aware of incidents affecting/involving eduGAIN entities, otherwise it will get very difficult to coordinate any concerted response. [IR3] Notify security contacts of the eduGAIN CSIRT and entities participating in Sirtfi when a security incident investigation suggests that those entities are involved in the incident. Notification should also follow the security procedures of any federations to which your organisation belongs. | Sven Gabriel | |
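Comment 3 above turns on a single character in a namespace URI: a security contact published under `https://refeds.org/metadata` instead of the REFEDS metadata extension namespace `http://refeds.org/metadata` is, to any consumer that matches the namespace correctly, not a security contact at all, and the entity silently drops out of the incident-notification path that Sirtfi v2's new assertion depends on. The following check is an added example written for this page, not code from REFEDS or the Sirtfi working group. It walks SAML metadata, reports each entity's Sirtfi security contact addresses, and separately flags entities whose contact is declared under the mistaken `https://` namespace so that the operator can distinguish "misconfigured" from "never published one". The three entity descriptors embedded in `SAMPLE_METADATA` are constructed for the example; their entityIDs and mailboxes are not real.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REMD_NS = "http://refeds.org/metadata"            # correct REFEDS metadata extension namespace
REMD_NS_WRONG = "https://refeds.org/metadata"     # the https variant comment 3 warns about
SECURITY_CONTACT_TYPE = "http://refeds.org/metadata/contactType/security"

# Constructed sample: one correct security contact, one under the wrong
# namespace, one entity with no security contact at all.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}"
    xmlns:remd="{REMD_NS}"
    xmlns:bad="{REMD_NS_WRONG}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:ContactPerson contactType="other" remd:contactType="{SECURITY_CONTACT_TYPE}">
      <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/sp">
    <md:ContactPerson contactType="other" bad:contactType="{SECURITY_CONTACT_TYPE}">
      <md:EmailAddress>mailto:csirt@example.net</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.com/sp">
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:admin@example.com</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def audit_security_contacts(metadata_xml: str) -> dict:
    """Return {entityID: {"status": ..., "emails": [...]}} for every EntityDescriptor.

    status is "ok" when at least one ContactPerson carries the security
    contactType in the correct REFEDS namespace, "wrong-namespace" when the
    only security contact uses the https:// namespace, and "missing" otherwise.
    """
    root = ET.fromstring(metadata_xml)
    results = {}
    # iter() descends into nested EntitiesDescriptor elements as well.
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        emails = []
        wrong_ns = False
        for cp in ed.findall(f"{{{MD_NS}}}ContactPerson"):
            # ElementTree exposes namespaced attributes as "{namespace}local".
            if cp.get(f"{{{REMD_NS}}}contactType") == SECURITY_CONTACT_TYPE:
                emails.extend(
                    e.text.strip()
                    for e in cp.findall(f"{{{MD_NS}}}EmailAddress")
                    if e.text and e.text.strip()
                )
            elif cp.get(f"{{{REMD_NS_WRONG}}}contactType") == SECURITY_CONTACT_TYPE:
                wrong_ns = True
        if emails:
            status = "ok"
        elif wrong_ns:
            status = "wrong-namespace"
        else:
            status = "missing"
        results[entity_id] = {"status": status, "emails": emails}
    return results


if __name__ == "__main__":
    for entity_id, info in audit_security_contacts(SAMPLE_METADATA).items():
        print(f"{info['status']:16} {entity_id}  {', '.join(info['emails'])}")
```

Run against a federation aggregate (`audit_security_contacts(open(path).read())`) the "wrong-namespace" bucket is the list to send to entity operators, and the "missing" bucket is the list of entities a Sirtfi v2 participant would be unable to notify under the new incident-response assertion.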