Background
The REFEDS Baseline Expectations working group have developed a high level set of requirements in the proposed Identity Federation Baseline Expectations (IFBE). By meeting a common Baseline, federations are able to increase trust, value and scalable interoperability to the ecosystem. The working group invites all interested parties to a consultation of the proposed document.
Please note that the document Identity Federation Baseline Expectations is only a high level set of requirements. The specific organisational and technical implementation guidance to satisfy the baseline will be provided in future supporting documents.
Overview
This consultation is open from: 15:00 CET 11th December 2020 to 17:00 CET 31 January 2021.
Participants are invited:
- to consider the proposed REFEDS Identity Federation Baseline Expectations document; and
- to propose appropriate changes / challenges to the proposed document.
The PDF for the consultation is available. Background on the Baseline Expectations Working Group is available. All comments should be made on: consultations@lists.refeds.org or added to the change log below. Comments posted to other channels will not be included in the consultation review.
Following the consultation all comments will be taken back to the REFEDS Baseline Expectations working group for review and if appropriate the document will then be forwarded to the REFEDS Steering Committee for sign-off and publication on the REFEDS website as per the REFEDS participants agreement.
Change Log
| Line Number / Reference | Proposed Change or Query | Proposer / Affiliation | Action / Decision (please leave blank) | |
|---|---|---|---|---|
| 1 | 25 | "continual trust improvements" this phrase is not very clear to me. What is a "trust improvement"? | Hannah Short/CERN | |
| 2 | 29 | the majority of the requirements are SAML independent, is there any reason to tie this to SAML? It might be more useful for future OIDC fed efforts if it were generic | Hannah Short/CERN | |
| 3 | 37/51/64 | should these contacts also cover security issues as well as operational? | Hannah Short/CERN | |
| 4 | 39/53 | I suppose it's intentional that Sirtfi is not mentioned? Is it intended that the "security practices" be the ones from Sirtfi? It may be worth clarifying somehow, though I appreciate the value of keeping the docs independent | Hannah Short/CERN | |
| 5 | additional requirement | Proposed addition: "“Any Federation services must support the exchange / storage and processing of personal information compliant with GDPR” | Andreas Matheus, Secure Dimensions | |
| 6 | 10 | Typo of "interfederatons" for "interfederations" | Andrew Cormack/Jisc | |
| 7 | 30 | Maybe clearer to explicitly add, "Those organisations are referred to as XXX Operators." | Andrew Cormack/Jisc | |
| 8 | 37 | [IdP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your IdP must have contact information..."? | Andrew Cormack/Jisc | |
| 9 | 51 | [SP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack/Jisc | |
| 10 | 58 | typo of "respects" for "respect". | Andrew Cormack/Jisc | |
| 11 | 58/9 | "unless governed by an applicable contract" seems odd, better maybe "requirements may be set out in an applicable contract"? | Andrew Cormack/Jisc | |
| 12 | 62 | typo "be" for "are" | Andrew Cormack/Jisc | |
| 13 | 64 | [FO2] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack/Jisc |