
Phase | Requirement | Deadline | Comments

Phase 1
Requirement: Require security contacts and commitment to incident response for federations
Deadline: 31st December 2025
Comments: Complete, target achieved

Phase 2
Requirement:
  • Require security contacts and commitment to incident response for all entities
  • Require privacy notice and completion of mdui:PrivacyStatementURL for all entities
  • Require expression of RAF information / ability to assert https://refeds.org/assurance for all Identity Providers.
Deadline: 31st December 2026
Comments:
  Proposed - is it too much to include RAF in this year? Could be rolled to 2027

  I think we can discuss this. I would not dilute it too much though. Maybe we could move RAF base requirement to 2027-Q1? (Davide)

  I'm happy to move requirements of identity assurance to a date further along, end of Q2 or Q4 2027? (Pål)

Phase 3
Requirement:
  • Require Sirtfi for all entities
  • Require expression of identifier uniqueness / ability to assert: https://refeds.org/assurance/ID/unique
Deadline: 31st December 2027
Comments: +1 (Davide and Pål)

Phase 4
Requirement: Require minimum RAF level - TBD.
Deadline:
Comments:
  This still needs significant scoping work

  A base level would of course be IAP/low. A way to scope this is 1. usefulness (what's really needed?) - 2. what's current industry standard? For example Google, Amazon, MS, etc. now have better vetting processes.
  All in all I would exclude any "what is reasonably achievable" parameter, or we risk simply dropping it.
  (Davide)

  Are we talking about only IAP or also identifier uniqueness? I'm happy with both, as uniqueness seems very important. (Pål)

Process

  • Requirements will be announced by the Secretariat and appropriate amendments made to the SAML Technical Profile.
  • Federations will be asked to remove all entities that do not meet these standards by the deadline (or they will be filtered by eduGAIN OT?).
