Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Use cases for REFEDS RAF SFA and MFA & Implementing RAF on foundation level by Wolfgang Pempe

(David Kelsey, Wolfgang Pempe)

Idea: IdM Self-assessment for IdP Ops

- Self-assessment tool for home organizations / IdP operators
- Used in order to achieve two things:
  - A more binding commitment to IdM quality
  - Raising awareness of IAM issues

Based on the results: an entity attribute/category indicating compliance with
- the maximum profile, “Cappuccino” or “Espresso”
- the SFA and/or MFA profiles

Question: Should the processing be automatic? Answer: No. The entity category would be inserted by the federation operator, not automatically.

Uros: We have a tool that can insert any entity category for any entity in the world. We just need a decision process: what does this entity mean? But technically, we can do it.

The IdP operators don’t necessarily know about the reliability of identities within one branch. It is another person.

Wolfgang: We have federations for projects based on some state-level organizations. What is the magic that makes entity categories work?
- Those communities provide whitelists. For example, in the state of Baden-Württemberg, there is one entity category for BW IdM (Baden-Württemberg IdM), and you want anyone on the whitelist, after entering an additional federation agreement, that when you commit yourself to enter on your list, because that was the only way to enter on your list and you managed to do it, and some pretty awesome authorization and things like this. This was settled in the additional agreement in ten pages; that’s why you’re in. We don’t like it. I mean, it works pretty well in Baden-Württemberg, and that’s why I don’t like it: because it’s so small, but these kinds of things make the teamwork.

Uros: Coming back to the self-assessments: it could be good to provide guidance for what these attributes actually mean, because people may not know how their procedures match the assurance rate. We say a few things, and it can be something else, especially for medium, like “do you meet in person, or not”.

Someone from the audience: You don’t know your medium. You may have some extra requirements.

Uros: Right, but this is on the identity side. They want to express something. This self-assessment is for the ID people so that they can express the attribute in the first place.