Contents 1 DRAFT FOR COMMENT ONLY 1.1 4.3 Certification of Identity Federation Operator 1.2 4.3.1 Process of Certification 1.3 4.3.1.1 Application 1.4 4.3.1.2 Initial Evaluation 1.5 4.3.2 Criteria for Certification of Federation Operator Lines of Business 1.6 4.3.2.1 Standard Evaluation Criteria Used by Assessor 1.7 4.3.2.2 Supplemental Criteria Used by Assessor 1.8 4.3.3 Certification Decision 1.9 4.3.3.1 Assessor Delivers Report and Recommendation 1.10 4.2.3.2 IAEG Board Makes Certification Decision 1.11 4.2.4 Appeals Process 1.12 4.2.5 Maintaining Certification

DRAFT FOR COMMENT ONLY

- Please send comments for discussion to sig-ia@lists.projectliberty.org. Note: You must subscribe to the list to post message. You may subscribe here.

Initial Discussion Draft, Federation Operators Section, 2009 Revision of the Liberty Identity Assurance Framework

4.3 Certification of Identity Federation Operator

The purpose of certifying a Federation Operator (FO) under this Identity Assurance Framework is so it may assign to its member CSPs Liberty-backed certification of Assurance Levels to the credentials they issue. That is, if a Liberty-authorized Assessor determines that the FO manages its federation in such a way as to ensure that its member CSPs are issuing credentials in full compliance with the various ALs specified in this IAF, then Liberty-backed certification of member CSPs credentials is delegated to the FO. For obvious reasons then, assessment of an FO is a particularly demanding activity.

An FO is an organization that provides governance and day-to-day operational support for the federation. The FO is authorized to enter into binding contracts and agreements and to provide support for federation services. The Federation Operator is recognized by federation Participants as having certain roles and authority in creating a framework in which on-line identity assertions can be trusted and the privacy of identity information protected.

Federation Participants (“Participants”) are otherwise-independent entities that enter into contracts or binding agreements with the Federation Operator in order to receive services from the federation. These services include ensuring that all Participants meet participation requirements including the relative trustworthiness of electronic identity credentials issued by member CSPs, properly identifying and authenticating each participating entity, distribution of metadata and any other security information such as digital certificates describing each Participant and the identity services and/or on-line resources each provides, resolution of interoperability or other operational problems, and enhancement of standards as new requirements arise. Participants may include CSPs and/or Relying Parties (RPs). Some federations may include Relying Parties as Participants, others may not.

For Federations that include Relying Parties, the Federation Operator shall ensure that Participant RPs are responsible for determining through a risk assessment process of their own the credential AL necessary for managing appropriate access to its data or on-line services. RPs are responsible for assuring that only credentials of that assurance level or higher are accepted as the basis for granting access. The Federation Operator has no role in determining the appropriate level of assurance required for any RP service except for those it might manage directly. A Federation Operator may set rules for how RPs must protect identity information received from CSPs and how such information may be used; however, FOs may or may not monitor federation Participants for compliance. In addition, laws and/or Federal or state regulations may constrain RPs’ use and/or management of such information.

4.3.1 Process of Certification

The process of certification for each product or line of business for which certification is sought by a FO includes the following steps. a) An FO seeking certification for a product or line of business begins the formal process by reviewing the list of IAEG accredited and approved assessors. The FO selects an assessor for commencing formal assessment, for which there shall be a separate contractual arrangement between the applicant and the chosen assessor.

b) The IAEG accredited assessor selected by the applicant conducts an assessment of the FO policies, procedures and operations. At the conclusion of the assessment process, the assessor submits the assessment report and its recommendation regarding certification to the Federation Operator and the Liberty Alliance IAEG.

c) The FO submits an application for certification to the IAEG, including agreement to the IAEG business rules, as well as specification of each line of offerings for which certification is sought, and the assurance level (AL) at which each certification is sought.

e) After receiving the assessment and application materials from the assessor, the IAEG evaluates the relevant information and makes a decision on certification.

f) The IAEG communicates its decision on certification to the FO and the assessor.

g) In the event of a negative decision, the FO is afforded an appeal.

h) In the event of a positive decision, the FO’s authority to assign Liberty certifications to its Participant CSPs products or lines of business and this authority is added to the IAEG Certified offering list in a manner to be determined.

i) An FO may not be the assessor of its own service.

4.3.1.1 Application

The IAEG shall provide a standard application form for certification of Federation Operators as IAEG-certified both on the IAEG web site and in paper form. The application, to be completed by the Federation Operator, shall include contact information; an agreement to abide by the IAEG rules and any other applicable IAEG requirements identified in the application, such as a license agreement or other terms and conditions; and an IAEG appeal request form to request review of the final certification determination. In addition, the application shall require the applicant to specify the precise scope of each line of business for which certification is sought, the AL at which each certification is sought, and any existing applicable accreditation, certification or similar approvals granted to each specified line of business.

4.3.1.2 Initial Evaluation

Upon receipt of an application for certification, the IAEG shall review the contents and the assessment report. 4.3.1.3 Assessment

Prior to submitting an application for certification, an FO must obtain an assessment by an IAEG accredited assessor. The assessment shall determine compliance with the current IAEG Service Assessment Criteria. An IAEG accredited assessor will conduct an on-site reassessment or surveillance assessment of an FO at least 1 year after certification and, at a minimum, once every 2 years thereafter, for verification of continued compliance with IAEG certification requirements.

4.3.2 Criteria for Certification of Federation Operator Lines of Business

Because a certified Federation Operator authorizes its Participant CSPs to assert Liberty certification of Assurance Level for its credentials, the criteria for certification of FOs are rigorous.

4.3.2.1 Standard Evaluation Criteria Used by Assessor

For each line of business for which certification is sought, the policies, practices, operations, organization, personnel and other relevant aspects of an FO must be assessed against the Liberty IAEG’s processes and procedures for certifying CSPs. That being said, an assessor shall be responsible for determining whether the FO’s business rules and practices are comparable, not identical, to those of the IAEG’s assessment criteria for CSPs. Whether that determination of comparability is deemed adequate and equivalent must be decided by the IAEG Board. Determination by the Board is a requirement for FO certification. Reports of such determinations may be published from time to time as assessment guidance by the IAEG.

4.3.2.2 Supplemental Criteria Used by Assessor

This section needs to be drafted, but it is essentially the IAF assessment process for CSPs.

4.3.3 Certification Decision

4.3.3.1 Assessor Delivers Report and Recommendation

Upon conclusion of the assessment, for each line of business for which certification has been sought, the assessor shall deliver to the IAEG and the FO a final assessment report, including a recommendation on whether to certify the assessed FO and for which assurance levels.

4.2.3.2 IAEG Board Makes Certification Decision

Upon receipt of each assessment report and recommendation on certification from the accredited assessor, the IAEG Board shall determine within a reasonable time whether to deny certification to the FO, certify the FO for particular ALs, or take such other action as may be appropriate, including requesting further information, contractual agreements, or provable action from the FO by a certain date.

The decision of the IAEG Board shall be communicated to both the FO and the assessor within a reasonable time, as it determines.

4.2.4 Appeals Process

Upon receipt of the decision on certification by the IAEG Board, a FO may request an appeal of that decision. Accepting an appeal from an FO is done at the discretion of the IAEG Board. If the Board agrees to hear an appeal, it shall accept additional documentation and arguments from the FO and review its prior decision.

4.2.5 Maintaining Certification

The must Federation Operator must notify the IAEG of any material change that may affect the trustworthiness of Participant CSPs’ credentials at particular assurance levels 60 days before the change is instantiated or immediately upon the incidence of any unplanned change. The IAEG will determine whether the changes are sufficient to require re-assessment. The re-assessment, if required, need only cover those elements that have changed.