FICAM TFPAP 1.0.1: Difference between revisions
mNo edit summary |
No edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 19: | Line 19: | ||
<br /> | <br /> | ||
'''Privacy''': TFP member submissions are required to explain the TFPs privacy policy and requirements. Those are evaluated against the privacy criteria in Section 3.3. The criteria are (1) opt-in for positive confirmation from users before [[Personally Identifiable Information|PII]] is disclosed, (2) for [[Identity Provider|IdPs]] to share the minimal set of [[Attribute|attributes]], (3) for IdPs to share records of user activity, (4) for IdPs to provide users with [[ | '''Privacy''': TFP member submissions are required to explain the TFPs privacy policy and requirements. Those are evaluated against the privacy criteria in Section 3.3. The criteria are (1) opt-in for positive confirmation from users before [[Personally Identifiable Information|PII]] is disclosed, (2) for [[Identity Provider|IdPs]] to share the minimal set of [[Attribute|attributes]], (3) for IdPs to share records of user activity, (4) for IdPs to provide users with [[User Notice|notice]] of PII disclosures, for use of PII to be non-compulsory and (5) for PII to be protected after the termination of a service. | ||
<br /> | <br /> | ||
Line 33: | Line 33: | ||
[[Category:Standards]] | [[Category:Standards]] | ||
[[Category:Relying Party]] | [[Category:Relying Party]] | ||
[[Category:Government]] |
Latest revision as of 23:01, 18 February 2021
Title: FICAM Trust Framework Provider Adoption Process (TFPAP) For Levels of Assurance 1, 2, and Non-PKI 3
Category: Relying Party Policy
Date: 9/4/2009
Creator: ICAM
URL: http://www.idmanagement.gov/documents/TrustFrameworkProviderAdoptionProcess.pdf
Description: Defines the process the government can determine whether to approve Trust Frameworks for federal
purposes. The process covers assessment package submission, value determination, comparability
assessment and the adoption decision. For Levels of Assurance 1, 2, and non-PKI 3 (defined NIST SP800-63), Identity Providers and TFPs demonstrate in each of five categories (registration and issuance, tokens, token and credential management, authentication process, and assertions) the compares to the Level of Assurance for which its credentials might trusted by government applications. For Levels of Assurance 3 and 4, the document relies on the FBCA Cross-certification criteria and methodology (version 2.2 when published, now version 3.0).
Privacy: TFP member submissions are required to explain the TFPs privacy policy and requirements. Those are evaluated against the privacy criteria in Section 3.3. The criteria are (1) opt-in for positive confirmation from users before PII is disclosed, (2) for IdPs to share the minimal set of attributes, (3) for IdPs to share records of user activity, (4) for IdPs to provide users with notice of PII disclosures, for use of PII to be non-compulsory and (5) for PII to be protected after the termination of a service.
Security: The document is an information security policy.
Interoperability: The document promotes an interoperable approach to evaluating Trust Frameworks.
Terms: Adopted Authentication Scheme, Adoption, Approved Encryption Method, Assertion, Assertion Reference, Audit Criteria, Authentication, Authentication Protocol, Bearer Assertion, Biometric, Bona Fides, Certification, Claimant, Comparability, Confidentiality, Cross-certified, Cryptographic, Direct Assertion Model, E-authentication Credential, Entropy, Full Legal Name, Holder-of-key Assertion, Identity, Identity Proofing, Identity Provider, Indirect Assertion Model, Integrity, Issuance, Level Of Assurance, Min-entropy, Multi-factor Authentication, Multi-token Authentication, Network, Nonce, Non-repudiation, Out Of Band, Personal Identifying Information, Proof Of Possession Protocol, Pseudonym, Registration, Registration Authority, Relying Party, Salt, Sensitive Information, Shared Secret, Strong Man In The Middle Resistance, Strongly Bound Credentials, Subscriber, Threat, Token, Token Authenticator, Trust Criteria, Trust Framework, Trust Framework Provider, Verifier, Weak Man In The Middle Resistance, Weakly Bound Credentials