Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

Similar documents
Stakeholder and community feedback. Trusted Digital Identity Framework

Accreditation Process. Trusted Digital Identity Framework February 2018, version 1.0

Service Operations Testing Requirements. Trusted Digital Identity Framework August 2018, version 1.0

Attribute Profile. Trusted Digital Identity Framework August 2018, version 1.0

Overview and Glossary. Trusted Digital Identity Framework February 2018, version 1.0

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

NOTICE OF AMENDMENT TO THE 2014 NACHA OPERATING RULES SUPPLEMENT #1-2014

ISO27001:2013 The New Standard Revised Edition

It s still very important that you take some steps to help keep up security when you re online:

FPKIPA CPWG Antecedent, In-Person Task Group

FedRAMP Digital Identity Requirements. Version 1.0

Phase II CAQH CORE 202 Certification Policy version March 2011 CAQH 2011

Cyber Security Reliability Standards CIP V5 Transition Guidance:

PRIOR LEARNING ASSESSMENT AND RECOGNITION (PLAR)

IDENTITY ASSURANCE PRINCIPLES

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

METERING SERVICE PROVIDER REGISTRATION PROCEDURE (PART1)

Minimum Requirements For The Operation of Management System Certification Bodies

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Reliability Coordinator Procedure PURPOSE... 1

Phase I CAQH CORE 102: Eligibility and Benefits Certification Policy version March 2011

UNDAF ACTION PLAN GUIDANCE NOTE. January 2010

One Sector Community Limited ACN ( OSC ) Privacy Policy

NDIS Quality and Safeguards Commission. Incident Management System Guidance

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

Oracle Data Cloud ( ODC ) Inbound Security Policies

Progress Report Negotiations on the Registrar Accreditation Agreement Status as of 1 March 2012

GENERAL PRIVACY POLICY

Google Cloud & the General Data Protection Regulation (GDPR)

Telecommunications Equipment Certification Scheme FEBRUARY 2017

Open Data Policy City of Irving

PayThankYou LLC Privacy Policy

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

BENCHMARKING PPP PROCUREMENT 2017 IN GABON

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

PRIVACY POLICY TABLE OF CONTENTS. Last updated October 05, 2018

INFORMATION ASSURANCE DIRECTORATE

Updating MACS documentation

Smart Metering Implementation Programme. Consultation on transitional arrangements in the Smart Energy Code

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Thanks for using Dropbox! Here we describe how we collect, use and handle your information when

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Terms & Conditions. Privacy, Health & Copyright Policy

REPORT 2015/149 INTERNAL AUDIT DIVISION

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Re: PIPEDA s.11 complaint re: canada.com service - outsourcing to US-based service provider

Code Administration Code of Practice

Our Data Protection Officer is Andrew Garrett, Operations Manager

ASD CERTIFICATION REPORT

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

SWAMID Person-Proofed Multi-Factor Profile

FSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

NYDFS Cybersecurity Regulations

Identity Federation Requirements

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

Alberta Reliability Standards Compliance Monitoring Program. Version 1.1

Accreditation Services Council Governing Charter

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

ISAO SO Product Outline

Maritime Union of Australia. Privacy Policy 2014

As set out in the Hong Kong ID card, or any relevant identification document referred to in 1(g) above.

SA/SNZ TR ISO/IEC :2014

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

Engineering Document Control

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Data Processing Agreement

Policy & Procedure Privacy Policy

IBM SmartCloud Engage Security

National Strategy for Trusted Identities in Cyberspace

Executive Order 13556

NAI Mobile Application Code

"Energy and Ecological Transition for the Climate" Label Control and Monitoring Plan Guidelines

Stakeholder Participation Guidance

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Safeguarding unclassified controlled technical information (UCTI)

Public Safety Canada. Audit of the Business Continuity Planning Program

Chapter 1. Purpose, definitions and application

Keyword AAA. National Archives of Australia

ITU s perspective on patents and standards

FedRAMP Security Assessment Framework. Version 2.0

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Security Architecture

SURGICAL REVIEW CORPORATION Privacy Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

Red Flags/Identity Theft Prevention Policy: Purpose

Protecting your Privacy Winchester Cathedral Privacy Notice

Proposed Accounting Standards Update, Revenue from Contracts with Customers (Topic 606): Identifying Performance Obligations and Licensing

ONBOARDING APPLICATION

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

CHAPTER 13 ELECTRONIC COMMERCE

Summary of Changes from PA-DSS Version 2.0 to 3.0

Electronic Service Provider Standard

Privacy Policy. Revisions to this Policy. What Information we collect. How do we collect Information?

Transcription:

Stakeholder and community feedback Trusted Digital Identity Framework (Component 2)

Digital Transformation Agency This work is copyright. Apart from any use as permitted under the Copyright Act 1968 and the rights explicitly granted below, all rights are reserved. Licence With the exception of the Commonwealth Coat of Arms and where otherwise noted, this product is provided under a Creative Commons Attribution 4.0 International Licence. (http://creativecommons.org/licenses/by/4.0/legalcode) This licence lets you distribute, remix, tweak and build upon this work, even commercially, as long as they credit the DTA for the original creation. Except where otherwise noted, any reference to, reuse or distribution of part or all of this work must include the following attribution: Trusted Digital Identity Framework (Component 2): Stakeholder and community feedback Commonwealth of Australia (Digital Transformation Agency) 2018 Use of the Coat of Arms The terms under which the Coat of Arms can be used are detailed on the It s an Honour website (http://www.itsanhonour.gov.au) Contact us Digital Transformation Agency is committed to providing web accessible content wherever possible. If you have difficulties accessing this document or have questions or comments regarding this document please email the Director, Trusted Digital Identity Framework at identity@dta.gov.au. Trusted Digital Identity Framework: Stakeholder and community feedback ii

Contents 1 Summary of changes... 1 1.1 Attribute Profile... 2 1.2 Authentication Credential Requirements... 2 1.3 Fraud Control Requirements... 2 1.4 Identity Proofing Requirements... 3 1.5 Interim Accreditation Governance... 3 1.6 Interim Memorandum of Agreement... 3 1.7 Interim Federation Deed... 4 1.8 Overview and Glossary... 4 1.9 OpenID Connect 1.0 Profile... 5 1.10 Protective Security Reviews... 5 1.11 SAML 2.0 Profile... 6 1.12 Service Operations Requirements... 6 1.13 Technical Integration Testing Requirements... 6 2 Feedback under consideration... 7 Trusted Digital Identity Framework: Stakeholder and community feedback iii

1 Summary of changes The Trusted Digital Identity Framework (TDIF) has been developed in conjunction with government agencies and the private sector. There have been two components of TDIF released, with the first being published in February 2018 and the second in August 2018. The second component includes a combination of new documents and updates to existing documents from the first TDIF component. Both components are available on the DTA website 1. The DTA met regularly with stakeholders while drafting the second component of the TDIF which was then released for public consultation through May and June 2018. Thank you to everyone who provided feedback. More than 900 comments were received. In this document we have summarised the broad changes made to the TDIF in response to this feedback. There were a number of suggestions made which have resulted in changes to all of the documents that make up the second release of the TDIF. These changes include the following: Moved the document conventions (how to interpret MUST, SHOULD, etc) to the inside cover of each document. Changed the document management section of each document to show the Trust Framework Accreditation Authority as the body who endorses the document. References to the Trust Framework have been replaced with TDIF. References to individuals, users, end users and subscribers have been replaced with person or people. Changes that have been made to individual documents are summarised below. The terms and definitions used in this document are defined in the TDIF: Overview and Glossary. 1 Both TDIF components are available on the DTA website, https://www.dta.gov.au/what-we-do/policies-and-programs/identity/ Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 1

1.1 Attribute Profile Core attributes have been separated from the attributes that describe validated contact details. The descriptions of core attributes have been updated. This includes noting that where a person has only one name, it should be recorded as the family name. Description of attribute sets has been updated to note that the attributes may be requested individually. Revised the terminology that describes the types of consent. Added the Every Change consent type to support the need for requiring consent whenever an attribute value is changed. Added additional timestamp attributes to the attribute sets to enable an Identity Exchange to detect a change in attributes so that the appropriate consent policy can be applied. All timestamps are in UTC format. Clarified the use of different OIDC scopes for Relying Parties and Identity Providers, Relying Parties may also use the same OIDC scopes specified for Identity Providers. Added a paragraph describing support for computed attributes. Added examples of attributes that may be supported in the future releases. 1.2 Authentication Credential Requirements Complete re-write of the document to align with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B Amended the wording to reflect consistency of terminology throughout the document. Updated Table 1 proof of possession requirements highlighting the alignment with NIST SP 800-63B requirements. Clarified Credential Service Provider specific requirements to remove ambiguity. 1.3 Fraud Control Requirements Terminology and reporting requirements have been clarified. Requirement for real-time fraud monitoring added. Fraud Risk Assessment now forms a component of the overall risk assessment. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 2

1.4 Identity Proofing Requirements Inclusion of referee checks (attestation) for individuals without photo identity documentation. Expansion and clarification for IP4 (including in-person interviews). Introduced Transitional Arrangements that are a temporary alternative for identity proofing. Updated the list of allowable identity sources. Clarified and updated the Identity Service Provider requirements. Provided clarity around the objectives and their application within the identity proofing processes for each identity proofing level. Aligned terminology with the Glossary Re-ordered the document to improve readability 1.5 Interim Accreditation Governance Merged with the Interim Memorandum of Agreement 1.6 Interim Memorandum of Agreement The System Governance Interim MOU (MOU) consolidates the Federation Deed and MOU, and the Interim Accreditation Governance document, into one document. (The Federation Deed and MOU, and the Interim Accreditation Governance document, were each included in TDIF release two). This approach streamlines the governance arrangements for the System ( System Governance ) during the roll-out of pilot services from October. The MOU provides for the DTA to act as an Oversight Authority for the System and outlines the rights, powers and obligations of that Oversight Authority to ensure the safe, reliable and effective operation of the System. The TDIF MOU document previously referred to an Accreditation Authority, which was a body that had responsibility for accrediting participants within the System the Oversight Authority has broader responsibility for administration and enforcement of arrangements for the System. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 3

The MOU sets out the roles and responsibilities of each participant within the System to ensure accountability and certainty within the System, and to ensure that use of the System is consistent with the requirements of the TDIF. The MOU is an interim arrangement which is designed to fall away as the scope of the System expands and other non-commonwealth participants seek to use the System (the MOU will be replaced by Operating Rules in due course). In the meantime, it has flexibility for other Commonwealth entities to participate in the system (for example, as a Relying Party as new services are on-boarded). The MOU requires the Identity Exchange to maintain the privacy of the System through the double-blind mechanism and the legal structure of this document (including the obligations of the participants) reflects the double blind technical architecture. The MOU also enshrines other privacy requirements for example, the Oversight Authority must notify the Privacy Commissioner of proposed changes to the TDIF and invite comment on those changes. 1.7 Interim Federation Deed Merged with the Interim Memorandum of Agreement. 1.8 Overview and Glossary Provided greater clarity as what TDIF success will look like, including how success will be publicly reported. Redrafted the TDIF guiding principles to make them clearer. Added a description of double blind in the objectives and how this will be achieved. Redrafted the sections about the functions performed by participants in the identity federation and how the relate to the various federation roles. Removed ambiguity about the number of identity exchanges that will operate in the identity federation over time (there will likely be several). Updated the section about the TDIF documents and development schedule. Moved this section closer to the front of the document and removed the pictures that showed the linkages between the TDIF policies as several people found these pictures confusing. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 4

Added a new section which describes how to interpret the document conventions (e.g. MUST, SHOULD, etc) and the impacts if these conventions are not followed. Added a new section which describes the initial accreditation process and the ongoing accreditation obligations. Introduced the concepts of the Oversight Authority and Operating Rules and added some of their roles and responsibilities. Added and updated a number of glossary terms that were missed from the first TDIF release. 1.9 OpenID Connect 1.0 Profile Corrections made to trust broker diagram and descriptions as requested. Corrections to examples as requested. Updated the diagram on Interactions (Appendix A) to highlight the interactions that are occurring via the user s web browser. Minor corrections and amendments identified in feedback. 1.10 Protective Security Reviews Minor changes have been made to a number of requirements to make them clearer. Provided additional information about the likely costs of an IRAP Assessment. Provided greater clarity regarding how failed IRAP Assessments will be handled by the Trust Framework Accreditation Authority. Removed references to the unclassified controls listed in the Australian Government Information Security Manual. Aligned the vulnerability management requirements with the TDIF: Protective Security Requirements. Added provisions to allow penetration testing to be conducted by internal teams. Added the definitions of black box and white box system testing to the TDIF: Overview and Glossary. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 5

1.11 SAML 2.0 Profile Corrections to trust broker diagram and descriptions as requested, consistent with those included in the OIDC Profile. Updated diagram on Interactions (Appendix A) to highlight the interactions that are occurring via the user s web browser, consistent with those included in the OIDC Profile. Corrected section on Common Profile Requirements to clarify that a SAML Service Provider is only required to support either the Http-Redirect or Http-POST This profile requires support for the SAML metadata specifications to ensure support for static configuration of SAML requests. The relevant section will be revised to make this clearer in the next release. 1.12 Service Operations Requirements Clarification to include applicable outsourced services as part of Service Operations testing activities. Removed definitions specific to the document and added them to the TDIF: Overview and Glossary. 1.13 Technical Integration Testing Requirements Provided clarity regarding the scope of the Integration Testing to include demonstrating that the components of the system interface correctly and fulfil the functions specified for them. Included requirement for the Applicant to provide the Trust Framework Accreditation Authority with evidence that demonstrated achievement of the Technical Integration requirements. Removed definitions specific to the document and added them to the TDIF: Overview and Glossary. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 6

2 Feedback under consideration We have also received some suggestions that we are unable to address in this TDIF component but will be considered for future versions. These include the following: Governance roles and responsibilities for the identity federation, including warranties, liability allocation and dispute resolution. The TDIF annual audit requirements. How an individual can reuse a digital identity to act on behalf of a business. Details on the implementation of biometric face-matching requirements. Alignment with private sector requirement. Digital Transformation Agency Trusted Digital Identity Framework: Stakeholder and community feedback 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback