Security Incident Response Trust Framework for Federated Identity (Sirtfi)
Right now there are 130 different federated identity entities supporting Sirtfi.
The danger of using a federation as the access method.
Survey/outreach to federations: learn their status and how to help them adopt Sirtfi.
Tooling: response support platform.
Lookout: notify Sirtfi.
Federated Security Incident Response Framework, in which Participants, Federation Operators, and the eduGAIN Operator coordinate the response to a security incident.
Security Incident Response Plan template for Federation Operators: a starting point to help R&E federations establish security procedures.
Incorporate research CIs into the above: Sirtfi security incident response procedures and tooling should integrate suitably with research CIs.
FSIRP: declare procedures to eduGAIN support.
If someone reaches out to you and you are certified, you need to do your best to resolve the problem.
The other option is just to report it.
This should not end up meaning that logs are kept about every transaction; the only thing that is certified is support for data minimization.
The responsibility of an IdP is to keep some amount of logs for a certain time and to respond within a specific timeframe.
Relevant system-generated information, including accurate timestamps and identifiers of system components and actors, is retained and available for use in security incident response procedures.
The biggest problem is keeping logs: they need to be kept, but they represent a big liability.
The problem is that if we don't keep the logs and at some point need to notify people about their accounts, we are going to notify far more people than needed.
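The trade-off in the last few notes (retain only what incident response needs, but retain enough to scope a notification) is easiest to see with a concrete log. The following is an added example, not part of the original notes or of any federation's tooling. The record layout (UTC timestamp, IdP and SP entity IDs, a pseudonymous subject, a session id) is an assumption chosen to match "accurate timestamps and identifiers of system components and actors"; the sample log lines, entity IDs and retention period are constructed.

```python
"""Minimal IdP incident log: keep only the fields incident response needs,
bound their lifetime by policy, and use them to notify only the affected
accounts when an SP reports a compromise.

Added example, not part of the original notes or of any federation's tooling.
Field names, entity IDs and the sample records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON record per authentication event at the IdP.
SAMPLE_LOG = """\
{"ts": "2019-03-01T09:15:02Z", "event": "authn", "idp": "https://idp.example.edu/idp", "sp": "https://sp.example.org/shibboleth", "subject": "pairwise-7d2f", "session": "s-001"}
{"ts": "2019-03-01T11:40:45Z", "event": "authn", "idp": "https://idp.example.edu/idp", "sp": "https://wiki.example.net/sp", "subject": "pairwise-91aa", "session": "s-002"}
{"ts": "2019-03-02T08:02:10Z", "event": "authn", "idp": "https://idp.example.edu/idp", "sp": "https://sp.example.org/shibboleth", "subject": "pairwise-c3e0", "session": "s-003"}
{"ts": "2019-03-05T17:25:33Z", "event": "authn", "idp": "https://idp.example.edu/idp", "sp": "https://sp.example.org/shibboleth", "subject": "pairwise-7d2f", "session": "s-004"}
"""

# The fields an incident responder cannot do without: when, which components, which actor.
REQUIRED = ("ts", "event", "idp", "sp", "subject")


def _parse_ts(text):
    """Timestamps are UTC ISO 8601 with a trailing Z (assumption for this demo)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines records, rejecting any that lack a required field:
    a record that cannot answer who/what/when is useless in an incident."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: missing {missing}")
        rec["ts"] = _parse_ts(rec["ts"])
        records.append(rec)
    return records


def affected_subjects(records, sp, start, end):
    """Subjects who authenticated to `sp` between `start` and `end` (inclusive):
    the set that actually needs notifying when that SP reports a compromise."""
    lo, hi = _parse_ts(start), _parse_ts(end)
    return sorted({r["subject"] for r in records
                   if r["event"] == "authn" and r["sp"] == sp and lo <= r["ts"] <= hi})


def purge_expired(records, now, retention_days):
    """Drop records older than the retention window, so the liability of holding
    logs is bounded by policy rather than open-ended."""
    cutoff = _parse_ts(now) - timedelta(days=retention_days)
    return [r for r in records if r["ts"] >= cutoff]


def notification_scope(text, sp, start, end):
    """Compare the scoped notification (logs available) with the fallback when
    no logs exist: every subject the IdP has ever seen must be notified."""
    records = parse_log(text)
    everyone = sorted({r["subject"] for r in records})
    affected = affected_subjects(records, sp, start, end)
    return {"with_logs": affected, "without_logs": everyone}


if __name__ == "__main__":
    # The SP at sp.example.org reports a compromise covering 1-3 March.
    scope = notification_scope(SAMPLE_LOG, "https://sp.example.org/shibboleth",
                               "2019-03-01T00:00:00Z", "2019-03-03T00:00:00Z")
    print(json.dumps(scope, indent=2))
    # After a 7-day retention window, measured on 10 March, only the newest record survives.
    print(len(purge_expired(parse_log(SAMPLE_LOG), "2019-03-10T00:00:00Z", 7)), "record(s) retained")
```

Run as a script it prints two subjects to notify with logs against three without, which is the whole argument of the note above: the retained fields are few, but they turn a blanket notification into a targeted one.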
Response support platform: it would be very helpful to have a standard way of communicating, i.e. a structure for what is being sent and a format for how that information is passed, a schema for certain kinds of messages.
Don't bother with IdP tooling; it's a distraction and maybe misleading as a false requirement for Sirtfi.
The more centralized this can be done, the more successful it will be.
Tool: non-federated Sirtfi, tag metadata registration.
Work plan ahead:
What events should we aim to participate in?
Identify which notification groups should be automatically maintained.
Guidelines for the conditions under which to notify whom.
Table-top exercise.
There needs to be an organization fulfilling a coordinating role. Perhaps this should be at eduGAIN. This function should be set up from the start.
Discussion of the use/implementation of the ID event draft / automation as part of this framework: https://tools.ietf.org/html/draft-ietf-secevent-token-00
- Distributed, whereas Confirm thought hubs were the way to do this.
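The "standard way of communicating" asked for under the response support platform and the secevent draft linked above point at the same thing: a signed, structured event message that a receiving federation or coordinator can authenticate and de-duplicate. The following is an added example, not part of the original notes or of any Sirtfi/eduGAIN tooling. The claim layout (iss, aud, iat, jti, events; typ "secevent+jwt") follows the published Security Event Token format, RFC 8417, which the linked draft became; the draft's exact -00 wording is not reproduced here. Everything else is constructed for the demo: the HMAC shared secret (a real exchange would sign with the issuer's asymmetric key so receivers cannot forge events), the event type URI, the entity IDs and the pseudonymous subject.

```python
"""Security Event Token (SET) style incident message: a signed JWT whose
`events` claim carries the incident payload, so a receiver can check who sent
it, whether it was altered, and whether it was already processed.

Added example, not part of the original notes or of any Sirtfi/eduGAIN
tooling.  Claim layout follows RFC 8417; the key, event type URI, entity IDs
and subject below are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

DEMO_KEY = b"constructed-shared-secret-for-demo-only"   # constructed; not for real use
EVENT_TYPE = "urn:example:sirtfi:account-compromised"     # constructed event type URI


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(issuer, audience, event_type, payload, key, jti=None, iat=None):
    """Serialise and HMAC-sign one SET.  Compact, key-sorted JSON keeps the
    signed bytes deterministic."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    claims = {
        "iss": issuer,
        "aud": audience,
        "iat": iat if iat is not None else int(time.time()),
        "jti": jti or uuid.uuid4().hex,        # unique id, basis for replay detection
        "events": {event_type: payload},
    }
    dump = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    signing_input = _b64url(dump(header)) + "." + _b64url(dump(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, key, expected_issuer, expected_audience, seen_jtis):
    """Validate a SET the receiver's way: pin the algorithm, check the signature
    before trusting any claim, then check issuer, audience and replay."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":             # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    for required in ("iss", "iat", "jti", "events"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if claims["iss"] != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not addressed to this receiver")
    if claims["jti"] in seen_jtis:
        raise ValueError("replayed event")
    seen_jtis.add(claims["jti"])
    return claims


def roundtrip():
    """Issue one incident event, verify it, then show a replay and a tampered
    copy being rejected.  Returns the outcomes so they can be checked."""
    issuer = "https://idp.example.edu/idp"                 # constructed entity IDs
    audience = "https://sirtfi-coordination.example.org"
    payload = {"subject": {"format": "opaque", "id": "pairwise-7d2f"},
               "reason": "credential phishing", "severity": "high"}
    token = build_set(issuer, audience, EVENT_TYPE, payload, DEMO_KEY,
                      jti="evt-0001", iat=1551432902)
    seen = set()
    claims = verify_set(token, DEMO_KEY, issuer, audience, seen)
    outcome = {"claims": claims, "replay_rejected": False, "tamper_rejected": False}
    try:                                   # same jti delivered twice
        verify_set(token, DEMO_KEY, issuer, audience, seen)
    except ValueError:
        outcome["replay_rejected"] = True
    head, body, sig = token.split(".")     # payload edited, original signature kept
    altered = json.loads(_b64url_decode(body))
    altered["events"][EVENT_TYPE]["severity"] = "low"
    forged = ".".join([head, _b64url(json.dumps(altered).encode()), sig])
    try:
        verify_set(forged, DEMO_KEY, issuer, audience, set())
    except ValueError:
        outcome["tamper_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(json.dumps(roundtrip(), indent=2))
```

The `events` object is where a shared Sirtfi message schema would live: agree on the event type URIs and the payload fields under each, and every federation's tooling can validate the envelope the same way regardless of who operates the hub or whether delivery is distributed.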