https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.

Presentation transcript:

1 NA3 Task 4 – Scalable Policy Negotiation: SP/IdP Proxies and Policy Trust Framework
https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
David Kelsey (STFC-RAL)
AARC AHM, Utrecht, 26 May 2016

2 Flow of attributes and trust – via SP/IdP Proxy
[Figure: diagram showing attribute flow and trust flow. Picture from Ann Harding (SWITCH)]

3 Policy and Trust Framework – requirements and proposal
- A framework which binds all IdPs, SPs and AAs together (within the Research Community)
- Enable the ID federations to trust the Proxy (and hence the community behind it)
- To allow and encourage the release of attributes
- The federations only see the one Proxy as an SP
- Q: Why should the federations trust the Proxy?
- A: The Proxy needs to assert categories and assurance marks
  - R&S
  - Sirtfi
  - Data Protection (CoCo)
- Develop a new assurance mark: “This is a trust-worthy Proxy”
- And all SPs and AAs in the community are bound by a policy framework (but not registered in a federation)
- Allow downstream services to trust the Proxy
- Is this yet another assurance flag to be set in metadata?

4 Build on earlier work of Security for Collaborating Infrastructures (SCI)
- A Trust Framework for Security Collaboration among Infrastructures
- http://pos.sissa.it/archive/conferences/179/011/ISGC%202013_011.pdf
- EGI, HBP, PRACE, EUDAT, CHAIN, WLCG and XSEDE
- Defined a policy framework to build trust and develop policy standards for collaboration on operational security
- Was also used as the basis for Sirtfi
- Sections in the document:
  - Operational Security
  - Incident Response
  - Traceability
  - Responsibilities of Users, Communities and Service Providers
  - Legal issues, liability and management
  - Data Protection

5 Build a new Trust and Policy Framework
- Start from SCI document (CC BY-NC-SA)
- Add new policy requirements
  - E.g. behaviour of the Proxy and AA
- Remove topics not needed
- Reword existing topics to meet our needs
- Team already formed: Dave Kelsey, Mikael Linden, Ian Neilson, Hannah Short, Uros Stevanovic (and David Groep as WP leader)
  - More welcome
- SCIV2-WG now active in WISE
  - Can we merge SCI version 2, Sirtfi and this new framework?
  - https://wiki.geant.org/display/WISE/SCIV2-WG

6 Name? A proposal
- Security Networked-Community Trust-framework for Federated Identity
- Snctfi
- Sanctify, meaning: make legitimate or binding
- Synonyms for sanctify: approve, endorse, permit, allow, authorise, legitimise, “free from sin”

7 One very important component of the Framework
- Data Protection
- Federations need to trust the Proxy and downstream community SPs to handle personal data correctly
- See next talk by Ian Neilson

8 Thank you. Any questions?
https://aarc-project.eu
david.kelsey@stfc.ac.uk
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).

