InCommon Silver

Introduction

For identity vetting and authentication of subscribers, the CILogon Silver CA relies on US research and education institutions who are members of the InCommon Federation and have been certified via the InCommon Identity Assurance Framework to operate under the InCommon Silver Identity Assurance Profile. This page contains information about the adoption of InCommon Silver related to the CILogon Silver CA.

Status

In October 2012, Virginia Tech became the first university in the country to achieve the InCommon Silver level of assurance. Adoption of InCommon Silver by additional InCommon members is underway. The current list of certified identity providers is available at www.incommon.org/federation/info/all-idps-certified.

The CIC InCommon Silver Project is implementing InCommon Silver across the Big Ten universities plus the University of Chicago, the University of Washington, and Virginia Tech, with a target date of Fall 2011. The project issued a Phase 1 Report in July 2010. In October 2010, the CIC project established a partnership with the Southeastern Universities Research Association (SURA) and the Mid-Atlantic Crossroads (MAX) to support SURA institutions interested in implementing InCommon Silver (see: announcement). The CIC project issued a Fall 2011 Progress Report.

A January 12, 2011 InCommon Silver Workshop included updates from Michigan State, Virginia Tech, UChicago, and University of Iowa on their InCommon Silver progress.

On March 9, 2011, InCommon made available Public Review Drafts of updated (v1.1) Identity Assurance Assessment Framework (IAAF) and Identity Assurance Profiles (IAP) documents. The public comment period runs through March 28, 2011. The updates address:
  • migration from the no-longer-extant US federal government eAuthentication Credential Assessment Framework (CAF) to the Identity, Credential and Access Management (ICAM) initiative's Trust Framework Provider Adoption Process (TFPAP), and
  • comments and recommendations from early-adopter campuses.
The v1.1 update was approved by InCommon Steering in June 2011.

The InCommon Assurance Program officially launched on February 29, 2012. InCommon was officially approved as a FICAM Trust Framework Provider on that day.

We expect members of the DOE Science Identity Federation to pursue InCommon Silver accreditation. In particular, the LHC Tier 1 sites in the United States (FNAL and BNL) provide accounts for many US physicists and so would be very valuable InCommon Silver identity providers for physics research.

Credential Strength

If the subscriber is authenticated to the identity provider using a password (or PIN), the InCommon Silver profile requires the password to have at least 10 bits of min-entropy, i.e., user-chosen passwords must be at least 15 characters long. Some InCommon members are considering using one-time password tokens or other two-factor authentication methods to meet the Silver profile's requirement for strong authentication to the identity provider. For example, the University of Minnesota is considering using its M Key tokens for InCommon Silver authentication. Virginia Tech, Indiana University, and the University of Michigan have also indicated they will achieve Silver using multi-factor authentication. Because two-factor authentication may be required for access to systems such as Kraken and Blue Waters, campuses that adopt two-factor authentication as part of their InCommon Silver adoption may enable CILogon Silver certificates to be used for access to these systems.

Remote Proofing

The InCommon Silver profile allows both in-person and remote proofing methods (analogous to the identity proofing methods identified for Level 2 in NIST SP 800-63). The remote proofing methods are currently a subject of active discussion, and it is not yet clear if any InCommon members will use remote proofing methods with InCommon Silver. For some discussion and materials on remote proofing/credentialing in academia, see:

References