Alternative Means for Satisfying Assurance Criteria
- Overview of Alternative Means
- Approved (and Expired) Alternative Means
- Requirements for Citing Approved Alternative Means in an IdPO Application
- Requirements for Submitting Proposed Alternative Means
- Criteria Used to Assess Alternative Means
Overview of Alternative Means
The Identity Assurance Assessment Framework and Identity Assurance Profiles define specific requirements that Identity Provider Operators must meet in order to be eligible to include InCommon Identity Assurance Qualifier(s) in identity assertions offered to service providers. In addition to the specific requirements, the documents allow for the use of equivalent or stronger methods, called alternative means, to satisfy the criteria. Examples include using other authentication technologies or encryption methodologies that are comparable or superior to the requirements stated in the specification documents.
If an Identity Provider Operator (IdPO) wishes to employ an alternative means that it has determined to be comparable or superior to IAP requirements, the IdPO must provide to InCommon a solid rationale for acceptance and comparability to the identified profile.
If approved, the alternative means will be published to the Assurance website and considered normative. If another IdPO uses one or more of the published techniques, then no request for review of approved alternative means is required, but the technique(s) must be cited in the application.
Approved Alternative Means
Below are the approved alternative means that InCommon has identified as comparable or superior to requirements in one or more Identity Assurance Profiles. They are considered normative and, once approved, part of the specification. Questions or comments can be referred to the community list assurance AT incommon.org or sent to the Assurance Advisory Committee at admin AT incommon.org.
| Alternative Means Reference | Identity Assurance Profile Section(s) Addressed | Title of Alternative Means |
| --- | --- | --- |
| | 4.2.3. Credential Technology | Alternative Means for Meeting Criteria in IAP V1.2 Section 4.2.3 |
A list of alternative means that have since expired is also available on the wiki.
Requirements for Citing Approved Alternative Means in an IdPO Application
When applying for certification, you must include the following information about any approved alternative means used to address the profile requirements:
- Include the name and identifier of the published alternative means.
- Cite the requirement(s) of the IAP that the alternative means is being proposed to address.
- Describe the reasons for proposing the alternative. What is the intent?
Requirements for Submitting Proposed Alternative Means
When applying for a review of proposed alternative means, the sponsoring IdPO or Community Group must develop and document a rationale that:
- Cites the requirement(s) of the IAP that the alternative means is being proposed to address.
- Describes the reasons for proposing the alternative. What is the intent?
- Describes any risks exposed by the alternative means and how they are mitigated.
- Includes specific text that IdPO management can use to assert that their implementation of the alternative means is comparable or superior to the cited IAP requirement(s) in mitigating risk.
- Includes documentation of why and how the alternative means is comparable or superior to the cited IAP requirement(s).
Alternative means may be brought for consideration in three ways:
- IdPO proposes means prior to application for certification. Develop a PDF or .doc file containing the above rationale and send it to admin AT incommon.org.
- IdPO proposes means at the time of application.
  - Applications having an audit summary must include:
    - The rationale as part of the audit summary.
    - The auditor's concurrence and agreement with management's assertion.
  - For Representation of Conformance Bronze, send the rationale as a PDF or .doc file to admin AT incommon.org.
- A community group of experts from higher education (HE) and industry proposes means at any time. Send a link, PDF or .doc file containing the rationale to admin AT incommon.org.
Organizations are encouraged to engage the InCommon community in discussions of potential proposals for alternative means they may submit by using the assurance AT incommon.org email list.
Criteria Used to Assess Alternative Means
Proposals for alternative means will be assessed using the following criteria:
- Are all of the cited IAP requirement(s) actually addressed by the alternative means described in the proposal?
- Does the alternative means address all of the risks addressed by the cited IAP requirement(s)?
- Does the alternative means address those risks in a manner that is comparable or superior to that specified by the cited IAP requirements?
- Does the alternative means adequately mitigate any other inherent risks?