Further Risk Assessment

Participants in the Federation place a certain amount of trust in the Federation Organization to perform correctly and reliably the support functions that it provides. In addition, Participants place a great deal of trust in each other as the source of attribute information or as a trusted recipient of subject information. In some cases, mitigation of Participant-to-Participant risk will require explicit agreements or contracts. The discussion below highlights some of the ways in which operation of the Federation might incur risk to Participants and what measures might be taken to mitigate those risks.

1.      Participant Organizations

The Federation depends upon organizations to identify individuals who are empowered to represent the legal and business interests of the organization. The signatory to the Participant Agreement is assumed to be such a person, and the Federation assumes that this signatory can represent and delegate the management of identity and resource services to executives, administrators, and technicians within the same organization.

Vetting of these relationships is based on the independent discovery of open directories and direct telephone contact.

If a Participant somehow provides incorrect information to the Federation, and another Participant relies on that information, (e.g., the commitment to abide by Federation rules and the Participant Agreement) and something goes wrong, the relying party may not be able to recover damages.

2.      Metadata

Participants provide their own metadata to the Federation, but the Federation must aggregate that information and provide it reliably and accurately to all other Participants.There is a very small and remote chance that such information might become corrupted or misplaced in the process of relaying it to Federation Participants. This might result in the inability of a potential user to be redirected to an appropriate identity management system or registered service. Distribution of revised metadata might be delayed or even mis-configured. This would cause temporary loss of functionality for the affected Participant. If a participant's certificate was compromised and listed in the metadata, or the wrong key was listed for a participant's system, potential exposures could occur.

3.      The InCommon WAYF

The InCommon WAYF is a component of the Shibboleth service offering

that some Resource Providers require for proper operation in order that

users may select which Identity Provider they wish to use. It has been designed for high availability, but its database might be accidentally corrupted or inconsistent among the redundant platforms. This would cause temporary inconvenience for users who might not be able to find their Identity/Credential Provider or might be redirected to an incorrect Identity/Credential Provider.

4.      Changes in the FOPP or in Participants' POPs

The Federation Operational Practices and Practices statement and the Participant Operational Practices statements form the basis, in part, of trust among Federation Participants. The Federation has a critical role in ensuring that the FOPP is current and that Participant POPs are available to all Participants. Failure to do so might inadvertently cause a relying party to make a decision about trust in another party that it would not have otherwise made. Each Federation Participant is responsible for keeping its own POP current.

Great care has gone into the development and implementation of the operational processes which are described in the technical documents (available on the InCommon website). However, a number of functions of the initial Federation may not be as robust as some potential applications require. The Federation is committed to improving all of its services to Participants as it learns more about the actual operation and needs of the Federation.

(last revised 15 February 2007)