| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| en:degrees_of_reliance [2017/07/06 13:54] – Wolfgang Pempe | en:degrees_of_reliance [2017/07/06 13:59] – Wolfgang Pempe |
|---|
| **Please note that the Degree of Reliance does not necessarily refer to the complete IdM of a Home Organisation. It must be guaranteed that only those identities which conform to a certain Degree of Reliance are able to access a resource (service) requiring at least this Degree of Reliance. I.e. the Home Organisation has to make sure that only identities meeting the requirements of the Degree of Reliance "Advanced" are able to access a resource in DFN-AAI-Advanced.** | **Please note that the Degree of Reliance does not necessarily refer to the complete IdM of a Home Organisation. It must be guaranteed that only those identities which conform to a certain Degree of Reliance are able to access a resource (service) requiring at least this Degree of Reliance. I.e. the Home Organisation has to make sure that only identities meeting the requirements of the Degree of Reliance "Advanced" are able to access a resource in DFN-AAI-Advanced.** |
| |
| ===== 2 Minimal Requirements of the Different Degrees of Reliance ===== | ===== 2 Minimum Requirements of the Different Degrees of Reliance ===== |
| Besides the aspects of trustworthy server-side communication ensured by digital certificates, the degrees of reliance are determined by the following three criteria: | Besides the aspects of trustworthy server-side communication ensured by digital certificates, the degrees of reliance are determined by the following three criteria: |
| * **I:** The procedure with which the Home Organisation confirms the identity of the individual user, | * **I:** The procedure with which the Home Organisation confirms the identity of the individual user, |
| * **D:** Data management and processes implemented by the Home Organisation to maintain its members' digital identities. | * **D:** Data management and processes implemented by the Home Organisation to maintain its members' digital identities. |
| |
| The following tables determine the specific **minimal requirements** of each degree. This implies that procedures which are defined as minimum requirement of a higher degree are also acceptable for lower degrees. | The following tables determine the specific **minimum requirements** of each degree. This implies that procedures which are defined as minimum requirement of a higher degree are also acceptable for lower degrees. |
| |
| ==== 2.1 Verfahren zur Identifizierung durch die nutzende Einrichtung (I) ==== | ==== 2.1 Identification Procedure by the Home Organisation (I) ==== |
| Die nutzende Einrichtung muss ihren Nutzern eindeutige digitale Identitäten zuordnen. Dabei muss sie feststellen, um welchen Nutzer der Einrichtung es sich jeweils handelt. Hierzu sind im Rahmen der DFN-AAI mehrere Verfahren möglich. | The Home Organisation has to assign unique digital identities to their users. In this context, it must ascertain the identity of each individual user. There are several acceptable procedures within the DFN-AAI for this purpose. |
| ^ Klasse ^ Mindestanforderung ^ Bemerkung ^ | ^ Degree ^ Minimum Requirement ^ Comments ^ |
| ^ Test | Verfahren freigestellt | In dieser Klasse ist es der nutzenden Einrichtung freigestellt, wie sie die Identität ihrer Angehörigen feststellt. Diese Klasse ist ausschließlich für Testzwecke vorgesehen. | | ^ Test | any procedure | the Home Organisation may use any procedure to ascertain the identity of its users - this degree is intended for testing purposes only | |
| ^ Basic | Identifizierung anhand der Rückantwort von einer eindeutigen Adresse (z.B. eMail-Adresse, Telefonanschluss, Postanschrift) | Dieses Verfahren erlaubt eine einfache und schnelle Identifizierung, die ggf. für einige Ressourcen ausreichend ist. Bei dieser Identifizierung bleibt lediglich ungeprüft, ob sich hinter einer eindeutigen Adresse tatsächlich die vermutete Identität verbirgt. (Oder ob sich z.B. jemand anders eines Briefes an eine Postadresse bemächtigt hat.) | | ^ Basic | identification by means of a response from a unique address (e.g. email, phone number, postal address) | this procedure facilitates a quick and simple identification which may be sufficient for some resources - in this case a certain risk remains that the identity of the user could have been forged or stolen by an illegal third party | |
| ^Advanced | Identifizierung durch das persönliche Vorsprechen gegenüber einer Vertrauensinstanz mit einem amtlichen Dokument zur Identitätsfeststellung. Die an den Hochschulen etablierten Einschreibungs- und Einstellungsprozesse werden als gleichwertig akzeptiert. | Mit diesem Verfahren kann eine Identität zweifelsfrei sichergestellt werden. (Beispiele: Immatrikulation von Studierenden unter Vorlage der Hochschulberechtigung, Personalausweis, etc., Abschluss des Arbeitsvertrages mit Angestellten einer Hochschule einschließlich einer adäquaten Identitätsprüfung, persönliches Vorsprechen mit Personalausweis bei einer RA der DFN-PKI, eID-Funktion des neuen Personalausweises oder Verfahren "Post-Ident".) | | ^ Advanced | for identification, users must present themselves in person with an official ID. The enrolment and recruitment procedures established by the universities are considered as equivalent. | by means of this procedure the identity can unequivocally be ascertained (example: enrolment of students presenting a certificate of qualification for university entrance, identity card, etc., entering into an employment contract including an adequate identity check, personal presentation with an identity card at a RA of the DFN-PKI, eID function of the nPa ["neuer Personalausweis"] or the so-called "Post-Ident" procedure) | |
| |
| ==== 2.2 Verfahren zum Ausweis einer Identität (A) ==== | ==== 2.2 Verfahren zum Ausweis einer Identität (A) ==== |