How important is it for you that...

Identity concept

  • account belongs to an individual
  • and s/he is traceable (i.e. the home organization knows and can reach him/her)
  • and Home Organisation is willing to penalize him/her
  • that you (as an SP community) can block him/her from the service
  • user identifiers are persistent and not reassigned
  • user identifiers are shared (i.e. not pairwise/targeted)

Initial proof of identity

  • the home organization has a documented identity vetting process
  • the identity vetting process is f2f or equivalent

On-line authentication

  • passwords
  • passwords with quality guarantees? (What?)
  • two factor authentication

Would you like to use step-up authentication as a service?

  • if it costs you money
  • if it costs you work (operating a registration authority)

Freshness of user data

  • accounts are closed as an individual departs? How promptly?
  • eduPersonAffiliation is updated as an individual departs? How promptly?

Provenance of the identity and authentication

  • Is it enough that the Home Organisation self-asserts the above?
  • plus someone who has some enforcement rights (e.g. can remove “compliant” tag from the HO)
  • also internal audits needed?
  • also external audits needed?

---

Do we want to mix these things here?

  • attribute population; which attributes the Home Organisation populates for users
  • attribute release; which attributes the Home Organisation is willing to release

 
