e-Infrastructure Security Levels of Assurance
Overview
This project (ES-LoA) investigates current and future needs among the UK research and education community for a more fine-grained authorisation scheme that would allow service providers to take into account the levels of confidence in identifying a remote entity requesting service access. Such a fine-grained authorisation scheme is attractive to service providers offering resources with varying levels of sensitivity and/or wishing to tailor their security protections based upon risk levels. Service providers may wish to restrict access to more sensitive resources only to those who have gone through a more stringent authentication process.
Aims and objectives
- To investigate existing definitions of LoA at the international level
- To build community consensus and make proposals with regard to standard definitions of LoA for use within the UK HE sector
- To examine the current applications of LoA to various types of resources
- To make recommendations for appropriate policies and practices through building community consensus, in using the appropriate LoA as defined by the worth and sensitivity of the resources
- To identify any gaps in existing authentication and authorization policies, procedures, and infrastructure structure and processes for the use of LoA in the long term in the UK education and research community
Project methodology
Tasks 1 and 2, largely undertaken by Aleksandra Nenadic, are to investigate existing definitions of LoA and to build community consensus and make proposals with regard to standard definitions of LoA for use within the UK JISC community. Tasks 3 and 4, jointly undertaken by Michael Jones and Terry Morrow, focus on examining the current applications of LoA to various resources and making recommendations for appropriate policies and practices for UK services and institutions, through building community consensus, in using the appropriate LoA as defined by the worth and sensitivity of the resources. Finally, task 5 will be undertaken by all the researchers.
Anticipated outputs and outcomes
- D1: A full review and investigation of current definitions of LoA at both national and international levels.
- D2: Recommendations for follow-on work on LoA.
- D3: A full review of current applications of LoA.
- D4: A defined set of LoA recommendations for use within the UK education and research communities.
- D5: Recommendations and exemplars with regard to the applications of LoA.
- D6: Final report consisting of two parts – Defining Level of Assurance and Applying Level of Assurance.
Expected outcomes include strengthening our international standing in developing e-Infrastructure security, and raising the community’s awareness of the definition and applications of LoA.
Technology and Standards used
- Electronic Authentication Guideline – NIST Special Publication 800-63, Version 1.0.2.
- E-Authentication Guidance for Federal agencies - OMB Memorandum M-04-04.
- Registration and Authentication - e-Government Strategy Framework Policy and Guidelines, Version 3.0.
- e-Government Authentication Framework, Version 1.0.
- Shibboleth, Version 1.2, and Version 1.3.
Lead institution
Project Staff
Project Manager
- Ning Zhang, University of Manchester, School of Computer Science, Tel: (+44) (0161) 275 611, Fax: (+44) (0161) 275 6204 ning.zhang@manchester.ac.uk
Project Team
- Aleksandra Nenadic, University of Manchester, School of Computer Science, Tel: (0161) 275 6270, Fax: (0161) 275 6204 aleksandra.Nenadic@manchester.ac.uk
- Stephen Pickles, University of Manchester, Manchester Computing, Tel: (0161) 275 5974; Fax: (0161) 275 6800 stephen.pickles@manchester.ac.uk
- Mike Jones, University of Manchester, Manchester Computing, Tel: (0161) 275 5974; Fax: (0161) 275 6800 Mike.Jones@manchester.ac.uk
- Ross MacIntyre, University of Manchester, Manchester Computing, Tel: (0161) 275 5974; Fax: (0161) 275 6800 Ross.Macintyre@manchester.ac.uk
- Terry Morrow, University of Manchester, Manchester Computing, Tel: (0161) 275 5974; Fax: (0161) 275 6800 tm_morrow@yahoo.co.uk