As the first step in eduGAIN's security arrangements we need to establish proper communication channels with the eduGAIN participants. As agreed by the eduGAIN Steering Committee, we will require that federations provide their security contacts and make them available for security matters in eduGAIN. Policies and procedures will follow later; in this phase we only aim at a very light and flexible arrangement that establishes the essential security baseline. We have re-used the Sirtfi requirements as much as possible.
The security contact shall meet the following base requirements:
- It is recommended to use a dedicated email address (for example a role or team mailbox) for the security contact; personal email addresses are discouraged.
- You are encouraged to provide a URL pointing to your incident handling process, if one is available.
- Where possible, use the NREN's security function (the local CERT/CSIRT). We will also accept a security capability specific to the federation service, provided the organisation has a proper procedure for handling the communication.
- In case of a federated security incident possibly related to eduGAIN entities, notify the eduGAIN CSIRT [eduGAIN-CSIRT] as required by the eduGAIN Security Incident Response Handbook [eduGAIN-SIRH].
- Respond to requests for assistance with a security incident from the eduGAIN CSIRT or other eduGAIN participants in a timely manner. The recommended response time is half a business day.
- Respect the Traffic Light Protocol [TLP] information disclosure policy and use it during incident response communications (see https://www.first.org/tlp).
- The contact must expect that the eduGAIN CSIRT runs periodic communication checks, which are to be handled like any other incident response communication.
TODO: add how to update the information (solicited and unsolicited).
[eduGAIN-CSIRT] https://edugain.org/edugain-security/
[eduGAIN-SIRH] https://wiki.refeds.org/download/attachments/44958353/eduGAIN%20Security%20Incident%20Response%20Handbook%20v1.0.pdf