National Identity Exchange Federation (NIEF)
Trustmark Policy
Version 1.1
February 2, 2016
Copyright © 2016, Georgia Tech Research Institute

Page 2: National Identity Exchange Federation (NIEF) Trustmark Policy Version … · NIEF Trustmark Policy Version 1.1 2 Figure 1: The Trustmark Concept Map The following terms and concepts

NIEFTrustmarkPolicy Version1.1

i

TableofContents

TABLEOFCONTENTS I

1 INTRODUCTIONANDPURPOSEOFTHISDOCUMENT 11.1 FUNDAMENTALCONCEPTS 11.1.1 TRUSTMARKFRAMEWORKCONCEPTSANDDEFINITIONS 11.1.2 THETRUSTMARKLEGALFRAMEWORK 31.2 DOCUMENTNAMEANDIDENTIFICATION 41.3 POLICYADMINISTRATION 41.3.1 ORGANIZATIONADMINISTERINGTHEDOCUMENT 41.3.2 CONTACTPERSON 51.3.3 ENTITYDETERMININGTRUSTMARKPOLICYSUITABILITY 51.3.4 TRUSTMARKPOLICYAPPROVALPROCEDURES 51.4 ACRONYMS 51.5 REFERENCES 51.6 PUBLICATIONOFTHISDOCUMENT 6

2 ROLESANDRESPONSIBILITIES 62.1 TRUSTMARKPROVIDER 62.2 TRUSTMARKRECIPIENT 72.3 TRUSTMARKRELYINGPARTY 7

3 TRUSTMARKAPPLICATION,ASSESSMENT,ANDISSUANCE 83.1 ESTABLISHMENTOFATRUSTMARKRECIPIENTIDENTIFIER 83.2 TRUSTMARKAPPLICATIONANDASSESSMENTPROCESS 93.2.1 ASSESSORQUALIFICATIONS 103.2.2 FRESHNESSOFASSESSMENTPROCESSARTIFACTSANDTRUSTMARKPERIODOFVALIDITY 103.2.3 RETENTIONOFASSESSMENTPROCESSRESULTSANDEVIDENTIARYARTIFACTS 103.2.4 PROTECTIONANDDISCLOSUREOFASSESSMENTPROCESSRESULTSANDEVIDENTIARYARTIFACTS 113.3 TRUSTMARKISSUANCE 113.3.1 SIGNINGOFTRUSTMARKSANDPROTECTIONOFTRUSTMARKSIGNINGCERTIFICATES 113.3.2 CONFORMANCEOFISSUEDTRUSTMARKSTOTRUSTMARKFRAMEWORKSPECIFICATIONS 123.3.3 USEOFIDENTIFIERSINTRUSTMARKSISSUED 123.3.4 PUBLICATIONOFTRUSTMARKSISSUED 123.3.5 PERIODOFVALIDITYFORTRUSTMARKSISSUED 133.3.6 ISSUANCEOFPROVISIONALTRUSTMARKSWITHDOCUMENTEDASSESSMENTEXCEPTIONS 13

4 THETRUSTMARKLIFECYCLE 144.1 TRUSTMARKISSUANCE 144.2 TRUSTMARKUSAGEANDTERMSOFACCEPTABLEUSE 144.2.1 TRUSTMARKVALIDITY 144.2.2 SCOPEOFTRUSTMARKAPPLICABILITY 154.2.3 BINDINGOFTRUSTMARKSTOOPERATIONALSERVICEENDPOINTS 164.3 TRUSTMARKSTATUSCHECKING 17

Page 3: National Identity Exchange Federation (NIEF) Trustmark Policy Version … · NIEF Trustmark Policy Version 1.1 2 Figure 1: The Trustmark Concept Map The following terms and concepts

NIEFTrustmarkPolicy Version1.1

ii

4.4 TRUSTMARKEXPIRATION 174.5 TRUSTMARKREVOCATION 184.5.1 CONDITIONSFORREVOCATION 184.5.2 REVOCATIONPROCESS 184.5.3 NOTIFICATIONOFREVOCATIONTOTRUSTMARKRELYINGPARTIES 184.6 TRUSTMARKRENEWALANDREISSUANCE 19

5 TRUSTMARKTECHNICALSUPPORTSERVICES 19

Page 4: National Identity Exchange Federation (NIEF) Trustmark Policy Version … · NIEF Trustmark Policy Version 1.1 2 Figure 1: The Trustmark Concept Map The following terms and concepts

NIEFTrustmarkPolicy Version1.1

1

1 Introduction and Purpose of This Document

This National Identity Exchange Federation Trustmark Policy ("NIEF Trustmark Policy") governs the lifecycle for trustmarks issued by any Trustmark Provider that is registered to participate in the NIEF community.[1] It covers the topics of trustmark assessment, trustmark issuance, trustmark usage and reliance, trustmark expiration, trustmark revocation, and trustmark reissuance and renewal. It also covers the roles and responsibilities of all parties that enter into legal agreements with a Trustmark Provider by virtue of having received or relied upon one or more trustmarks issued by the Trustmark Provider.

1.1 Fundamental Concepts

A trustmark is a machine-readable, cryptographically signed digital artifact, issued by a Trustmark Provider to a Trustmark Recipient, and relied upon by one or more Trustmark Relying Parties. A trustmark represents an official attestation by the Trustmark Provider of conformance by the Trustmark Recipient to a well-defined set of requirements pertaining to trust and/or interoperability for the purpose of interaction with and use of digital information resources and services. A Trustmark Relying Party may rely upon a trustmark as the basis for third-party trust in the Trustmark Recipient with respect to the set of requirements represented by the trustmark. A Trustmark Definition expresses the specific set of requirements represented by a trustmark.

A Trustmark Provider issues, cryptographically signs, and publishes various trustmarks for organizations or business entities (Trustmark Recipients) that wish to obtain and use those trustmarks as a mechanism for establishing trust with other entities (Trustmark Relying Parties), including partner organizations and individuals. Each of these entities relies on the integrity of the trustmarks issued, which requires implicit reliance on the trustmark lifecycle management process for the trustmarks. For these reasons, the NIEF Center has adopted this NIEF Trustmark Policy.

1.1.1 Trustmark Framework Concepts and Definitions

Figure 1 shows the Trustmark Framework Concept Map, which illustrates the basic elements in the Trustmark Framework. It indicates at a high level what a trustmark is, how it is defined, and how it is used.

[1] To see the list of Trustmark Providers that are currently registered to participate in the NIEF community, please visit https://nief.org/participants/trustmark-providers/.

Figure 1: The Trustmark Concept Map

The following terms and concepts are represented in the preceding figure.

A trustmark is a machine-readable, cryptographically signed digital artifact that represents a statement of conformance to a well-scoped set of trust and/or interoperability requirements. It exists as an eXtensible Markup Language (XML) object and conforms to a normative specification as defined in [TFTS]. Its issuer, also called the Trustmark Provider, cryptographically signs it to ensure its integrity.

A Trustmark Provider is an organization or other business entity that issues a trustmark to a Trustmark Recipient based on a formal assessment process. The trustmark serves as a formal attestation by the Trustmark Provider that the Trustmark Recipient conforms to a well-defined set of requirements. The trustmark is issued under a Trustmark Policy (not shown in figure) and is subject to a Trustmark Recipient Agreement (also not shown in figure). A Trustmark Recipient is always an organization or other business entity; trustmarks are not issued to individuals.

A Trustmark Definition specifies the conformance criteria that the Trustmark Recipient must meet, as well as the formal assessment process that the Trustmark Provider must perform to assess whether the Trustmark Recipient qualifies for the trustmark. There can be many different types of trustmarks, and each type of trustmark has its own Trustmark Definition. A Trustmark Definition is also sometimes called a Trustmark Component Definition.

A Trustmark Definition is developed and maintained by a Trustmark Defining Organization, which represents the interests of one or more Stakeholder Communities. A Trustmark Defining Organization is similar in function to a Standards Development Organization. A Trustmark Defining Organization does not play an active role in the issuance of a trustmark, and does not enter into any legal agreement as part of the issuance or use of trustmarks; its only role is to represent Stakeholder Communities and publish Trustmark Definitions that represent the requirements of those communities.

Possession of a trustmark by the Trustmark Recipient is required by a Trustmark Relying Party, which treats the trustmark as third-party-verified evidence that the Trustmark Recipient meets the trust and/or interoperability criteria set forth in the Trustmark Definition for the trustmark. When it relies on a trustmark, a Trustmark Relying Party enters into a Trustmark Relying Party Agreement (not shown in figure) with the Trustmark Provider. A Trustmark Relying Party may be either an organization or an individual.

A Trustmark Relying Party defines a Trust Interoperability Profile that expresses a trust and interoperability policy in terms of a set of trustmarks that a Trustmark Recipient must possess in order to meet its trust and interoperability requirements.

1.1.2 The Trustmark Legal Framework

Figure 2 illustrates the Trustmark Legal Framework. It builds upon the basic Trustmark Framework depicted in Figure 1, adding detail about how trustmark issuance, use, and reliance work from a legal perspective.

Figure 2: The Trustmark Legal Framework

A trustmark is issued from a Trustmark Provider to a Trustmark Recipient under a Trustmark Recipient Agreement, which is a standard two-party contract that establishes an explicit legal agreement between the Trustmark Provider and Trustmark Recipient. The Trustmark Recipient Agreement is lightweight, and it incorporates the Trustmark Policy by reference. The Trustmark Provider and the Trustmark Recipient both must sign the Trustmark Recipient Agreement to execute it.

When a Trustmark Relying Party chooses to rely upon a trustmark, the Trustmark Relying Party must enter into a Trustmark Relying Party Agreement with the Trustmark Provider. The Trustmark Relying Party Agreement is also a two-party contract; however, it is not a standard two-party agreement that both parties must sign. Instead, it is a "clickwrap" or "clickthrough" agreement that becomes effective by virtue of the Trustmark Relying Party using or relying on a trustmark issued by the Trustmark Provider. The Trustmark Relying Party Agreement is also lightweight, and it too incorporates the Trustmark Policy by reference.

Note, as indicated by Figure 2, that the trustmark object contains references to both the Trustmark Policy under which it was issued and the Trustmark Relying Party Agreement to which Trustmark Relying Parties are subject if they choose to use or rely upon the trustmark.

Note also that even though the purpose of a trustmark is to provide a basis for trust between the Trustmark Recipient and Trustmark Relying Party, the Trustmark Legal Framework does not establish an explicit legal relationship between these two entities. Instead, the framework establishes separate explicit legal relationships between each entity and a third party, the Trustmark Provider.

1.2 Document Name and Identification

The name of this document is: "National Identity Exchange Federation Trustmark Policy".

1.3 Policy Administration

This section includes the name and mailing address of the organization that is responsible for maintaining and updating this trustmark policy. It also includes the name, email address, and telephone number of a contact person.

1.3.1 Organization Administering the Document

The NIEF Center is the administering organization for this trustmark policy. The NIEF Center's full name and mailing address is:

Georgia Tech Applied Research Corporation
National Identity Exchange Federation Center
Georgia Tech Research Institute
Information and Communications Laboratory
75 5th Street, NW, Suite 900
Atlanta, GA 30308

1.3.2 Contact Person

The contact person for the NIEF Center is:

John Wandelt, National Identity Exchange Federation Center Director
Georgia Tech Research Institute
Information and Communications Laboratory
75 5th Street, NW, Suite 900
Atlanta, GA 30308
Phone: 404-407-8956
Email: [email protected]

1.3.3 Entity Determining Trustmark Policy Suitability

The NIEF Center determines the suitability of this trustmark policy.

1.3.4 Trustmark Policy Approval Procedures

This trustmark policy requires approval by the NIEF Center Director.

1.4 Acronyms

Table 1 contains a list of acronyms used in this document and related documents.

Acronym   Meaning
HTTP      Hypertext Transfer Protocol
NIEF      National Identity Exchange Federation
SAML      Security Assertion Markup Language
SSL       Secure Sockets Layer
TD        Trustmark Definition
TFTS      Trustmark Framework Technical Specification
TLS       Transport Layer Security
TP        Trustmark Provider
TPID      Trustmark Provider Identifier
TR        Trustmark Recipient
TRID      Trustmark Recipient Identifier
TRP       Trustmark Relying Party
TSR       Trustmark Status Report
URL       Uniform Resource Locator

Table 1: Acronyms Used

1.5 References

Table 2 contains a list of documents that pertain to the contents of this document.

Document ID   Document Name and URL if Applicable
TFTS          Trustmark Framework Technical Specification, Version 1.0
              https://trustmark.gtri.gatech.edu/specifications/trustmark-framework/1.0/tfts-1.0.pdf
NIEF TSCP     National Identity Exchange Federation Trustmark Signing Certificate Policy, Version 1.1
X509          Internet Engineering Task Force Request for Comments 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008
              https://www.ietf.org/rfc/rfc5280.txt

Table 2: Document References

1.6 Publication of This Document

The NIEF Center maintains this trustmark policy at an official, publicly accessible Publication URL. The Publication URL for this document is:

https://nief.org/policies/nief-trustmark-policy-1.1.pdf

2 Roles and Responsibilities

As introduced previously in Sections 1.1, 1.1.1, and 1.1.2, there are three primary roles that various entities may play in the issuance and usage of a trustmark. Those roles are:

• The Trustmark Provider, which issues the trustmark;

• The Trustmark Recipient, which is the entity to which and about which the trustmark is issued; and

• The Trustmark Relying Party, which is the entity that uses the trustmark as the basis for making decisions about whether to trust the Trustmark Recipient.

The following subsections enumerate the responsibilities of each of these roles.

2.1 Trustmark Provider

The Trustmark Provider is responsible for fulfilling the following obligations under this policy.

1. Establish one or more Trustmark Provider Identifiers (TPIDs) in accordance with the Trustmark Provider requirements stipulated in [TFTS], and register those TPIDs with the NIEF Center.

2. Publish one or more Trustmark Relying Party Agreements online at well-defined, publicly accessible locations (URLs) that correspond to the locations cited in trustmarks issued, and register those locations with the NIEF Center.

3. Perform trustmark assessments for prospective Trustmark Recipients in accordance with assessment processes as specified in the appropriate Trustmark Definitions. See Section 3.2 for more information about the trustmark assessment process.

4. Issue trustmarks by generating, cryptographically signing, and publishing them as appropriate for Trustmark Recipients that meet the required trustmark conformance criteria as specified by the assessment processes in the appropriate Trustmark Definitions. See Section 3.3 for more information about the trustmark issuance process.

5. Publish Trustmark Status Reports for all trustmarks issued, and update them as required due to trustmark expiration or revocation. See Section 4.3 for more information about how the Trustmark Provider publishes Trustmark Status Reports for the trustmarks that it issues. Also see Section 4.4 for more information about trustmark expiration, and see Section 4.5 for more information about trustmark revocation.

6. Provide trustmark technical support services to Trustmark Recipients and Trustmark Relying Parties on a best-effort basis. See Section 5 for more information.

2.2 Trustmark Recipient

By entering into a Trustmark Recipient Agreement with the Trustmark Provider and receiving one or more trustmarks issued by the Trustmark Provider, a Trustmark Recipient is responsible for fulfilling the following obligations under this policy.

1. Cooperate with the Trustmark Provider as required to establish a Trustmark Recipient Identifier (TRID) (see Section 3.1) and to work through the Trustmark Application and Issuance Process (see Section 3.2).

2. Verify the validity of any trustmark issued by the Trustmark Provider prior to using the trustmark, as per the process described in Section 4.2.1.

3. Use any trustmark issued by the Trustmark Provider only in accordance with the trustmark's Scope of Applicability, as described in Section 4.2.2.

4. Promptly report to the Trustmark Provider any conditions that constitute grounds for revocation of any trustmark issued by the Trustmark Provider, in accordance with Section 4.5.1.

2.3 Trustmark Relying Party

By using or relying upon any trustmark issued by the Trustmark Provider, a Trustmark Relying Party automatically enters into a Trustmark Relying Party Agreement with the

Trustmark Provider. Under that agreement, the Trustmark Relying Party is responsible for fulfilling the following obligations under this policy.

1. Verify the validity of any trustmark issued by the Trustmark Provider prior to using or relying upon the trustmark, as per the process described in Section 4.2.1.

2. Use or rely upon any trustmark issued by the Trustmark Provider only in accordance with the trustmark's Scope of Applicability, as described in Section 4.2.2.

3 Trustmark Application, Assessment, and Issuance

Organizations that wish to obtain one or more trustmarks from the Trustmark Provider may do so by completing the steps outlined in the subsections that follow.

3.1 Establishment of a Trustmark Recipient Identifier

As stipulated in [TFTS], before the Trustmark Provider can issue any trustmarks to a Trustmark Recipient, the Trustmark Provider and the Trustmark Recipient must agree upon a Trustmark Recipient Identifier (TRID) that uniquely identifies the Trustmark Recipient. The process for establishing a TRID is as follows.

1. The Trustmark Recipient shall choose its proposed TRID and notify the Trustmark Provider of its choice. The following rules and guidelines apply to the TRID.

   a. The proposed TRID must be a URL on a DNS domain that is under the control of the Trustmark Recipient.

   b. The proposed TRID should be chosen so as to uniquely identify the Trustmark Recipient as an organization, even if the organization is a department, subunit, or subsidiary of a larger organization.

      For example, Georgia Tech might choose "http://gatech.edu/" as its proposed TRID. But the Georgia Tech Office of Information Technology, which is a department of Georgia Tech, might choose "http://oit.gatech.edu/" to distinguish itself from its larger parent organization.

   c. A Trustmark Recipient that plans to obtain trustmarks from multiple Trustmark Providers should use the same TRID for each Trustmark Provider. If the Trustmark Recipient has already established a TRID with one or more other Trustmark Providers, then it should propose to the Trustmark Provider the same TRID that it uses for its interactions with one of the other Trustmark Providers.

2. The Trustmark Provider shall verify that the Trustmark Recipient controls the URL proposed as the TRID. The following rules and guidelines apply to the TRID verification process.

   a. The Trustmark Provider shall verify that the Trustmark Recipient controls the URL via a simple challenge-response process, in which: (i) the Trustmark Provider provides a long random number or other hard-to-guess data to the Trustmark Recipient, (ii) the Trustmark Recipient publishes the data temporarily at the proposed URL or a sub-path of it, and (iii) the Trustmark Provider performs an HTTP request of the URL to verify that the Trustmark Recipient was able to successfully publish the data as required.

   b. The Trustmark Provider may perform additional steps to verify that the Trustmark Recipient has positive control of the URL, e.g., verification of DNS domain name registration for the URL via WHOIS lookup, verification of an SSL or TLS certificate for the proposed DNS domain name, etc.
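The challenge-response check of step 2(a), as an added example; this is not code from the policy or from any NIEF or GTRI software. It assumes a Provider that issues a 256-bit random token, a Recipient that publishes the token as the plain-text body of a file under the proposed TRID (the ".well-known" file name used in demo() is a hypothetical choice), and a Provider that then fetches that file over HTTP. The fetch function is injected so that demo() runs offline against a constructed in-memory stand-in for the web; http_fetch is the real request. The sub-path test used for the publication location is the same test that Section 3.3.3 later requires of a trustmark identifier relative to the issuer's TPID.

```python
# Added example, not from the NIEF policy or GTRI: a Trustmark Provider-side
# implementation of the TRID control check in Section 3.1, step 2(a).
# Assumptions (not stated in the policy): the challenge value is published as
# the plain-text body of a document below the proposed TRID; the ".well-known"
# file name used in demo() is hypothetical.
import hmac
import secrets
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def trid_syntax_ok(trid):
    """Rule 1(a): the proposed TRID must be an http(s) URL on a DNS domain."""
    u = urlsplit(trid)
    host = u.hostname or ""
    return (
        u.scheme in ALLOWED_SCHEMES
        and "." in host                      # a DNS name, not a bare label or empty
        and u.username is None               # reject http://gatech.edu@evil.example/
        and ".." not in u.path.split("/")    # no traversal segments in the identifier
    )


def is_subpath(base, candidate):
    """True if candidate is base itself or lies below base's path on the same
    scheme, host and port. Step 2(a)(ii) needs this for the challenge
    location; Section 3.3.3 applies the same test to a trustmark identifier
    versus the issuer's TPID."""
    b, c = urlsplit(base), urlsplit(candidate)
    if b.scheme != c.scheme or b.scheme not in ALLOWED_SCHEMES:
        return False
    if (b.hostname or "") != (c.hostname or "") or b.port != c.port:
        return False                          # gatech.edu.evil.example is another host
    if ".." in c.path.split("/"):
        return False                          # "/a/../b" must not count as below "/a/"
    base_dir = (b.path or "/").rstrip("/") + "/"
    cand = c.path or "/"
    return cand.rstrip("/") == base_dir.rstrip("/") or cand.startswith(base_dir)


def new_challenge():
    """Step 2(a)(i): a long random value the Recipient cannot guess (256 bits)."""
    return secrets.token_urlsafe(32)


def verify_trid_control(proposed_trid, publish_url, expected, fetch):
    """Steps 2(a)(ii)-(iii): retrieve publish_url and compare it to the challenge.
    `fetch(url) -> str` is injected so the check can run offline; pass
    http_fetch to make the real HTTP request the policy describes.
    Returns (ok, reason)."""
    if not trid_syntax_ok(proposed_trid):
        return False, "proposed TRID is not an http(s) URL on a DNS domain"
    if not is_subpath(proposed_trid, publish_url):
        return False, "challenge was not published at the TRID or a sub-path of it"
    try:
        body = fetch(publish_url)
    except Exception as exc:                  # unreachable host, 404, TLS error ...
        return False, "could not retrieve challenge: %r" % (exc,)
    # Constant-time comparison; the published body may carry a trailing newline.
    if not hmac.compare_digest(body.strip().encode("utf-8"), expected.encode("utf-8")):
        return False, "published value does not match the challenge"
    return True, "Trustmark Recipient demonstrated control of the TRID"


def http_fetch(url, timeout=10):
    """Real fetch for production use (only the first 4 KiB of the body are read)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(4096).decode("utf-8", "replace")


def demo():
    """Constructed walk-through using an in-memory stand-in for the web."""
    trid = "http://gatech.edu/"                      # example TRID from the policy text
    token = new_challenge()
    publish_url = trid + ".well-known/nief-trid-challenge.txt"   # hypothetical path
    fake_web = {publish_url: token + "\n"}           # what the Recipient published
    fetch = lambda url: fake_web[url]                # KeyError stands in for HTTP 404

    ok, _ = verify_trid_control(trid, publish_url, token, fetch)
    # A stale or forged response: the Provider has since issued a new challenge.
    stale, _ = verify_trid_control(trid, publish_url, new_challenge(), fetch)
    # A look-alike host serving the right token still fails the sub-path test.
    lookalike, _ = verify_trid_control(
        trid, "http://gatech.edu.evil.example/nief-trid-challenge.txt", token,
        lambda url: token)
    return ok, stale, lookalike


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two points the policy text leaves implicit are made explicit here: the host, scheme and path of the publication URL are checked before any request is made, so a look-alike domain or a path that escapes the TRID via ".." never reaches the fetch, and the token is compared in constant time and is single-use. The optional step 2(b) checks (WHOIS registration, TLS certificate for the domain) are not implemented.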

After the TRID establishment process is complete, the Trustmark Provider shall use the established TRID for all trustmarks that it issues for and about the Trustmark Recipient.

3.2 Trustmark Application and Assessment Process

At any time after establishing a TRID with the Trustmark Provider, a Trustmark Recipient may apply for and undergo assessment for one or more trustmarks. To apply for a trustmark, a Trustmark Recipient and the Trustmark Provider shall follow the process outlined herein.

1. The Trustmark Recipient shall identify the appropriate Trustmark Definition describing its desired trustmark. Note that the Trustmark Provider may not be able to offer certain types of trustmarks, due to Trustmark Provider restrictions stipulated in the Trustmark Definition. In addition, the Trustmark Provider may choose not to offer certain types of trustmarks for business reasons.

2. The Trustmark Recipient shall notify the Trustmark Provider of its desire to begin the assessment process for the desired trustmark.

3. The Trustmark Provider shall assign one or more of its staff members to perform the assessment process for the desired trustmark.

4. The Trustmark Recipient and Trustmark Provider assessors shall coordinate as needed to carry out the assessment process for the desired trustmark, taking steps and collecting evidentiary artifacts as stipulated in the appropriate Trustmark Definition. Note that the assessment process may require the Trustmark Provider to engage in various activities with third parties to obtain certain information about or

on behalf of the Trustmark Recipient. In such cases, the Trustmark Provider shall keep the Trustmark Recipient apprised of any actions involving third parties, as well as the results of those actions.

Note that under some circumstances, it may be logistically preferable for multiple trustmark assessments for the same Trustmark Recipient to proceed concurrently. The Trustmark Provider shall make a best-effort attempt to perform such assessments concurrently when circumstances permit.

3.2.1 Assessor Qualifications

As stipulated in [TFTS], a Trustmark Definition may include an "Assessor Qualifications" section that places limitations on who may carry out the trustmark assessment process. In such cases, the Trustmark Provider shall abide by the specified assessor qualifications and assign only those staff members who meet the specified qualifications to perform assessments for that type of trustmark. If the Trustmark Provider does not have any staff members who possess the specified qualifications for a trustmark, then the Trustmark Provider shall not offer that trustmark.

3.2.2 Freshness of Assessment Process Artifacts and Trustmark Period of Validity

As stated in Section 3.3.5, the default period of validity for any trustmark issued by the Trustmark Provider shall be at most three (3) years; however, the Trustmark Provider may choose to issue a trustmark with a shorter period of validity if, by not doing so, it would cause the trustmark to remain valid after one or more evidentiary artifacts collected during that trustmark's assessment process become too "stale" (i.e., too old) to serve as acceptable evidence in support of the trustmark. In general, the Trustmark Provider shall not impose any freshness requirements for a trustmark's assessment process artifacts, unless:

1. The Trustmark Definition for the trustmark explicitly stipulates a freshness requirement, or

2. A particular evidentiary artifact carries an expiration date-time after which it is no longer valid.

3.2.3 Retention of Assessment Process Results and Evidentiary Artifacts

Unless required by law to do otherwise, the Trustmark Provider shall retain all assessment process results and evidentiary artifacts collected as part of the assessment process for any trustmark requested by a Trustmark Recipient, regardless of whether the assessment process resulted in issuance of a trustmark. If the assessment process resulted in the issuance of a trustmark, the Trustmark Provider shall retain assessment process results and evidentiary artifacts collected for a period of at least three (3) years following the expiration of the trustmark. If the assessment process has begun but has not yet been completed and not yet resulted in the issuance of a trustmark, and the Trustmark Provider

has cause to believe that the Trustmark Recipient is no longer interested in obtaining the trustmark, then the Trustmark Provider may delete or destroy assessment process results and evidentiary artifacts collected as part of the assessment process at its discretion. In practice, however, the Trustmark Provider shall make a best-effort attempt to contact the Trustmark Recipient and verify that it no longer wants to obtain the trustmark prior to deleting or destroying any assessment process results or evidentiary artifacts collected during the assessment process.

3.2.4 Protection and Disclosure of Assessment Process Results and Evidentiary Artifacts

Unless required by law to do otherwise, the Trustmark Provider shall protect and treat as private and confidential all assessment process results and evidentiary artifacts collected as part of the assessment process for any trustmark requested by a prospective Trustmark Recipient, and shall not disclose any such information to any third party, regardless of whether the assessment process resulted in issuance of a trustmark.

A Trustmark Recipient may request a copy of the assessment process results and artifacts collected by the Trustmark Provider as part of the assessment process for any trustmark that it has previously requested, regardless of whether the assessment process resulted in issuance of a trustmark. Any such request must be made in writing. The Trustmark Provider shall respond to any such request within 60 days.

3.3 Trustmark Issuance

As stipulated in [TFTS], every Trustmark Definition must specify a formal set of Issuance Criteria that describes what assessment process results are deemed acceptable for trustmark issuance. Following the completion of an assessment for a requested trustmark, if the assessment revealed that the Trustmark Recipient qualifies for issuance of the trustmark as per the Issuance Criteria specified in the appropriate Trustmark Definition, the Trustmark Provider shall issue the trustmark within three (3) business days, or within a time period that is mutually agreed upon by the Trustmark Provider and the Trustmark Recipient. The following subsections describe specific aspects of the trustmark issuance process.

3.3.1 Signing of Trustmarks and Protection of Trustmark Signing Certificates

Each trustmark issued by the Trustmark Provider shall be digitally signed with a Trustmark Signing Certificate, to cryptographically ensure its integrity for the benefit of the Trustmark Recipient and all Trustmark Relying Parties who may rely on the trustmark. To establish and maintain a high degree of confidence in digital signatures on the trustmarks that it issues, the NIEF Center has established a NIEF Trustmark Signing Certificate Policy that governs the management of all Trustmark Signing Certificates maintained and used by Trustmark Providers that comply with the NIEF Trustmark Policy (this document). See [NIEF TSCP] for more information. [NIEF TSCP] is available at the following location.

https://nief.org/policies/nief-trustmark-signing-cp-1.1.pdf

In addition, as noted in [NIEF TSCP], the Trustmark Provider shall publish all of its Trustmark Signing Certificates online at well-known locations (URLs), and it must register those URLs with the NIEF Center.

3.3.2 Conformance of Issued Trustmarks to Trustmark Framework Specifications

All trustmarks issued by the Trustmark Provider shall conform to the normative technical specification for trustmarks as described in [TFTS].

3.3.3 Use of Identifiers in Trustmarks Issued

As stipulated in [TFTS], all trustmarks must contain the following identifiers:

1. A Trustmark Provider Identifier (TPID) that uniquely identifies the Trustmark Provider;

2. A Trustmark Recipient Identifier (TRID) that uniquely identifies the Trustmark Recipient;

3. A Trustmark Identifier that uniquely identifies the trustmark.

As noted in Section 2.1, a Trustmark Provider must establish one or more TPIDs. As per [TFTS], each TPID established by a Trustmark Provider must be a URL that is owned or controlled by the Trustmark Provider. Each trustmark issued by the Trustmark Provider shall contain one of the Trustmark Provider's TPIDs, thereby identifying the Trustmark Provider as the trustmark issuer.

In addition, each trustmark issued by the Trustmark Provider shall contain the TRID that was established between the Trustmark Provider and the Trustmark Recipient prior to trustmark issuance via the process specified in Section 3.1.

Finally, each trustmark issued by the Trustmark Provider shall contain a trustmark identifier that is a sub-path of one of the Trustmark Provider's TPIDs. If any trustmark claims to be issued by the Trustmark Provider, but its identifier is not a sub-path of one of the Trustmark Provider's TPIDs, then the trustmark is invalid, and Trustmark Recipients must not use it and Trustmark Relying Parties must not use it or rely upon it.

3.3.4 Publication of Trustmarks Issued

Each trustmark issued by the Trustmark Provider shall be published online at a publicly accessible URL that matches the trustmark's identifier, unless the Trustmark Recipient requests that the trustmark not be published online; however, Trustmark Recipients are strongly encouraged to permit the Trustmark Provider to publish their trustmarks online,

Page 16: National Identity Exchange Federation (NIEF) Trustmark Policy Version … · NIEF Trustmark Policy Version 1.1 2 Figure 1: The Trustmark Concept Map The following terms and concepts

NIEFTrustmarkPolicy Version1.1

13

asfailingtopublishatrustmarkatapubliclyaccessibleURLthatmatchesitsidentifiercanlead tonumerouspracticalchallenges forTrustmarkRelyingParties thatmayattempt torelyonthetrustmark.3.3.5 PeriodofValidityforTrustmarksIssuedBydefault,everytrustmarkissuedbytheTrustmarkProvidershallexpireafteraperiodofthree (3) years, unless theTD for that trustmark recommends ormandates an alternateperiod of validity, in which case the Trustmark Provider shall comply with the TD’srecommendationormandateasappropriate,orunlesstheTrustmarkProviderchoosestospecify a shorter period of validity due to concerns about assessment process artifactfreshnessasspecifiedinSection3.2.2.ATrustmarkRecipientwishingtoobtainatrustmarkwith a non-standard period of validity may do so by written request to the TrustmarkProviderpriortotheissuanceofthetrustmark.TheTrustmarkProviderreservestherighttodenyanysuchrequestorchooseadifferentperiodofvalidityiftherequestedalternateperiodofvalidityisdeemedtobeunacceptableforanyreason.3.3.6 IssuanceofProvisionalTrustmarkswithDocumentedAssessmentExceptionsIn some cases, and for various reasons, itmaybe desirable for a prospectiveTrustmarkRecipienttoreceiveatrustmarkwithoutmeetingalloftherequirementsforissuanceofthetrustmarkasper the IssuanceCriteria specified in theappropriateTrustmarkDefinition.Toaccommodatesuchcases,theTrustmarkProvidershallmaintainthecapabilitytoissuea Provisional Trustmark to a Trustmark Recipient when circumstances warrant it.Issuance of Provisional Trustmarks by the Trustmark Provider shall be subject to thefollowingrules.

1. The Trustmark Provider shall issue a Provisional Trustmark only undercircumstances in which the assessment process indicates that the prospectiveTrustmarkRecipient(a)meetsthemajorityoftheConformanceCriteriaasspecifiedintheappropriateTrustmarkDefinition,and(b)complieswiththeoverallspiritandintentof theTrustmarkDefinitiondespitenotexplicitly fulfilling theConformanceCriteria,asjudgedbytheassessorwhocarriedouttheassessmentprocess.

2. Each Provisional Trustmark issued by the Trustmark Provider shall contain the following supplemental information: (a) a Boolean indicator denoting that one or more assessment exceptions have been granted to the Trustmark Recipient, and (b) a brief description of each assessment exception granted. This information shall appear within the “Provider Extensions” element of the Provisional Trustmark, and shall be encoded in a format that permits straightforward machine processing of the aforementioned Boolean indicator.

3. Prior to publishing the Provisional Trustmark with the aforementioned supplemental information, the Trustmark Provider shall secure written permission from the prospective Trustmark Recipient to include this information in the trustmark. If the prospective Trustmark Recipient refuses to allow the inclusion of this supplemental information within the Provisional Trustmark, then the Trustmark Provider shall not issue the Provisional Trustmark.

4. Each Provisional Trustmark issued by the Trustmark Provider shall carry a period of validity no greater than six (6) months.

4 The Trustmark Lifecycle

As specified in [TFTS], after a trustmark has been issued, it always exists in one of three states throughout its lifecycle. Those states are:

1. “ACTIVE”,

2. “EXPIRED”, and

3. “REVOKED”.

Logically, if a trustmark has been issued, has not yet expired, and has not yet been revoked, then it is active. Once it has expired or been revoked, a trustmark can never return to an active state. The following subsections discuss the various states of the trustmark lifecycle.

4.1 Trustmark Issuance

[TFTS] specifies a set of trustmark issuance prerequisites and requirements. The Trustmark Provider shall comply with all such trustmark issuance prerequisites, and all trustmarks issued by the Trustmark Provider shall conform to the trustmark issuance requirements. See Section 3.3 for information about the trustmark issuance process.

4.2 Trustmark Usage and Terms of Acceptable Use

Prior to using or relying upon a trustmark issued by the Trustmark Provider, both the Trustmark Recipient and the Trustmark Relying Party must perform a series of operations to ensure that the trustmark is valid and that the intended usage of it or reliance upon it falls within the trustmark’s Scope of Applicability. Sections 4.2.1 and 4.2.2 address each of these topics in turn. Section 4.2.3 addresses the more advanced topic of binding trustmarks to service endpoints.

4.2.1 Trustmark Validity

Verification of the validity of a trustmark issued by the Trustmark Provider requires the following steps.


1. Verification of the Trustmark’s Digital Signature: Verify that the digital signature on the trustmark is cryptographically consistent with the trustmark’s contents.

2. Verification of the Trustmark Signing Certificate’s Common Name: Verify that the Trustmark Signing Certificate used to sign the trustmark contains the appropriate Common Name, as specified in [NIEF TSCP].

3. Verification of the Trustmark Signing Certificate’s Status: Verify that the Trustmark Signing Certificate used to sign the trustmark has not expired or been revoked.

4. Verification of the Trustmark Provider Identifier: Verify that the Trustmark Provider Identifier (TPID) on the trustmark is consistent with one of the Trustmark Provider’s TPIDs.

5. Verification of the Trustmark’s Identifier: Verify that the trustmark’s identifier is a sub-path of one of the Trustmark Provider’s TPIDs. Note that both a TPID and a trustmark identifier must always be a valid URL.

6. Verification of Trustmark Non-Expiration: Verify, via the expiration date-time on the trustmark, that the trustmark is not yet expired.

7. Verification of Trustmark Non-Revocation: Verify, through the Trustmark Status Report at the trustmark’s Status URL, that the trustmark has not been revoked. Section 4.3 contains more information about trustmark status checking.

If any of the above verification steps results in failure, then the trustmark is invalid. A Trustmark Recipient must not use an invalid trustmark or make any representations indicating that the trustmark is valid. Also, a Trustmark Relying Party must not use or rely upon an invalid trustmark as the basis for making trust or interoperability decisions. Both the Trustmark Recipient and the Trustmark Relying Party shall bear any and all losses or legal consequences that may arise due to their failure to comply with these requirements.

4.2.2 Scope of Trustmark Applicability

In addition to verifying a trustmark’s validity, entities that use or rely upon a trustmark issued by the Trustmark Provider must respect the trustmark’s Scope of Applicability, as follows.

1. Verification of Proper Organizational Scope via the Trustmark Recipient Identifier: Verify that the Trustmark Recipient Identifier (TRID) matches and/or logically corresponds to a known URL for the entity about which the trustmark was (or is assumed to have been) issued, and for which the trustmark conveys trust. For example, when choosing whether to trust an entity associated with the URL http://example.com/, or services offered at endpoints at sub-paths or sub-domains of example.com, the entity making the trust decision should verify that all trustmarks to be relied upon contain a TRID of http://example.com/ or something similar, e.g., an appropriate subdomain of http://example.com/.

2. Verification of Proper Operational Scope via the Trustmark Definition: Verify that the purpose for which the trustmark will be used, or the purpose for which it will be relied upon, is consistent with the trustmark’s meaning and intended usage as per its Trustmark Definition. For example, when choosing whether to trust a service endpoint for a SAML Identity Provider, the entity making the trust decision should verify that all trustmarks to be relied upon are logically appropriate for a SAML Identity Provider endpoint.

If any of the above verification steps results in failure, then the intended usage of the trustmark is outside its Scope of Applicability. A Trustmark Recipient must not use a trustmark, and a Trustmark Relying Party must not use or rely upon a trustmark, except in accordance with the trustmark’s Scope of Applicability. Both the Trustmark Recipient and the Trustmark Relying Party shall bear any and all losses or legal consequences that may arise due to their failure to comply with these requirements.

4.2.3 Binding of Trustmarks to Operational Service Endpoints

While it is possible to use and rely upon a trustmark in a variety of ways, one common way to use a trustmark is to bind it to one or more service endpoints operated by the Trustmark Recipient. Binding of trustmarks to service endpoints may be performed by various types of entities, including the Trustmark Recipient itself, a federation operator, or a registry operator. The binding of trustmarks to a service endpoint enables users of the endpoint to make trust and interoperability decisions about the endpoint based on the trustmarks bound to it. Accordingly, the Trustmark Provider permits the trustmarks that it issues to be bound to service endpoints, under the following conditions.

1. The binding must fall within the trustmark’s Scope of Applicability (see Section 4.2.2).

2. Any entity that binds a trustmark to a service endpoint shall be considered a Trustmark Relying Party, and is subject to the Trustmark Relying Party Agreement associated with the trustmark for the duration of the trustmark’s binding to the service endpoint.

3. If an entity chooses to rely upon a trustmark for the purpose of making trust or interoperability decisions about a service endpoint to which the trustmark is bound, then in addition to acting as a Trustmark Relying Party for the trustmark, that entity is also responsible for performing any necessary due diligence to confirm that the binding of the trustmark to the service endpoint falls within the trustmark’s Scope of Applicability.


4.3 Trustmark Status Checking

In accordance with [TFTS], for each trustmark that it issues, the Trustmark Provider shall publish a Trustmark Status Report at a publicly accessible URL that matches the Status URL field in the trustmark. The Trustmark Status Report shall indicate whether the trustmark is still active, expired, or revoked.

The Status URL for all trustmarks issued by the Trustmark Provider shall be a sub-path of one of the Trustmark Provider’s TPIDs. If any trustmark claims to be issued by the Trustmark Provider, but its Status URL is not a sub-path of one of the Trustmark Provider’s TPIDs, then the trustmark is invalid, and Trustmark Relying Parties must not use it or rely upon it.

If a trustmark expires or becomes revoked, and another trustmark or set of trustmarks has been issued by the Trustmark Provider to supersede the expired or revoked trustmark, the Trustmark Status Report for the expired or revoked trustmark shall indicate the superseding trustmark(s) via the one or more “Superseder” fields, in accordance with [TFTS]. Indication of superseding trustmarks can be useful for continuity of trustmark-based trust in cases where a Trustmark Relying Party was not previously aware of a change in the status of a trustmark, e.g., if a trustmark has been revoked and subsequently replaced with a new trustmark that conveys the same meaning as the revoked trustmark.

A Trustmark Relying Party for the trustmark may query the trustmark’s Status URL as needed to check whether the trustmark’s status has changed. When querying the trustmark’s Status URL, a Trustmark Relying Party should verify that the TLS certificate used to protect the Status URL is valid and not revoked.[2] The Trustmark Provider shall use only TLS certificates issued by Certificate Authorities that appear in popular web browsers, or Certificate Authorities that have a chain of trust to other Certificate Authorities that appear in popular web browsers. Trustmark Relying Parties can therefore perform TLS certificate verification using standard Public Key Infrastructure trust chain verification techniques.

4.4 Trustmark Expiration

In accordance with [TFTS], every trustmark issued by the Trustmark Provider shall specify its expiration date-time. A trustmark expires immediately when its expiration date-time has passed. After the trustmark has expired, the Trustmark Provider shall no longer uphold or stand by any promises, representations, or warranties made in connection with the issuance of the trustmark.

[2] TLS certificate status checking is recommended for additional security, because the Trustmark Provider is not required to attach digital signatures to the Trustmark Status Reports that it publishes.
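The checks of Sections 4.2.1, 4.2.2 and 4.3 above, worked as an added example (this is not code from NIEF, GTRI or the Trustmark Framework): a relying-party routine that applies steps 4 through 7 of Section 4.2.1, the TRID and Trustmark Definition scope checks of Section 4.2.2, and the Status URL rule of Section 4.3 to a constructed trustmark. The provider TPID, the trustmark records, the Trustmark Definition identifier and the status reports are all assumptions made for the example; the digital signature and signing-certificate checks (steps 1 to 3) are delegated to a caller-supplied verifier, because the signature profile and the Common Name rules live in [TFTS] and [NIEF TSCP] and are not specified on this page. The point a practitioner should take from it is that "sub-path of a TPID" has to be decided on the parsed scheme, host, port and normalized path rather than on a string prefix, which is what separates https://tp.example.org/ from https://tp.example.org.evil.net/.

```python
"""Relying-party checks after NIEF Trustmark Policy 4.2.1, 4.2.2 and 4.3.
Added example, not NIEF/GTRI code; every URL and record below is constructed."""
import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

PROVIDER_TPIDS = ("https://tp.example.org/",)   # hypothetical Trustmark Provider

@dataclass
class Trustmark:
    identifier: str      # must be a sub-path of a TPID (4.2.1 step 5)
    tpid: str            # Trustmark Provider Identifier (step 4)
    trid: str            # Trustmark Recipient Identifier (4.2.2 item 1)
    td_id: str           # Trustmark Definition identifier (4.2.2 item 2)
    status_url: str      # must be a sub-path of a TPID (4.3)
    expires: datetime    # expiration date-time (step 6, 4.4)

@dataclass
class StatusReport:
    status: str                # "ACTIVE", "EXPIRED" or "REVOKED"
    supersederts: tuple = ()   # Superseder identifiers (4.3)

def _norm_path(path: str) -> str:
    """Collapse '.'/'..' and force a trailing slash so '/a' is not a prefix of '/ab'."""
    p = posixpath.normpath(path or "/")
    return p if p.endswith("/") else p + "/"

def _authority(u):
    """(scheme, host, effective port), or None if not a usable http(s) URL."""
    try:
        if u.scheme not in ("http", "https") or not u.hostname:
            return None
        port = u.port or (443 if u.scheme == "https" else 80)
    except ValueError:        # malformed port
        return None
    return (u.scheme, u.hostname.lower(), port)

def is_subpath(base: str, candidate: str) -> bool:
    """True if candidate equals base or lies below its path. Compares the parsed authority
    and normalized path, not raw prefixes: tp.example.org.evil.net is not tp.example.org."""
    b, c = urlsplit(base), urlsplit(candidate)
    ab = _authority(b)
    return ab is not None and ab == _authority(c) and _norm_path(c.path).startswith(_norm_path(b.path))

def validate(tm: Trustmark, now: datetime, verify_sig, fetch_status, tpids=PROVIDER_TPIDS) -> list:
    """Run the 4.2.1 steps; returns the failed steps, so [] means valid. verify_sig(tm) stands in
    for steps 1-3 (signature, signing-certificate CN and status), profiled by [TFTS]/[NIEF TSCP]."""
    failures = []
    if not verify_sig(tm):
        failures.append("signature-or-certificate")
    if tm.tpid not in tpids:                                    # step 4
        failures.append("tpid")
    if not any(is_subpath(t, tm.identifier) for t in tpids):   # step 5
        failures.append("identifier")
    if now >= tm.expires:                                       # step 6 (4.4)
        failures.append("expired")
    # Step 7, applying 4.3 first: a Status URL outside every TPID makes the trustmark
    # invalid outright, and an attacker-chosen URL is never fetched.
    if not any(is_subpath(t, tm.status_url) for t in tpids):
        failures.append("status-url")
    elif (report := fetch_status(tm.status_url)) is None:
        failures.append("status-unavailable")
    elif report.status != "ACTIVE":
        failures.append("status-" + report.status.lower())
    return failures

def trid_covers(trid: str, entity_url: str) -> bool:
    """4.2.2 item 1: TRID http://example.com/ covers that host, its sub-paths and sub-domains."""
    t, e = urlsplit(trid), urlsplit(entity_url)
    th, eh = (t.hostname or "").lower(), (e.hostname or "").lower()
    if not th or not eh:
        return False
    if eh == th:
        return _norm_path(e.path).startswith(_norm_path(t.path))
    return eh.endswith("." + th)

def in_scope(tm: Trustmark, entity_url: str, acceptable_tds: set) -> bool:
    """Both 4.2.2 checks: organizational scope via TRID, operational scope via the TD."""
    return trid_covers(tm.trid, entity_url) and tm.td_id in acceptable_tds

NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)   # constructed sample data from here on
TD_SAML_IDP = "https://td.example.org/saml-idp/1.0"
STATUS_REPORTS = {   # stands in for an HTTPS fetch of each Status URL
    "https://tp.example.org/status/tm-1": StatusReport("ACTIVE"),
    "https://tp.example.org/status/tm-2": StatusReport("REVOKED", ("https://tp.example.org/trustmarks/tm-3",)),
}
GOOD = Trustmark("https://tp.example.org/trustmarks/tm-1", "https://tp.example.org/", "http://example.com/",
                 TD_SAML_IDP, "https://tp.example.org/status/tm-1", datetime(2019, 1, 1, tzinfo=timezone.utc))
# Passes a naive string-prefix test against the TPID but is not under it.
SPOOFED = Trustmark("https://tp.example.org.evil.net/trustmarks/tm-1", "https://tp.example.org/",
                    "http://example.com/", TD_SAML_IDP, "https://tp.example.org.evil.net/status/tm-1",
                    datetime(2019, 1, 1, tzinfo=timezone.utc))

def check(tm: Trustmark, entity_url="https://idp.example.com/saml", now=NOW):
    """Full relying-party decision: (validity failures, in-scope verdict)."""
    failures = validate(tm, now, lambda _t: True, STATUS_REPORTS.get)   # accept-all signature stub
    return failures, in_scope(tm, entity_url, {TD_SAML_IDP})
```

check(GOOD) returns ([], True); check(SPOOFED) returns (['identifier', 'status-url'], True), and because the Status URL fails the Section 4.3 rule it is never fetched. A real deployment replaces STATUS_REPORTS.get with an HTTPS fetch that validates the server's certificate chain and revocation status, as footnote 2 recommends, since the Status Report itself need not be signed; the accept-all signature stub likewise has to be replaced by an XML signature check against the Trustmark Signing Certificate.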


4.5 Trustmark Revocation

By revoking a trustmark, the Trustmark Provider is effectively indicating to the Trustmark Recipient and all Trustmark Relying Parties that the trustmark is no longer valid for some reason. The following subsections describe how trustmark revocation works for trustmarks issued by the Trustmark Provider.

4.5.1 Conditions for Revocation

As specified in [TFTS], if at any time following the issuance of a trustmark and prior to the trustmark’s expiration, the Trustmark Recipient no longer complies with one or more of the conformance criteria specified for the trustmark by its Trustmark Definition, then the trustmark shall be immediately considered invalid and must be revoked. The Trustmark Recipient must notify the Trustmark Provider immediately upon learning of any conditions that invalidate the trustmark. In the event that the Trustmark Recipient fails to immediately notify the Trustmark Provider of any such condition, the Trustmark Recipient shall bear the legal consequences of this failure.

In addition, if at any time following the issuance of a trustmark and prior to the trustmark’s expiration, any of the trustmark’s Trustmark Revocation Criteria are met, the trustmark shall be immediately considered invalid and must be revoked. Trustmark Revocation Criteria are an optional component of a Trustmark Definition, as specified in [TFTS]. The Trustmark Recipient must notify the Trustmark Provider immediately upon learning that any Trustmark Revocation Criteria have been met. In the event that the Trustmark Recipient fails to immediately notify the Trustmark Provider of any such condition, the Trustmark Recipient shall bear the legal consequences of this failure.

Finally, if at any time following the issuance of a trustmark and prior to the trustmark’s expiration, the Trustmark Recipient Agreement between the Trustmark Provider and the Trustmark Recipient becomes void for any reason, then the trustmark shall be immediately considered invalid and must be revoked.

In the event of a trustmark revocation, the Trustmark Recipient may seek issuance of a new trustmark in place of the revoked trustmark by first remedying the violated conformance criteria, and then undergoing a new assessment process as specified in Section 4.6.

4.5.2 Revocation Process

Upon learning that a trustmark has become invalid, the Trustmark Provider shall revoke the trustmark within 24 hours. The Trustmark Provider shall perform the revocation by updating the Trustmark Status Report for the revoked trustmark as appropriate to indicate that the trustmark has been revoked.

4.5.3 Notification of Revocation to Trustmark Relying Parties


Upon revocation of a trustmark by the Trustmark Provider, the Trustmark Recipient must immediately discontinue the use of the trustmark. In addition, the Trustmark Recipient should immediately notify any Trustmark Relying Party that relies upon the revoked trustmark, and the Trustmark Recipient must make a best-effort attempt to avoid engaging in any business transactions with a Trustmark Relying Party that is relying upon the revoked trustmark.

The Trustmark Provider is not responsible for any damages that may result from the use of or reliance upon a revoked trustmark. Also, because the Trustmark Provider cannot know with certainty all Trustmark Relying Parties for a trustmark that it issues, the Trustmark Provider is not responsible for notifying Trustmark Relying Parties of a trustmark revocation event, other than via the revocation process described in Section 4.5.2.

4.6 Trustmark Renewal and Reissuance

The trustmark lifecycle process does not permit the renewal or reissuance of trustmarks that have expired or been revoked. A Trustmark Recipient may seek issuance of a new trustmark in place of an expired or revoked trustmark; however, issuance of a new trustmark requires a new assessment as per the assessment process specified in the appropriate Trustmark Definition. Note that, if not explicitly prohibited under the appropriate Trustmark Definition and if deemed appropriate by the Trustmark Provider, the Trustmark Provider may leverage artifacts collected during a prior trustmark assessment when performing a new assessment for the same type of trustmark.

5 Trustmark Technical Support Services

The Trustmark Provider shall provide at least a minimum level of basic, best-effort technical support to Trustmark Recipients and Trustmark Relying Parties that want to use or rely upon the trustmarks that it has issued.