Sirtfi: a security incident response trust framework for federated identity

The Sirtfi trust framework can enable a coordinated response to a security incident in a federated context that does not depend on a centralised authority or governance structure to assign roles and responsibilities for doing so. It lists a number of good practices around Operational Security, Incident Response, Traceability and Participant Responsibilities that an entity must conform to.

Sirtfi compliance has become an essential requirement to access some research infrastructure providers such as CERN, LIGO and CIlogon and we encourage entity owners to explore adding the entity attribute to their registration with the UK federation.

Please Note: the UK federation support team do not verify Sirtfi compliance - we add the appropriate elements to the entity's metadata on request.

Prerequisites

Entity operators should be familiar with the Sirtfi v1.0 Framework before contacting the helpdesk. Additional information is on the Sirtfi wiki and REFEDS Sirtfi page.

How do I show that my entity follows Sirtfi?

• Send an email to the UK federation service desk, at service@ukfederation.org.uk requesting that the Sirtfi entity attribute be added to your entity's registration.

What must be in the request?

• The request MUST include an entityID for a registered entity (or be part of a registration request).
• The request MUST be emailed to us by an appropriate person. In the case of an existing entity, this would be the administrative contact for the entity or Management Contact for the organization. New registration requests must always come from an organization's Management Contact. (A description of the various roles is available here.)
• The request MUST include a claim that the entity has passed a self-assessment of Sirtfi v1.0
• One or more security contacts MUST be provided. These are the point of contact to request a security incident response, and can be service functions such as "Security Operations" or individuals' email addresses. If you choose a mailing list or alias, you must ensure that emails can be sent to this address from outside your organisation. These contact details are published in metadata. See the Sirtfi wiki for information on how to choose a security contact.
• Please note: if you have more than one entity for which you wish to indicate Sirtfi compliance, you MUST make a separate request for each one.

What happens next?

The UK federation support team will review your request. When we have ensured that all is in order, we will add the Sirtfi entity attribute and security contact details to your entity's registration in accordance with the Sirtfi Identity Assurance Certification Description.