Baseline Expectations test procedures (one record per BE number; fields follow the table columns)

Columns: BE Number | Description | Automated Test Procedure | Non-automated Test Procedure | Expected Result | Test Frequency | Action upon Failure | Grace Period | Recourse after Grace Period | Notes
IdP 1
- Description: Operated with organizational-level authority
- Automated Test Procedure: Email to SAs requesting annual attestation. Parallel but separate message to InC Exec.
- Non-automated Test Procedure: Notice to new InC Exec when they initially onboard.
- Expected Result: Attestation received, either:
  1: All contacts are correct, all entity issues are being addressed.
  2: ACKing your message, but we have work to do/may need your help.
- Test Frequency: Yearly
- Action upon Failure: Try to reach out/solve at the lowest level. Temporary email bounce: retry. Permanent bounce: contact organization. No bounce, no response after N tries: contact organization. Summary: make a deliberate attempt to contact the organization and prompt a response.
- Grace Period: 2 months to respond to email
- Recourse after Grace Period: Service Management process
- Notes: Enhance existing Service Management procedures to address.
IdP 2
- Description: Trusted enough to be used to access the organization's own systems
- Automated Test Procedure: InC Exec annual attestation.
- Non-automated Test Procedure: Notice to new InC Exec when they initially onboard.
- Test Frequency: Yearly
- Action upon Failure: Try to reach out/solve at the lowest level. Temporary email bounce: retry. Permanent bounce: contact organization. No bounce, no response after N tries: contact organization. Summary: make a deliberate attempt to contact the organization and prompt a response.
- Grace Period: 1 month to respond to email
- Recourse after Grace Period: Service Management process
IdP 3.1
- Description: Complies with SIRTFI v1.0
- Automated Test Procedure: Automate a check of the Sirtfi entity attribute. Sirtfi is required for all new entities; can be checked with the annual Security Contact check.
- Non-automated Test Procedure: Self-reported, or another entity reports to CTAB (incidental discovery).
- Expected Result:
  - email: response accepts everything we said.
  - entity attribute: it is there.
  - security contact: acknowledged in response to the email.
- Test Frequency: Annual
- Action upon Failure: Failure = annual email goes without reply before the end of the email cycle period. In that case, CTAB dispute procedure process.
- Grace Period: 1 month to respond to email
- Recourse after Grace Period: CTAB dispute procedure process
- Notes: Security contact email (per entity) should remind them that their entity is marked Sirtfi compliant, and ask if that's still true.
IdP 3.2
- Description: Endpoints secured with current and trustworthy transport layer encryption
- Automated Test Procedure: Scan endpoints using SSLLabs or equivalent.
- Non-automated Test Procedure: (alternative here?)
- Expected Result: SSLLabs score of A or better, or equivalent.
- Test Frequency: Annual
- Action upon Failure: Lower than A or unscannable: reach out to operator, coordinate mitigation strategy and timeline. Mitigation should be made within 1 year.
- Grace Period: 1 year
- Recourse after Grace Period: CTAB dispute procedure process
IdP 4
- Description: Metadata is accurate and complete, including site contact information. No procedure at this level ("--"); tested per metadata element in the sub-rows below.

IdP 4 - Technical contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 4 - Administrative contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 4 - Security contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 4 - Display name
- Automated Test Procedure: Parse metadata for relevant string(s).
- Non-automated Test Procedure: (Already done by JWK's group when IdP metadata is first created.)
- Expected Result: Metadata string exists and provides a reasonable display name.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 4 - Logo URL
- Automated Test Procedure: Parse metadata for relevant string(s) and check that it points to a URL that returns a reasonable response code (e.g. 200 OK).
- Non-automated Test Procedure: -
- Expected Result: Metadata string exists, URL resolves, a suitably sized image resides there.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 4 - Privacy policy URL
- Automated Test Procedure: Parse metadata for relevant string(s) and check that it points to a URL that returns a reasonable response code (e.g. 200 OK).
- Non-automated Test Procedure: -
- Expected Result: Metadata string exists, URL resolves, a document resides there.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

IdP 5
- Description: Includes a current errorURL
- Automated Test Procedure: Parse metadata for relevant string(s) and check that it points to a URL that returns a reasonable response code (e.g. 200 OK).
- Non-automated Test Procedure: -
- Expected Result: Metadata string exists, URL resolves, an HTML document resides there.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.
SP 1
- Description: Controls are in place to reasonably secure information and maintain user privacy.
- Automated Test Procedure: Email to SAs requesting annual attestation. Parallel but separate message to InC Exec.
- Non-automated Test Procedure: Notice to new InC Exec when they initially onboard.
- Expected Result: Attestation received, either:
  1: All contacts are correct, all entity issues are being addressed.
  2: ACKing your message, but we have work to do/may need your help.
- Test Frequency: Yearly
- Action upon Failure: Try to reach out/solve at the lowest level. Temporary email bounce: retry. Permanent bounce: contact organization. No bounce, no response after N tries: contact organization. Summary: make a deliberate attempt to contact the organization and prompt a response.
- Grace Period: 2 months to respond to email
- Recourse after Grace Period: Service Management process
SP 2
- Description: Information received from IdPs is not shared with third parties without permission and is stored only when necessary for the SP's purpose.
- Automated Test Procedure: Email to SAs requesting annual attestation. Parallel but separate message to InC Exec.
- Non-automated Test Procedure: Notice to new InC Exec when they initially onboard.
- Expected Result: Attestation received, either:
  1: All contacts are correct, all entity issues are being addressed.
  2: ACKing your message, but we have work to do/may need your help.
- Test Frequency: Yearly
- Action upon Failure: Try to reach out/solve at the lowest level. Temporary email bounce: retry. Permanent bounce: contact organization. No bounce, no response after N tries: contact organization. Summary: make a deliberate attempt to contact the organization and prompt a response.
- Grace Period: 2 months to respond to email
- Recourse after Grace Period: Service Management process
- Notes: Discuss in CTAB whether we can go beyond attestation.
SP 3.1
- Description: The SP complies with the requirements of the REFEDS SIRTFI v1.0.
- Automated Test Procedure: Automate a check of the Sirtfi entity attribute. Sirtfi is required for all new entities; can be checked with the annual Security Contact check.
- Non-automated Test Procedure: Self-reported, or another entity reports to CTAB (incidental discovery).
- Expected Result:
  - email: response accepts everything we said.
  - entity attribute: it is there.
  - security contact: acknowledged in response to the email.
- Test Frequency: Annual
- Action upon Failure: Failure = annual email goes without reply before the end of the email cycle period. In that case, CTAB dispute procedure process.
- Grace Period: 1 month to respond to email
- Recourse after Grace Period: CTAB dispute procedure process
- Notes: Security contact email (per entity) should remind them that their entity is marked Sirtfi compliant, and ask if that's still true.
SP 3.2
- Description: All SP service endpoints are secured with current and trustworthy transport layer encryption.
- Automated Test Procedure: Scan endpoints using SSLLabs or equivalent.
- Non-automated Test Procedure: (alternative here?)
- Expected Result: SSLLabs score of A or better, or equivalent.
- Test Frequency: Annual
- Action upon Failure: Lower than A or unscannable: reach out to operator, coordinate mitigation strategy and timeline. Mitigation should be made within 1 year.
- Grace Period: 1 year
- Recourse after Grace Period: CTAB dispute procedure process
SP 4
- Description: The SP's published metadata is accurate and complete. No procedure at this level ("--"); tested per metadata element in the sub-rows below.

SP 4 - Technical contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

SP 4 - Administrative contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

SP 4 - Security contact
- Automated Test Procedure: Periodic email sent to contact with appropriate body and link to click.
- Non-automated Test Procedure: -
- Expected Result: Link clicked.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

SP 4 - Display name
- Automated Test Procedure: Parse metadata for relevant string(s).
- Non-automated Test Procedure: (Already done by JWK's group when IdP metadata is first created.)
- Expected Result: Metadata string exists and provides a reasonable display name.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

SP 4 - Logo URL
- Automated Test Procedure: Parse metadata for relevant string(s) and check that it points to a URL that returns a reasonable response code (e.g. 200 OK).
- Non-automated Test Procedure: -
- Expected Result: Metadata string exists, URL resolves, a suitably sized image resides there.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.

SP 4 - Privacy policy URL
- Automated Test Procedure: Parse metadata for relevant string(s) and check that it points to a URL that returns a reasonable response code (e.g. 200 OK).
- Non-automated Test Procedure: -
- Expected Result: Metadata string exists, URL resolves, a document resides there.
- Test Frequency: Semi-annually
- Action upon Failure: Email to Exec & SA: might want to check up on this.
- Grace Period: N/A. Covered in annual attestation.
- Recourse after Grace Period: N/A. Covered in annual attestation.
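The automated metadata checks in IdP 3.1/4/5 and SP 3.1/4 (Sirtfi entity attribute, the three contacts, display name, logo URL, privacy policy URL, errorURL) can be run statically over one entity's SAML metadata before any live URL fetch. The following is an added example, not a tool from this document or from InCommon; it assumes the standard REFEDS Sirtfi entity-attribute value and REFEDS security-contact marker, and the sample entity is constructed.

```python
# Added example: static checks over one entity's SAML metadata for the items the table
# tests. The live HTTP fetch (200 OK) is out of scope; URLs are only checked for https.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
SIRTFI = "https://refeds.org/sirtfi"  # REFEDS Sirtfi entity-attribute value
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SEC_ATTR, SEC_TYPE = "{http://refeds.org/metadata}contactType", "http://refeds.org/metadata/contactType/security"

def _https(url):  # present, absolute and https
    p = urlparse((url or "").strip())
    return p.scheme == "https" and bool(p.netloc)

def check_entity(xml_text):
    """Return {check: bool} for one EntityDescriptor; error_url is None for SPs (IdP-only BE)."""
    ent = ET.fromstring(xml_text)
    certs = [v.text.strip() for v in ent.findall(
        f"md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='{ASSURANCE}']/saml:AttributeValue", NS) if v.text]
    contacts = [c for c in ent.findall("md:ContactPerson", NS) if c.find("md:EmailAddress", NS) is not None]
    is_idp = ent.find("md:IDPSSODescriptor", NS) is not None
    role = ent.find("md:IDPSSODescriptor" if is_idp else "md:SPSSODescriptor", NS)
    ui = role.find("md:Extensions/mdui:UIInfo", NS) if role is not None else None
    ui = ui if ui is not None else ET.Element("none")  # missing UIInfo: every MDUI lookup fails
    logo = ui.find("mdui:Logo", NS)
    return {
        "sirtfi_attribute": SIRTFI in certs,
        "technical_contact": any(c.get("contactType") == "technical" for c in contacts),
        "administrative_contact": any(c.get("contactType") == "administrative" for c in contacts),
        "security_contact": any(c.get(SEC_ATTR) == SEC_TYPE for c in contacts),
        "display_name": bool(ui.findtext("mdui:DisplayName", default="", namespaces=NS).strip()),
        "logo_url": logo is not None and _https(logo.text) and logo.get("height") is not None,
        "privacy_url": _https(ui.findtext("mdui:PrivacyStatementURL", default="", namespaces=NS)),
        "error_url": _https(role.get("errorURL")) if is_idp else None,
    }

# Constructed sample (not a real entity): Sirtfi-tagged IdP that lacks an administrative contact.
SAMPLE = """<md:EntityDescriptor entityID="https://idp.example.edu/idp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:remd="http://refeds.org/metadata">
 <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
 <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:IDPSSODescriptor errorURL="https://idp.example.edu/help" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
 <mdui:Logo height="60" width="80">https://idp.example.edu/logo.png</mdui:Logo>
 <mdui:PrivacyStatementURL xml:lang="en">https://idp.example.edu/privacy</mdui:PrivacyStatementURL></mdui:UIInfo></md:Extensions></md:IDPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:tech@example.edu</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
 <md:EmailAddress>mailto:security@example.edu</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>"""
```

Running `check_entity(SAMPLE)` flags only the missing administrative contact; feeding the same function an SP descriptor yields `error_url` = None, since that expectation applies to IdPs only.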
SP 5
- Description: Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly.
- Automated Test Procedure: Email to SAs requesting annual attestation. Parallel but separate message to InC Exec.
- Non-automated Test Procedure: Notice to new InC Exec when they initially onboard.
- Expected Result: Attestation received, either:
  1: All contacts are correct, all entity issues are being addressed.
  2: ACKing your message, but we have work to do/may need your help.
- Test Frequency: Yearly
- Action upon Failure: Try to reach out/solve at the lowest level. Temporary email bounce: retry. Permanent bounce: contact organization. No bounce, no response after N tries: contact organization. Summary: make a deliberate attempt to contact the organization and prompt a response.
- Grace Period: 2 months to respond to email
- Recourse after Grace Period: Service Management process
- Notes: Discuss in CTAB whether we can go beyond attestation.