- remote Authentication/Authorization providers [RAP]
- definition: AAI-like service providers that a DESY service trusts for validation of remote users or services for granting access to resources
- e.e., AAI, token clients/endpoints
- security incidents at RAPs or their downstream institutions have to be communicated without culpable delay to DESY service operators and within four hours during workdays
- a RAP has to provide a contact address or ticket system entry point
- if a RAP's downtime institution is compromised, the RAP is assumed to be compromised
- if a RAP is compromised or a RAP's downstream institution is compromised, the RAP is excluded and further access is denied for all clients with credentials derived from the RAP
- a RAP, excluded due to compromised security of itself or a downstream institution, is trusted and accepted again for authentication or authorization after the affected RAP has send to DESY service operators an acknowledgment, that the security incident has been resolved.