Page tree
  • remote Authentication/Authorization providers [RAP]
    • definition: AAI-like service providers that a DESY service trusts for validation of remote users or services for granting access to resources
    • e.e., AAI, token clients/endpoints
  • security incidents at RAPs or their downstream institutions have to be communicated without culpable delay to DESY service operators and within four hours during workdays
  • a RAP has to provide a contact address or ticket system entry point
  • if a RAP's downtime institution is compromised, the RAP is assumed to be compromised
    • if a RAP is compromised or a RAP's downstream institution is compromised, the RAP is excluded and further access is denied for all clients with credentials derived from the RAP
    • a RAP, excluded due to compromised security of itself or a downstream institution, is trusted and accepted again for authentication or authorization after the affected RAP has send to DESY service operators an acknowledgment, that the security incident has been resolved.
  • No labels