FAL2 Compliance - Considering the processing of xAL's in this spec

[amonika230995]

The FAL specifies processing xAL's at RP end. From security perspective I feel this is a good requirement for sensitive RPs. https://pages.nist.gov/800-63-4/sp800-63c/fal/#request-xals. We should maybe specify it as a SHALL for common requirements spec.

[deansaxe]

As a WG we decided to pull in the security controls that we believe can be implemented by identity services and applications that align with FAL2. This includes issues such as no IdP initiated SSO (e.g. unsolicited assertions) and the use of unique global identifiers by apps. The WG does not intend to deliver a profile that meets or exceeds any specific NIST guidance, however, we do want to use good security guidance from NIST SP800-63.

You can find the past discussions in the IPSIE Wiki which has our meeting notes.

All of our FAL2 issues are here if you'd like to review them.

[deansaxe]

Closing with no actions to be taken.