In the context of this chapter, a policy is a published statement describing any or all of infrastructure, community, participants, methods, obligations, requirements, jurisdictions, etc., sufficient for a participant to determine the trustworthiness of the publisher. For example, a federation of identity providers (a special case of the hub in section 3) may have a policy that all users shall have individual identity tokens (i.e. tokens must not be shared). Some identity providers (i.e. token issuers) within the federation may further require that the tokens carry a reasonable resemblance of the token owner’s name. The policy of the federation, and possibly the individual providers, should be sufficient for a resource provider to determine the LoA (see above) of the federation and whether it is sufficient; possibly they will accept tokens only from the providers that issue named tokens. Of course, it is necessary that a participant with a policy follow the policy – an audit may be required to assuage the resource provider.
Learn more in:
Security and Trust in a Global Research Infrastructure