BRP: Business Rules and Processes Workgroup Rule Set for EAP

1
BRP Business Rules and Processes WorkgroupRule
Set for EAP

• Feb 12 Liability is the major issue that must
  be addressed for the EAP to be
  successful
• April 8 Gain agreement on general terms through
  consideration of Terms Sheet where basic
  components are outlined at a high level

2
Framework Requirements

• Common rules and processes are needed so that RPs
  and CSPs have consistent operational model
• CSPs will have business models that may vary from
  provider to provider, including pricing and
  customer service hours
• Relying parties need clear understanding of their
  rights and processes in the event of problems and
  those must be consistent
• Accreditation rules and processes supplement the
  full rules in some places we will need to
  coordinate process and assumptions between these
  workgroups
• EAP rules do not cover the entire scope of
  identity-based transactions, therefore other
  rules sets or bi-lateral agreements may be used
  in conjunction with EAP rules
• transaction EAP authentication roles/rules
  authorization biz rqmts

3
Framework Approach

• EAP Rules are the basic rules for the
  relationship between RPs and CSPs
• CSPs may submit supplemental rules
• To cover pricing, customer service, performance
  criteria, and some aspects of dispute resolution
• These supplements must be consistent with basic
  EAP rules
• These supplements must approved by the EAP
• All RPs will have access to these rules for
  consideration before they begin accepting
  credentials

• CSP 1
• hours

CSPn
Base Rules
Rule Set

• CSP 2
• hours

4
Framework Content
5
Liability General Terms

• EAP itself is not liable under any circumstances
• Two types of recourse
• Collective Performance measures and corrective
  action
• Item by item Recourse to correct errors
• Exclusions where neither the CSP nor RP has
  broken rules of issuance or operation
• Fraud is perpetrated in order to acquire a
  credential fraudulently
• Fraud is perpetrated using a valid credential
• Incidents where in spite of rules, hack or
  attack is perpetrated upgrade in
  specifications or processes should be considered

6
Liability Terms

• Principle Liability only applies if one party
  did not abide by rules
• Performance
• All problems/errors will be reported regardless
  of liability terms or fault
• Aggregate performance monitored
• Corrective action applicable if thresholds not
  met
• Corrective program might include
• Notice and time limit to correct
• Penalties which could escalate
• CSP on probationary list
• Expulsion

7
Liability Terms

• Principle Liability only applies if one party
  did not abide by rules
• Item by item recourse
• Recourse/damages to RPs are capped at each
  assurance level
• RP option no recourse is required on some
  classes of items
• CSPs might index prices in alignment with
  exposure at each assurance level
• Recourse designed to help RPs defray cost
  required to
• Take and confirm complaint from end-user
• Unwind actions
• Correct records

8
Other items of consensus

• EAP Rules are intended to be publicly available
• EAP Credentials are intended to be re-usable
  therefore, private arrangements may exist outside
  of the EAP in some cases
• i.e., One participant is not an EAP
  member/subscriber
• No EAP governance applies in those cases
• Assurance levels will be included when the rules
  vary by assurance level
• Intellectual Property minimum IP in the EAP,
  other than a mark to indicate accreditation
• Dispute Resolution process must be
  administratively feasible