Version 2 of REFEDS Assurance Framework released

The REFEDS Assurance Framework (“RAF”) – the international standard for assurance levels of digital identities in research and education – has been notoriously difficult for user organisations (universities etc.) to implement. The reason is that the standard could not be read as a self-contained document: it defined many of its elements in terms of other standards, which implementers then had to consult in order to complete their RAF implementation.

REFEDS has listened to the criticism and has long been working to edit the standard into a self-contained, and thus far easier to use, document. This version of RAF is ready now and can be seen here.

Being self-contained remains the chief difference between the first and second editions of the framework – and no other documents are needed to understand and implement the standard's requirements in its most recent formulation. But other than that, a few of the framework's definitions have in fact been changed too – in particular the definition of those values expressing the extent to which the user organisation has made sure the digital identity has been handed to the intended physical person. To signal to the service providers how these values (the IAP values) are to be interpreted, the user organisation must (in the eduPersonAssurance attribute) supply the value https://refeds.org/assurance/version/2 in the cases where the user's RAF values are to be interpreted in accordance with the second edition of the standard.
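How a service provider might apply this rule when reading eduPersonAssurance is shown in the following Python code, which is an added example and not part of the RAF text or any REFEDS material. The function names and sample attribute values are constructed for illustration, and the IAP value URIs (low, medium, high) are taken from the RAF specification rather than from this page.

```python
# Added example: decide which RAF edition governs the IAP values in a
# multi-valued eduPersonAssurance attribute. Function names are hypothetical.
RAF_V2_MARKER = "https://refeds.org/assurance/version/2"   # value given on this page
IAP_PREFIX = "https://refeds.org/assurance/IAP/"           # from the RAF specification
IAP_ORDER = ["low", "medium", "high"]                      # weakest to strongest


def interpret_iap(values):
    """Return (raf_version, strongest_iap) for the asserted values.

    The version marker is matched as an exact string: a near miss such as a
    trailing slash or a substring hit must not upgrade the interpretation.
    """
    asserted = {v.strip() for v in values if v and v.strip()}
    version = 2 if RAF_V2_MARKER in asserted else 1
    levels = [v[len(IAP_PREFIX):] for v in asserted if v.startswith(IAP_PREFIX)]
    ranked = [lvl for lvl in levels if lvl in IAP_ORDER]
    strongest = max(ranked, key=IAP_ORDER.index) if ranked else None
    return version, strongest


def meets_policy(values, required_iap, require_v2=False):
    """True if the assertion satisfies the service's IAP requirement.

    require_v2=True rejects identities whose IAP values were asserted under
    the first edition's definitions (no version marker present).
    """
    version, strongest = interpret_iap(values)
    if strongest is None:
        return False          # no recognised IAP value at all: fail closed
    if require_v2 and version != 2:
        return False
    return IAP_ORDER.index(strongest) >= IAP_ORDER.index(required_iap)


# Constructed sample assertions (not taken from any real identity provider).
V1_ASSERTION = [IAP_PREFIX + "low", IAP_PREFIX + "medium"]
V2_ASSERTION = [RAF_V2_MARKER, IAP_PREFIX + "low", IAP_PREFIX + "medium",
                IAP_PREFIX + "high"]
NEAR_MISS = [RAF_V2_MARKER + "/", IAP_PREFIX + "high"]   # marker is not exact

if __name__ == "__main__":
    for name, attrs in [("v1", V1_ASSERTION), ("v2", V2_ASSERTION),
                        ("near-miss", NEAR_MISS)]:
        print(name, interpret_iap(attrs), meets_policy(attrs, "medium", True))
```

A service that does not care which edition's definitions apply can leave `require_v2` at its default and accept both kinds of assertion.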

User organisations that have already implemented RAF according to the first version of the framework don't need to change anything, though they might consider adopting the new definitions of the IAP values. User organisations that haven't implemented RAF yet should find the process much easier when they base the effort on the standard's second version.