<!DOCTYPE html>
<!-- saved from url=(0121)https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html -->
<html lang="en" class="Internet-Draft"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>IPSIE Common Requirements Profile</title>
<meta content="Dean H. Saxe" name="author">
<meta content="
The IPSIE Common Requirements Profile is a profile of multiple common security requirements that are applicable to all IPSIE levels (SL* and IL*) and protocols. These common requirements are intended to meet the security and interoperability requirements of enterprise using one or more IPSIE profiles.
" name="description">
<meta content="xml2rfc 3.29.0" name="generator">
<meta content="openid" name="keyword">
<meta content="ipsie" name="keyword">
<meta content="draft-saxe-ipsie-common-requirements-profile-latest" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.29.0
Python 3.12.11
ConfigArgParse 1.7
google-i18n-address 3.1.1
intervaltree 3.1.0
Jinja2 3.1.6
lxml 5.3.1
platformdirs 4.3.8
pycountry 24.6.1
PyYAML 6.0.2
requests 2.32.4
setuptools 80.9.0
wcwidth 0.2.13
-->
<link href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.xml" rel="alternate" type="application/rfc+xml">
<link href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#copyright" rel="license">
<style type="text/css">@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 600;
font-display: swap;
src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Oxygen Mono';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Oxygen Mono';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: italic;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C8A, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: italic;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-cyrillic.woff2') format('woff2');
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: italic;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-greek.woff2') format('woff2');
unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: italic;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-latin-ext.woff2') format('woff2');
unicode-range: U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: italic;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-italic-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: normal;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C8A, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: normal;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-cyrillic.woff2') format('woff2');
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: normal;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-greek.woff2') format('woff2');
unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: normal;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-latin-ext.woff2') format('woff2');
unicode-range: U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Sofia Sans Semi Condensed';
font-style: normal;
font-weight: 1 1000;
src: url('https://martinthomson.github.io/rfc-css/fonts/sofiasanssemicondensed-regular-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
:root {
color-scheme: light dark;
--background-color: #fff;
--text-color: #222;
--title-color: #191919;
--link-color: #2a6496;
--highlight-color: #f9f9f9;
--line-color: #eee;
--pilcrow-weak: #ddd;
--pilcrow-strong: #bbb;
--small-font-size: 14.5px;
--font-mono: 'Oxygen Mono', monospace;
--font-title: "Sofia Sans Semi Condensed", sans-serif;
scrollbar-color: #bbb #eee;
}
body {
max-width: 600px;
margin: 75px auto;
padding: 0 5px;
color: var(--text-color);
background-color: var(--background-color);
font: 16px/22px "Lora", serif;
scroll-behavior: smooth;
}
.ears {
display: none;
}
/* headings */
section {
clear: both;
}
.section-number {
padding-right: 0.5em;
}
h1, h2, h3, h4, h5, h6 {
font-family: var(--font-title);
font-weight: 680;
margin: 0.8em 0 0.3em;
font-size-adjust: 0.5;
color: var(--title-color);
}
h1#title {
font-size: 32px;
line-height: 40px;
clear: both;
}
h1#title, h1#rfcnum {
margin: 1.5em 0 0.2em;
}
h1#rfcnum + h1#title {
margin: 0.2em 0;
}
h1, h2, h3 {
font-size: 22px;
line-height: 27px;
}
h4, h5, h6 {
font-size: 20px;
line-height: 24px;
}
/* general structure */
.author {
padding-bottom: 0.3em;
vertical-align: top;
}
#abstract+p {
font-size: 18px;
line-height: 24px;
}
#abstract+p code, #abstract+p samp, #abstract+p tt {
font-size: 16px;
line-height: 0;
}
p {
padding: 0;
margin: 0.5em 0;
text-align: left;
}
div {
margin: 0;
}
.alignRight.art-text {
background-color: var(--highlight-color);
border: 1px solid var(--line-color);
border-radius: 3px;
padding: 0.5em 1em 0;
margin-bottom: 0.5em;
}
.alignRight.art-text pre {
padding: 0;
width: auto;
}
.alignRight {
margin: 1em 0;
}
.alignRight > *:first-child {
border: none;
margin: 0;
float: right;
clear: both;
}
.alignRight > *:nth-child(2) {
clear: both;
display: block;
border: none;
}
svg {
display: block;
}
/* font-family isn't space-separated, but =~ will have to do */
svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
font-family: var(--font-mono);
}
.alignCenter.art-text {
background-color: var(--highlight-color);
border: 1px solid var(--line-color);
border-radius: 3px;
padding: 0.5em 1em 0;
margin-bottom: 0.5em;
}
.alignCenter.art-text pre {
padding: 0;
width: auto;
}
.alignCenter {
margin: 1em 0;
}
.alignCenter > *:first-child {
border: none;
/* this isn't optimal, but it's an existence proof. PrinceXML doesn't
support flexbox yet.
*/
display: table;
margin: 0 auto;
}
/* lists */
ol, ul {
padding: 0;
margin: 0 0 0.5em 2em;
& :is(ol, ul) {
margin-left: 1em;
}
}
li {
margin: 0 0 0.25em 0;
}
ul.empty, .ulEmpty {
list-style-type: none;
& li {
margin-top: 0.5em;
}
}
:is(ul, ol).compact, .ulCompact, .olCompact {
margin: 0 0 0 2em;
& li {
margin: 0;
& :first-child { margin-top: 0; }
& :last-child { margin-bottom: 0; }
}
}
/* definition lists */
dl {
clear: left;
--indent: 3ch;
/* --indent: attr(indent ch); not supported in any browser, but we can dream */
&.olPercent {
--indent: 5ch;
& > dt {
min-width: calc(var(--indent) - 2ch);
}
}
&.olPercent > dt {
float: none;
}
dl > dd > & {
margin-top: 0.5em;
margin-bottom: 0;
}
}
dl:not(.dlNewline) > dt {
float: left;
margin-right: 2ch;
min-width: 8ch;
}
dl > dd {
margin-bottom: .8em;
margin-left: var(--indent) !important; /* stupid element overrides */
min-height: 2ex;
}
:is(dl.compact, .dlCompact) > dd {
margin-bottom: 0;
& > :is(:first-child, .break:first-child + *) {
margin-top: 0;
}
& > :is(:last-child) {
margin-bottom: 0;
}
}
:is(dd, span).break {
display: none;
}
/* links */
a, a[href].selfRef:hover {
text-decoration: none;
}
a[href] {
color: var(--link-color);
}
a[href].selfRef, .iref + a[href].internal {
color: var(--text-color);
}
a[href]:hover {
text-decoration: underline;
}
a[href].selfRef:hover {
background-color: var(--highlight-color);
}
a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
white-space: nowrap;
}
/* Figures */
tt, code, pre {
background-color: var(--highlight-color);
font: 14px/22px var(--font-mono);
}
tt, code {
/* changing the font for inline elements leads to different ascender
and descender heights; as we want to retain baseline alignment,
remove leading to avoid altering the final height of lines
note: this fails if these blocks take an entire line,
a different solution would be great */
line-height: 0;
}
:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
font-size: 84%;
}
pre {
border: 1px solid var(--line-color);
font-size: 13.5px;
line-height: 16px;
letter-spacing: -0.2px;
margin: 5px;
padding: 5px;
}
img {
max-width: 100%;
}
figure {
margin: 0.5em 0;
padding: 0;
}
figure blockquote {
margin: 0.8em 0.4em 0.4em;
}
figcaption, caption {
font-style: italic;
margin: 0.5em 1.5em;
text-align: left;
caption-side: bottom;
}
@media screen {
/* Auto-collapse boilerplate. */
:is(#status-of-memo, #copyright) p {
margin: -2px 0;
max-height: 0;
transition: max-height 2s ease, margin 0.5s ease 0.5s;
overflow: hidden;
}
:is(#status-of-memo, #copyright):hover p,
:is(#status-of-memo, #copyright) h2:target ~ p {
margin: 0.5em 0;
max-height: 500px;
overflow: auto;
}
pre, svg {
display: inline-block;
/* In the horizontal direction, sometimes people make over-sized figures.
Scrollbars for those is therefore necessary: auto adds them as necessary..
In the vertical direction, the line-height can combine with the font
asender/descender height to produce scrollbars: hidden avoids that. */
overflow: auto hidden;
}
pre {
max-width: 100%;
width: calc(100% - 22px - 1em);
}
svg {
max-width: calc(100% - 22px - 1em);
}
figure pre {
display: block;
width: calc(100% - 25px);
}
:is(pre, svg) + .pilcrow {
display: inline-block;
vertical-align: text-bottom;
padding-bottom: 8px;
}
}
/* aside, blockquote */
aside, blockquote {
margin-left: 0;
padding: 0 2em;
font-style: italic;
}
blockquote {
margin: 1em 0;
}
cite {
display: block;
text-align: right;
font-style: italic;
}
/* tables */
table {
width: auto;
max-width: 100%;
margin: 0 0 1em;
border-collapse: collapse;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
table.left {
margin-right: auto;
}
table .text-left {
text-align: left;
}
table .text-center {
text-align: center;
}
table .text-right {
text-align: right;
}
thead, tbody {
border: 1px solid var(--line-color);
}
th, td {
text-align: left;
vertical-align: top;
padding: 5px 10px;
}
th {
background-color: var(--line-color);
}
:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
background-color: var(--background-color);
}
:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
background-color: var(--highlight-color);
}
table caption {
margin: 0;
padding: 3px 0 3px 1em;
}
table p {
margin: 0;
}
/* pilcrow */
a.pilcrow {
margin-left: 3px;
opacity: 0.2;
user-select: none;
&[href] {
color: var(--pilcrow-weak);
&:hover { text-decoration: none; }
}
}
@media not print {
:hover > a.pilcrow {
opacity: 1;
}
a.pilcrow[href]:hover {
color: var(--pilcrow-strong);
background-color: transparent;
}
}
@media print {
a.pilcrow {
display: none;
}
}
/* misc */
hr {
border: 0;
border-top: 1px solid var(--line-color);
}
.bcp14 {
font-variant: small-caps;
font-weight: 600;
font-size: var(--small-font-size);
}
.role {
font-variant: all-small-caps;
}
sub, sup {
line-height: 1;
font-size: 80%;
}
/* info block */
#identifiers {
margin: 0;
font-size: var(--small-font-size);
line-height: 18px;
--identifier-width: 15ch;
& dt {
width: var(--identifier-width);
min-width: var(--identifier-width);
clear: left;
float: left;
text-align: right;
margin-right: 1ch;
}
& dd {
margin: 0;
margin-left: calc(1em + var(--identifier-width)) !important;
min-width: 5em;
}
& .authors {
& .author {
display: inline-block;
margin-right: 1.5em;
}
& .org {
font-style: italic;
}
}
}
/* The prepared/rendered info at the very bottom of the page */
.docInfo {
color: #999;
font-size: 0.9em;
font-style: italic;
margin-top: 2em;
}
.docInfo .prepared {
float: right;
}
/* table of contents */
#toc {
padding: 0.75em 0 2em 0;
margin-bottom: 1em;
& nav {
& ul {
margin: 0 0.5em 0 0;
padding: 0;
list-style: none;
}
& li {
line-height: 1.3em;
margin: 2px 0;
padding-left: 1.2em;
text-indent: -1.2em;
}
}
& a.xref {
white-space: normal;
}
}
.references {
& > dt {
text-align: right;
font-weight: bold;
min-width: 10ch;
margin-right: 1.5ch;
&:target::before {
content: "⇒";
margin: 0 10px 0 -25px;
}
}
& > dd {
margin-left: 12ch !important;
overflow: visible;
& .refInstance {
margin-bottom: 0.8em;
}
& .ascii {
margin-bottom: 0.25em;
}
}
}
#rfc\.index\.index + ul {
margin-left: 0;
}
/* authors */
address.vcard {
font-style: normal;
max-width: 20em;
margin: 1em auto 1em 0;
& .nameRole {
font-weight: 700;
margin-left: 0;
}
& .label {
margin: 0.5em 0;
}
& .type {
display: none;
}
& .alternative-contact {
margin: 0.5em 0 0.25em 0;
}
& .non-ascii {
margin: 0 0 0 2em;
}
& div.left {
text-align: left;
}
& div.right {
text-align: right;
}
}
hr.addr {
border-top: 1px dashed;
margin: 0;
color: #ddd;
max-width: calc(100% - 16px);
}
@media (min-width: 500px) {
#authors-addresses > section {
column-count: 2;
column-gap: 20px;
}
#authors-addresses > section > h2 {
column-span: all;
}
/* hack for break-inside: avoid-column */
#authors-addresses address {
display: inline-block;
break-inside: avoid-column;
}
}
/* Comments */
.rfcEditorRemove p:first-of-type {
font-style: italic;
}
.cref {
background-color: rgba(249, 232, 105, 0.3);
padding: 2px 4px;
}
.crefSource {
font-style: italic;
}
@media screen {
#toc nav {
font-family: var(--font-title);
font-weight: 360;
& > ul { margin-bottom: 2em; }
& ul {
margin: 0 0 0 4px;
& :is(p, li) {
margin: 2px 0;
}
}
}
#toc a.toplink {
float: right;
}
}
@media not screen {
#toc a.toplink {
display: none;
}
}
/* TOC layout for smaller screens */
@media screen and (max-width: 929px) {
#toc {
position: fixed;
z-index: 2;
top: 0;
right: 0;
padding: 1px 0 0 0;
margin: 0;
border-bottom: 1px solid #ccc;
opacity: 0.6;
}
#toc h2 {
margin: 0;
padding: 2px 0 2px 6px;
padding-right: 1em;
font-size: 18px;
line-height: 24px;
min-width: 190px;
text-align: right;
background-color: #444;
color: white;
cursor: pointer;
&::before { /* css hamburger */
float: right;
position: relative;
width: 1em;
height: 1px;
left: -164px;
margin: 8px 0 0 0;
background: white none repeat scroll 0 0;
box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
content: "";
}
}
#toc nav {
display: none;
background-color: var(--background-color);
padding: 0.5em 1em 1em;
overflow: auto;
overscroll-behavior: contain;
height: calc(100vh - 48px);
border-left: 1px solid #ddd;
}
#toc.active {
opacity: 1;
& nav { display: block; }
}
/* Make the collapsed ToC header render white on gray also when it's a link */
#toc h2 a,
#toc h2 a:is(:link, :focus, :hover),
#toc a.toplink,
#toc a.toplink:hover {
color: white;
background-color: #444;
text-decoration: none;
}
#toc a.toplink {
margin: 2px 0.5em 0;
}
}
/* TOC layout for wide screens */
@media screen and (min-width: 930px) {
body {
padding-right: 360px;
padding-right: calc(min(180px + 20%, 500px));
}
#toc {
position: fixed;
bottom: 0;
right: 0;
right: calc(50vw - 480px);
width: 312px;
margin: 0;
padding: 0;
z-index: 1;
}
#toc h2 {
margin: 0;
padding: 0.25em 1em 1em 0;
}
#toc nav {
display: block;
height: calc(90vh - 84px);
bottom: 0;
padding: 0.5em 0 2em;
overflow: auto;
overscroll-behavior: contain;
scrollbar-width: thin;
}
img { /* future proofing */
max-width: 100%;
height: auto;
}
#toc a.toplink {
margin: 8px 0.5em 0;
}
}
/* pagination */
@media print {
body {
width: 100%;
}
p {
orphans: 3;
widows: 3;
}
#n-copyright-notice {
border-bottom: none;
}
#toc, #n-introduction {
page-break-before: always;
}
#toc {
border-top: none;
padding-top: 0;
}
figure, pre, .vcard {
page-break-inside: avoid;
}
h1, h2, h3, h4, h5, h6 {
page-break-after: avoid;
}
:is(h2, h3, h4, h5, h6)+*, dd {
page-break-before: avoid;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
font-size: 10pt;
}
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
}
@page :first {
padding-top: 0;
@top-left {
content: normal;
border: none;
}
@top-center {
content: normal;
border: none;
}
@top-right {
content: normal;
border: none;
}
}
@page {
size: A4;
margin-bottom: 45mm;
padding-top: 20px;
}
/* Dark mode. */
@media (prefers-color-scheme: dark) {
:root {
--background-color: #121212;
--text-color: #f0f0f0;
--title-color: #fff;
--link-color: #4da4f0;
--highlight-color: #282828;
--line-color: #444;
--pilcrow-weak: #444;
--pilcrow-strong: #666;
scrollbar-color: #777 #333;
}
}
/* SVG Trick: a prefix match works because only black and white are allowed */
svg :is([stroke="black"], [stroke^="#000"]) {
stroke: var(--text-color);
}
svg :is([stroke="white"], [stroke^="#fff"]) {
stroke: var(--background-color);
}
svg :is([fill="black"], [fill^="#000"], :not([fill])) {
fill: var(--text-color);
}
svg :is([fill="white"], [fill^="#fff"]) {
fill: var(--background-color);
}
</style>
</head>
<body class="xml2rfc">
<table class="ears">
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">IPSIE Common Requirements</td>
<td class="right">July 2025</td>
</tr></thead>
<tfoot><tr>
<td class="left">Saxe</td>
<td class="center">Expires 10 January 2026</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">IPSIE Working Group</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">draft-saxe-ipsie-common-requirements-profile-latest</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2025-07-09" class="published">9 July 2025</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2026-01-10">10 January 2026</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
<div class="author-name">D. H. Saxe</div>
<div class="org">Full Frontal Nerdity Industries</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">IPSIE Common Requirements Profile</h1>
<section id="section-abstract">
<h2 id="abstract"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">The IPSIE Common Requirements Profile is a profile of multiple common security requirements that are applicable to all IPSIE levels (SL* and IL*) and protocols. These common requirements are intended to meet the security and interoperability requirements of enterprise using one or more IPSIE profiles.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<section class="note rfcEditorRemove" id="section-note.1">
<h2 id="name-about-this-document">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-about-this-document" class="section-name selfRef">About This Document</a>
</h2>
<p id="section-note.1-1">This note is to be removed before publishing as an RFC.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-note.1-1" class="pilcrow">¶</a></p>
<p id="section-note.1-2">
The latest revision of this draft can be found at <span><a href="https://deansaxe.github.io/ipsie-common/draft-saxe-ipsie-common-requirements-profile.html">https://deansaxe.github.io/ipsie-common/draft-saxe-ipsie-common-requirements-profile.html</a></span>.
Status information for this document may be found at <span><a href="https://datatracker.ietf.org/doc/draft-saxe-ipsie-common-requirements-profile/">https://datatracker.ietf.org/doc/draft-saxe-ipsie-common-requirements-profile/</a></span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-note.1-2" class="pilcrow">¶</a></p>
<p id="section-note.1-3">
Discussion of this document takes place on the
IPSIE Working Group mailing list (<span><a href="mailto:openid-specs-ipsie@lists.openid.net">mailto:openid-specs-ipsie@lists.openid.net</a></span>),
which is archived at <span><a href="https://openid.net/wg/ipsie/">https://openid.net/wg/ipsie/</a></span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-note.1-3" class="pilcrow">¶</a></p>
<p id="section-note.1-4">Source for this draft and an issue tracker can be found at
<span><a href="https://github.com/deansaxe/draft-saxe-ipsie-common-requirements-profile">https://github.com/deansaxe/draft-saxe-ipsie-common-requirements-profile</a></span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-note.1-4" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
<h2 id="name-status-of-this-memo">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
</h2>
<p id="section-boilerplate.1-1">
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.1-3" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 10 January 2026.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
<h2 id="name-copyright-notice">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
</h2>
<p id="section-boilerplate.2-1">
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
<p id="section-toc.1-1.1.1" class="keepWithNext"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-1" class="auto internal xref">1</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-introduction" class="internal xref">Introduction</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
<p id="section-toc.1-1.2.1" class="keepWithNext"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-2" class="auto internal xref">2</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-conventions-and-definitions" class="internal xref">Conventions and Definitions</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
<p id="section-toc.1-1.3.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3" class="auto internal xref">3</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-profile" class="internal xref">Profile</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
<p id="section-toc.1-1.3.2.1.1" class="keepWithNext"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1" class="auto internal xref">3.1</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-security-controls" class="internal xref">Security Controls</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
<p id="section-toc.1-1.3.2.2.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2" class="auto internal xref">3.2</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-network-layer-requirements" class="internal xref">Network Layer Requirements</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2.2.1">
<p id="section-toc.1-1.3.2.2.2.1.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1" class="auto internal xref">3.2.1</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-all-endpoi" class="internal xref">Requirements for all endpoints</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2.2.2">
<p id="section-toc.1-1.3.2.2.2.2.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.2" class="auto internal xref">3.2.2</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-endpoints-" class="internal xref">Requirements for endpoints not used by web browsers</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2.2.3">
<p id="section-toc.1-1.3.2.2.2.3.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3" class="auto internal xref">3.2.3</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-endpoints-u" class="internal xref">Requirements for endpoints used by web browsers</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
<p id="section-toc.1-1.3.2.3.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3" class="auto internal xref">3.3</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-cryptography-and-secrets" class="internal xref">Cryptography and Secrets</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.4">
<p id="section-toc.1-1.3.2.4.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4" class="auto internal xref">3.4</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-federation" class="internal xref">Federation</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
<p id="section-toc.1-1.4.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-4" class="auto internal xref">4</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-security-considerations" class="internal xref">Security Considerations</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
<p id="section-toc.1-1.5.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-5" class="auto internal xref">5</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
<p id="section-toc.1-1.6.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-6" class="auto internal xref">6</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-normative-references" class="internal xref">Normative References</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
<p id="section-toc.1-1.7.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-A" class="auto internal xref">Appendix A</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-notices" class="internal xref">Notices</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
<p id="section-toc.1-1.8.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B" class="auto internal xref">Appendix B</a>. <a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-document-history" class="internal xref">Document History</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
<p id="section-toc.1-1.9.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-C" class="auto internal xref"></a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-acknowledgments" class="internal xref">Acknowledgments</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
<p id="section-toc.1-1.10.1"><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-D" class="auto internal xref"></a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-authors-address" class="internal xref">Author's Address</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
<h2 id="name-introduction">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-1" class="section-number selfRef">1. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-introduction" class="section-name selfRef">Introduction</a>
</h2>
<p id="section-1-1">TODO Introduction to the common requirements<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="conventions-and-definitions">
<section id="section-2">
<h2 id="name-conventions-and-definitions">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-2" class="section-number selfRef">2. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-conventions-and-definitions" class="section-name selfRef">Conventions and Definitions</a>
</h2>
<p id="section-2-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <span><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC8174" class="internal xref">RFC2119</a> [<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they appear in all capitals, as shown here.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="profile">
<section id="section-3">
<h2 id="name-profile">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3" class="section-number selfRef">3. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-profile" class="section-name selfRef">Profile</a>
</h2>
<div id="security-controls">
<section id="section-3.1">
<h3 id="name-security-controls">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1" class="section-number selfRef">3.1. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-security-controls" class="section-name selfRef">Security Controls</a>
</h3>
<p id="section-3.1-1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/72)
This section is non-normative.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.1-2.1">
<p id="section-3.1-2.1.1">All IPSIE compliant identity providers and applications should implement a security controls program, such as NIST SP800-53, FEDRAMP, or other relevant program.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.1-2.2">
<p id="section-3.1-2.2.1">The program should identify how personal attributes of users are stored at rest by the provider, whether an identity provider or application.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.1-2.3">
<p id="section-3.1-2.3.1">This program and its controls should be documented and made available to relevant parties in an IPSIE compliant federation.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.1-2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="network-layer-requirements">
<section id="section-3.2">
<h3 id="name-network-layer-requirements">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2" class="section-number selfRef">3.2. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-network-layer-requirements" class="section-name selfRef">Network Layer Requirements</a>
</h3>
<div id="requirements-for-all-endpoints">
<section id="section-3.2.1">
<h4 id="name-requirements-for-all-endpoi">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1" class="section-number selfRef">3.2.1. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-all-endpoi" class="section-name selfRef">Requirements for all endpoints</a>
</h4>
<p id="section-3.2.1-1">To protect against network attacks, clients, authorization servers, and resource servers:<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.2.1-2.1">
<p id="section-3.2.1-2.1.1">MUST only offer TLS protected endpoints and MUST establish connections to other servers using TLS;<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.1-2.2">
<p id="section-3.2.1-2.2.1">MUST set up TLS connections using TLS version 1.2 or later;<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.1-2.3">
<p id="section-3.2.1-2.3.1">MUST follow the recommendations for Secure Use of Transport Layer Security in <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#BCP195" class="cite xref">BCP195</a>]</span>;<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.1-2.4">
<p id="section-3.2.1-2.4.1">SHOULD use DNSSEC to protect against DNS spoofing attacks that can lead to the issuance of rogue domain-validated TLS certificates; and<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-2.4.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.1-2.5">
<p id="section-3.2.1-2.5.1">MUST perform a TLS server certificate check, as per <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC9525" class="cite xref">RFC9525</a>]</span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.1-2.5.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="requirements-for-endpoints-not-used-by-web-browsers">
<section id="section-3.2.2">
<h4 id="name-requirements-for-endpoints-">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.2" class="section-number selfRef">3.2.2. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-endpoints-" class="section-name selfRef">Requirements for endpoints not used by web browsers</a>
</h4>
<p id="section-3.2.2-1">For server-to-server communication endpoints that are not used by web browsers, the following requirements apply:<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.2.2-2.1">
<p id="section-3.2.2-2.1.1">When using TLS 1.2, servers MUST only permit the cipher suites recommended in <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#BCP195" class="cite xref">BCP195</a>]</span>;<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.2-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.2-2.2">
<p id="section-3.2.2-2.2.1">When using TLS 1.2, clients SHOULD only permit the cipher suites recommended in <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#BCP195" class="cite xref">BCP195</a>]</span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.2-2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="requirements-for-endpoints-used-by-web-browsers">
<section id="section-3.2.3">
<h4 id="name-requirements-for-endpoints-u">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3" class="section-number selfRef">3.2.3. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-requirements-for-endpoints-u" class="section-name selfRef">Requirements for endpoints used by web browsers</a>
</h4>
<p id="section-3.2.3-1">For endpoints that are used by web browsers, the following additional requirements apply:<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.2.3-2.1">
<p id="section-3.2.3-2.1.1">Servers MUST use methods to ensure that connections cannot be downgraded using TLS stripping attacks. A preloaded [preload] HTTP Strict Transport Security policy <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC6797" class="cite xref">RFC6797</a>]</span> can be used for this purpose. Some top-level domains, like .bank and .insurance, have set such a policy and therefore protect all second-level domains below them.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.3-2.2">
<p id="section-3.2.3-2.2.1">When using TLS 1.2, servers MUST only use cipher suites allowed in <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#BCP195" class="cite xref">BCP195</a>]</span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.2.3-2.3">
<p id="section-3.2.3-2.3.1">Servers MUST NOT support [CORS] for the authorization endpoint, as clients must perform an HTTP redirect rather than access this endpoint directly.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.2.3-2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
</section>
</div>
<div id="cryptography-and-secrets">
<section id="section-3.3">
<h3 id="name-cryptography-and-secrets">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3" class="section-number selfRef">3.3. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-cryptography-and-secrets" class="section-name selfRef">Cryptography and Secrets</a>
</h3>
<p id="section-3.3-1">The following requirements apply to cryptographic operations and secrets:<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3-2.1">
<p id="section-3.3-2.1.1">Authorization servers, clients, and resource servers when creating or processing JWTs:<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.1.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.3-2.1.2.1">
<p id="section-3.3-2.1.2.1.1">MUST adhere to <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC8725" class="cite xref">RFC8725</a>]</span>;<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.1.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.3-2.1.2.2">
<p id="section-3.3-2.1.2.2.1">MUST use PS256, ES256, or EdDSA (using the Ed25519 variant) algorithms; and<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.1.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.3-2.1.2.3">
<p id="section-3.3-2.1.2.3.1">MUST NOT use or accept the <code>none</code> algorithm.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.1.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="normal" id="section-3.3-2.2">
<p id="section-3.3-2.2.1">RSA keys MUST have a minimum length of 2048 bits.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.3-2.3">
<p id="section-3.3-2.3.1">Elliptic curve keys MUST have a minimum length of 224 bits.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.3-2.4">
<p id="section-3.3-2.4.1">Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) MUST be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible (<span><a href="https://rfc-editor.org/rfc/rfc6749#section-10.10" class="relref">Section 10.10</a> of [<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#RFC6749" class="cite xref">RFC6749</a>]</span>).<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.3-2.4.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="federation">
<section id="section-3.4">
<h3 id="name-federation">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4" class="section-number selfRef">3.4. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-federation" class="section-name selfRef">Federation</a>
</h3>
<p id="section-3.4-1">IPSIE federation protocols are designed to be compliant with many of the technical controls defined in <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#NIST.FAL" class="cite xref">NIST.FAL</a>]</span> at FAL2. The following federation requirements are derived from the FAL2 requirements and apply to all federation protocol profiles developed by the IPSIE WG.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.4-2.1">
<p id="section-3.4-2.1.1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/77 and https://github.com/openid/ipsie/issues/81)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.2">
<p id="section-3.4-2.2.1">Identity providers and applications SHALL minimize account attribute disclosures to those required for business operations.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.3">
<p id="section-3.4-2.3.1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/78)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.4">
<p id="section-3.4-2.4.1">Account linking as defined in Section 3.7.1 of <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#NIST.FAL" class="cite xref">NIST.FAL</a>]</span> MAY be supported by RPs.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.4.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.4-2.4.2.1">
<p id="section-3.4-2.4.2.1.1">RPs MUST disable account linking by default.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.4.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.4.2.2">
<p id="section-3.4-2.4.2.2.1">RPs that allow account linking MUST follow the requirements of <span>[<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#NIST.FAL" class="cite xref">NIST.FAL</a>]</span>.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.4.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="normal" id="section-3.4-2.5">
<p id="section-3.4-2.5.1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/80)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.5.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.6">
<p id="section-3.4-2.6.1">Alternative authentication mechanisms that bypass federated authentication MAY be supported by IPSIE compliant applications at all SL levels. These mechanisms are commonly known as "break-glass" accounts.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.6.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.4-2.6.2.1">
<p id="section-3.4-2.6.2.1.1">These mechanisms MUST be disabled by default and MAY be enabled on an individual user basis. The mechanism of enablement is not specified by IPSIE.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.6.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.6.2.2">
<p id="section-3.4-2.6.2.2.1">Alternative authentication mechanisms MUST meet the minimum requirements of IPSIE authentication, including the use of multifactor authentication.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.6.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.6.2.3">
<p id="section-3.4-2.6.2.3.1">Phishing resistant authentication is RECOMMENDED.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.6.2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.6.2.4">
<p id="section-3.4-2.6.2.4.1">Alterntive authentication mechanisms MUST be disabled through an identity provisioning protocol when the user's account is disabled or deleted from the application to prevent access to the account.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.6.2.4.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="normal" id="section-3.4-2.7">
<p id="section-3.4-2.7.1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/81 and https://github.com/openid/ipsie/issues/75)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.7.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.8">
<p id="section-3.4-2.8.1">Encryption of assertions passed through the back channel MUST be offered by identity providers and MAY be used by applications.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.8.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.9">
<p id="section-3.4-2.9.1">Assertions passed through the front channel MUST be encrypted.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.9.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.10">
<p id="section-3.4-2.10.1">Pairwise identifiers to prevent correlation of the user's activities across multiple RPs MUST be offered by identity providers and MAY be used by applications.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.10.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.11">
<p id="section-3.4-2.11.1">(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/93)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.11.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.12">
<p id="section-3.4-2.12.1">Subject identifiers may not be globally unique in the absence of additional information. To ensure subject identifier uniqueness RP's MUST use both the subject identifier and a tenant identifier to create globally unique subjects that are bound to the tenant.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.12.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.13">
<p id="section-3.4-2.13.1">(to be removed later: note the following bullet is related to https://github.com/openid/ipsie/issues/94)<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.13.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.14">
<p id="section-3.4-2.14.1">All federation transactions MUST originate from the RP.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.14.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.15">
<p id="section-3.4-2.15.1">The IdP MAY signal to the RP that the user should be authenticated via federation.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.15.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="section-3.4-2.16">
<p id="section-3.4-2.16.1">Unsolicited federation requests SHALL NOT originate from the IdP (<em>e.g.</em> IdP initiated federation).<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-3.4-2.16.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
</section>
</div>
<div id="security-considerations">
<section id="section-4">
<h2 id="name-security-considerations">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-4" class="section-number selfRef">4. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-security-considerations" class="section-name selfRef">Security Considerations</a>
</h2>
<p id="section-4-1">TODO Security
* Alternative authN mechanisms/break glass security risks<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-4-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana-considerations">
<section id="section-5">
<h2 id="name-iana-considerations">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-5" class="section-number selfRef">5. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
</h2>
<p id="section-5-1">This document has no IANA actions.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-5-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="sec-normative-references">
<section id="section-6">
<h2 id="name-normative-references">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#section-6" class="section-number selfRef">6. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-normative-references" class="section-name selfRef">Normative References</a>
</h2>
<dl class="references">
<dt id="BCP195">[BCP195]</dt>
<dd>
<div class="refInstance">Best Current Practice 195, <span><<a href="https://www.rfc-editor.org/info/bcp195">https://www.rfc-editor.org/info/bcp195</a>></span>.<br><span>At the time of writing, this BCP comprises the following:</span>
</div>
<div class="refInstance" id="RFC8996">
<span class="refAuthor">Moriarty, K.</span> and <span class="refAuthor">S. Farrell</span>, <span class="refTitle">"Deprecating TLS 1.0 and TLS 1.1"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 8996</span>, <span class="seriesInfo">DOI 10.17487/RFC8996</span>, <time datetime="2021-03" class="refDate">March 2021</time>, <span><<a href="https://www.rfc-editor.org/info/rfc8996">https://www.rfc-editor.org/info/rfc8996</a>></span>. </div>
<div class="refInstance" id="RFC9325">
<span class="refAuthor">Sheffer, Y.</span>, <span class="refAuthor">Saint-Andre, P.</span>, and <span class="refAuthor">T. Fossati</span>, <span class="refTitle">"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 9325</span>, <span class="seriesInfo">DOI 10.17487/RFC9325</span>, <time datetime="2022-11" class="refDate">November 2022</time>, <span><<a href="https://www.rfc-editor.org/info/rfc9325">https://www.rfc-editor.org/info/rfc9325</a>></span>. </div>
</dd>
<dd class="break"></dd>
<dt id="NIST.FAL">[NIST.FAL]</dt>
<dd>
<span class="refTitle">"NIST SP 800-63 Digital Identity Guidelines Federation Assurance Level (FAL)"</span>, <time datetime="2024-08" class="refDate">August 2024</time>, <span><<a href="https://pages.nist.gov/800-63-4/sp800-63c/fal/">https://pages.nist.gov/800-63-4/sp800-63c/fal/</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OpenID">[OpenID]</dt>
<dd>
<span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Jones, M.</span>, <span class="refAuthor">de Medeiros, B.</span>, and <span class="refAuthor">C. Mortimore</span>, <span class="refTitle">"OpenID Connect Core 1.0 incorporating errata set 2"</span>, <time datetime="2023-12" class="refDate">December 2023</time>, <span><<a href="https://openid.net/specs/openid-connect-core-1_0.html">https://openid.net/specs/openid-connect-core-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OpenID.Discovery">[OpenID.Discovery]</dt>
<dd>
<span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">E. Jay</span>, <span class="refTitle">"OpenID Connect Discovery 1.0 incorporating errata set 2"</span>, <time datetime="2023-12" class="refDate">December 2023</time>, <span><<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">https://openid.net/specs/openid-connect-discovery-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC2119">[RFC2119]</dt>
<dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6749">[RFC6749]</dt>
<dd>
<span class="refAuthor">Hardt, D., Ed.</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework"</span>, <span class="seriesInfo">RFC 6749</span>, <span class="seriesInfo">DOI 10.17487/RFC6749</span>, <time datetime="2012-10" class="refDate">October 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6749">https://www.rfc-editor.org/rfc/rfc6749</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6750">[RFC6750]</dt>
<dd>
<span class="refAuthor">Jones, M.</span> and <span class="refAuthor">D. Hardt</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework: Bearer Token Usage"</span>, <span class="seriesInfo">RFC 6750</span>, <span class="seriesInfo">DOI 10.17487/RFC6750</span>, <time datetime="2012-10" class="refDate">October 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6750">https://www.rfc-editor.org/rfc/rfc6750</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6797">[RFC6797]</dt>
<dd>
<span class="refAuthor">Hodges, J.</span>, <span class="refAuthor">Jackson, C.</span>, and <span class="refAuthor">A. Barth</span>, <span class="refTitle">"HTTP Strict Transport Security (HSTS)"</span>, <span class="seriesInfo">RFC 6797</span>, <span class="seriesInfo">DOI 10.17487/RFC6797</span>, <time datetime="2012-11" class="refDate">November 2012</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc6797">https://www.rfc-editor.org/rfc/rfc6797</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7636">[RFC7636]</dt>
<dd>
<span class="refAuthor">Sakimura, N., Ed.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Agarwal</span>, <span class="refTitle">"Proof Key for Code Exchange by OAuth Public Clients"</span>, <span class="seriesInfo">RFC 7636</span>, <span class="seriesInfo">DOI 10.17487/RFC7636</span>, <time datetime="2015-09" class="refDate">September 2015</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc7636">https://www.rfc-editor.org/rfc/rfc7636</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
<dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8252">[RFC8252]</dt>
<dd>
<span class="refAuthor">Denniss, W.</span> and <span class="refAuthor">J. Bradley</span>, <span class="refTitle">"OAuth 2.0 for Native Apps"</span>, <span class="seriesInfo">BCP 212</span>, <span class="seriesInfo">RFC 8252</span>, <span class="seriesInfo">DOI 10.17487/RFC8252</span>, <time datetime="2017-10" class="refDate">October 2017</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8252">https://www.rfc-editor.org/rfc/rfc8252</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8414">[RFC8414]</dt>
<dd>
<span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Sakimura, N.</span>, and <span class="refAuthor">J. Bradley</span>, <span class="refTitle">"OAuth 2.0 Authorization Server Metadata"</span>, <span class="seriesInfo">RFC 8414</span>, <span class="seriesInfo">DOI 10.17487/RFC8414</span>, <time datetime="2018-06" class="refDate">June 2018</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8414">https://www.rfc-editor.org/rfc/rfc8414</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8725">[RFC8725]</dt>
<dd>
<span class="refAuthor">Sheffer, Y.</span>, <span class="refAuthor">Hardt, D.</span>, and <span class="refAuthor">M. Jones</span>, <span class="refTitle">"JSON Web Token Best Current Practices"</span>, <span class="seriesInfo">BCP 225</span>, <span class="seriesInfo">RFC 8725</span>, <span class="seriesInfo">DOI 10.17487/RFC8725</span>, <time datetime="2020-02" class="refDate">February 2020</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8725">https://www.rfc-editor.org/rfc/rfc8725</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9126">[RFC9126]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Tonge, D.</span>, and <span class="refAuthor">F. Skokan</span>, <span class="refTitle">"OAuth 2.0 Pushed Authorization Requests"</span>, <span class="seriesInfo">RFC 9126</span>, <span class="seriesInfo">DOI 10.17487/RFC9126</span>, <time datetime="2021-09" class="refDate">September 2021</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9126">https://www.rfc-editor.org/rfc/rfc9126</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9207">[RFC9207]</dt>
<dd>
<span class="refAuthor">Meyer zu Selhausen, K.</span> and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"OAuth 2.0 Authorization Server Issuer Identification"</span>, <span class="seriesInfo">RFC 9207</span>, <span class="seriesInfo">DOI 10.17487/RFC9207</span>, <time datetime="2022-03" class="refDate">March 2022</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9207">https://www.rfc-editor.org/rfc/rfc9207</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9449">[RFC9449]</dt>
<dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof of Possession (DPoP)"</span>, <span class="seriesInfo">RFC 9449</span>, <span class="seriesInfo">DOI 10.17487/RFC9449</span>, <time datetime="2023-09" class="refDate">September 2023</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9449">https://www.rfc-editor.org/rfc/rfc9449</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9525">[RFC9525]</dt>
<dd>
<span class="refAuthor">Saint-Andre, P.</span> and <span class="refAuthor">R. Salz</span>, <span class="refTitle">"Service Identity in TLS"</span>, <span class="seriesInfo">RFC 9525</span>, <span class="seriesInfo">DOI 10.17487/RFC9525</span>, <time datetime="2023-11" class="refDate">November 2023</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9525">https://www.rfc-editor.org/rfc/rfc9525</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9700">[RFC9700]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Labunets, A.</span>, and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"Best Current Practice for OAuth 2.0 Security"</span>, <span class="seriesInfo">BCP 240</span>, <span class="seriesInfo">RFC 9700</span>, <span class="seriesInfo">DOI 10.17487/RFC9700</span>, <time datetime="2025-01" class="refDate">January 2025</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc9700">https://www.rfc-editor.org/rfc/rfc9700</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</div>
<div id="notices">
<section id="appendix-A">
<h2 id="name-notices">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-A" class="section-number selfRef">Appendix A. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-notices" class="section-name selfRef">Notices</a>
</h2>
<p id="appendix-A-1">Copyright (c) 2025 The OpenID Foundation.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-A-1" class="pilcrow">¶</a></p>
<p id="appendix-A-2">The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft, Final
Specification, or Final Specification Incorporating Errata Corrections
solely for the purposes of (i) developing specifications,
and (ii) implementing Implementers Drafts, Final Specifications,
and Final Specification Incorporating Errata Corrections based
on such documents, provided that attribution be made to the OIDF as the
source of the material, but that such attribution does not indicate an
endorsement by the OIDF.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-A-2" class="pilcrow">¶</a></p>
<p id="appendix-A-3">The technology described in this specification was made available
from contributions from various sources, including members of the OpenID
Foundation and others. Although the OpenID Foundation has taken steps to
help ensure that the technology is available for distribution, it takes
no position regarding the validity or scope of any intellectual property
or other rights that might be claimed to pertain to the implementation
or use of the technology described in this specification or the extent
to which any license under such rights might or might not be available;
neither does it represent that it has made any independent effort to
identify any such rights. The OpenID Foundation and the contributors to
this specification make no (and hereby expressly disclaim any)
warranties (express, implied, or otherwise), including implied
warranties of merchantability, non-infringement, fitness for a
particular purpose, or title, related to this specification, and the
entire risk as to implementing this specification is assumed by the
implementer. The OpenID Intellectual Property Rights policy
(found at openid.net) requires
contributors to offer a patent promise not to assert certain patent
claims against other contributors and against implementers.
OpenID invites any interested party to bring to its attention any
copyrights, patents, patent applications, or other proprietary rights
that may cover technology that may be required to practice this
specification.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-A-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="document-history">
<section id="appendix-B">
<h2 id="name-document-history">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B" class="section-number selfRef">Appendix B. </a><a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-document-history" class="section-name selfRef">Document History</a>
</h2>
<p id="appendix-B-1">[[ To be removed from the final specification ]]<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B-1" class="pilcrow">¶</a></p>
<p id="appendix-B-2">-00<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="appendix-B-3.1">
<p id="appendix-B-3.1.1">Initial draft<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B-3.1.1" class="pilcrow">¶</a></p>
</li>
<li class="normal" id="appendix-B-3.2">
<p id="appendix-B-3.2.1">Moved the sections Network Layer Requirements and Cryptography and Secrets from the IPSIE SL1 OIDC profile draft.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-B-3.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
<div id="acknowledgments">
<section id="appendix-C">
<h2 id="name-acknowledgments">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
</h2>
<p id="appendix-C-1">TODO acknowledge Aaron Parecki for his initial documentation of the Network Layer Requirements and Cryptography and Secrets from the IPSIE SL1 OIDC profile draft. Acknowledge feedback and contributions from the IPSIE WG.<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#appendix-C-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-D">
<h2 id="name-authors-address">
<a href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html#name-authors-address" class="section-name selfRef">Author's Address</a>
</h2>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Dean H. Saxe</span></div>
<div dir="auto" class="left"><span class="org">Full Frontal Nerdity Industries</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:dean@thesax.es" class="email">dean@thesax.es</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
toc.classList.remove("active");
});
</script>
</body></html>