RULE NO.: RULE TITLE:
74-5.001: Purpose and Applicability; Definitions
74-5.003: Identity Management
NOTICE OF CHANGE
Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 43 No. 64, April 3, 2017 issue of the Florida Administrative Register.
74-5.001 Purpose and Applicability; Definitions.
(1) Purpose. The purpose of the Identity Management rule is to ensure that Identity Management Services provide secure, reliable and interoperable mechanisms for authenticating the identity of devices, application services, and Users that consume state information and application resources. This rule is modeled after the Identity Ecosystem Framework Baseline Functional Requirements v1.0, October 15, 2015.
(2) No change.
(3) Definitions.
(a) The following terms are defined:
1. through 8. No change.
9. Bona Fides – documentation evidence that provides insight into an organization’s maturity, legitimacy, stability, and reputation.
10. through 45. No change.
Rulemaking Authority 282.0051(19) FS. Law Implemented 282.0051(2) FS. History-New .
74-5.003 Identity Management.
(1) No change.
(2) Interoperability.
(a) No change.
(b) Standardized Credentials. Identity Provider services must be consumable by more than one Relying Party and must utilize one or more of the following Standards:
1. The Kerberos Network of Authentication Service Version 5, The Internet Society, 2005, which is hereby incorporated into this rule by reference and may be found at: ;
2. The OAuth 2.0 Authorization Framework, Internet Engineering Task Force, October 2012, which is hereby incorporated into this rule by reference and may be found at: ;
3. OpenID Standard Connect Version 1.0, The OpenID Foundation, 2013, a copy of which may be obtained from The OpenID Foundation, 2400 Camino Ramon, Suite 375, San Ramon, CA 94583, or www.openid.net;
4. Organization for the Advancement of Structured Information Standards (OASIS) PKCS #11 Cryptographic Token Interface Historical Mechanisms Specification, Version 2.4, Technical Committee, April 14, 2015, which is hereby incorporated into this rule by reference and may be found at: ;
5. Assertions and Protocol for the OASIS Security Assertion Markup Language, Version 1.1, Security Services Technical Committee; 2013, which is hereby incorporated into this rule by reference and may be found at: ;
6. Authentication Context for the OASIS Security Assertion Markup Language, Version 2.0, Security Services Technical Committee, 2005, which is hereby incorporated into this rule by reference and may be found at: ;
7. OASIS Web Service Security: Simple Object Access Protocol (SOAP) Message Security, Version 1.1, Web Services Security Technical Committee, February 1, 2006, which is hereby incorporated into this rule by reference and may be found at: ;
8. Universal Authentication Framework, Version 1.1, The FIDO Alliance, October 2016, which is hereby incorporated into this rule by reference and may be found at: ;
9. Universal 2nd Factor Overview, Version 1.1, The FIDO Alliance, September 2016, which is hereby incorporated into this rule by reference and may be found at: ;
10. OASIS Web Service Federation Language, Version 1.2, May 22, 2009, which is hereby incorporated into this rule by reference and may be found at: ;
11. Web Services Policy 1.2 – Framework (WS-Policy), World Wide Web Consortium (W3C), April 25, 2006, which is hereby incorporated into this rule by reference and may be found at: ;
12. OASIS WS-SecureConversation, Version 1.3, OASIS Technical Committee, March 1, 2007, which is hereby incorporated into this rule by reference and may be found at: ;
13. OASIS Web Services Security Kerberos Token Profile, Version 1.1.1, The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
14. OASIS Web Services Security Rights Expression Language (REL) Token Profile, Version 1.1.1, The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
15. OASIS Web Services Security SAML Token Profile, Version 1.1.1, The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
16. OASIS Web Services Security: SOAP Message Security, Version 1.1.1, The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
17. OASIS Web Services Security Username Token Profile Version 1.1.1; The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
18. OASIS Web Services Security X.509 Certificate Token Profile, Version 1.1.1, The Technical Committee, May 18, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
19. OASIS WS-SecurityPolicy, Version 1.3, OASIS Standard incorporating Approved Errata 01, The Technical Committee, April 25, 2014, which is hereby incorporated into this rule by reference and may be found at: ;
20. OASIS WS-Trust, Version 1.4, The Technical Committee, April 25, 2012, which is hereby incorporated into this rule by reference and may be found at: ;
21. X.509 PKI, An Internet Attribute Certificate Profile for Authorization, Networking Working Group, April 2002, which is hereby incorporated into this rule by reference and may be found at: ;
22. X.509 PKI, Certificate Management Messages over CMS, Network Working Group, April 2000, which is hereby incorporated into this rule by reference and may be found at: ;
23. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, Networking Working Group, March 1999, which is hereby incorporated into this rule by reference and may be found at: ;
24. Internet X.509 Certificate Request Message Format, Network Working Group, March 1999, which is hereby incorporated into this rule by reference and may be found at: ;
25. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, Network Working Group, June 1999, which is hereby incorporated into this rule by reference and may be found at: ;
26. Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile, Network Working Group, June 2004, which is hereby incorporated into this rule by reference and may be found at: ;
27. Internet X.509 Public Key Infrastructure Qualified Certificates Profile, Network Working Group, January 2001, which is hereby incorporated into this rule by reference and may be found at: ;
28. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP), Network Working Group, August 2001, which is hereby incorporated into this rule by reference and may be found at: ;
29. W3C SOAP Version 1.2 Part 1: Messaging Framework (Second Ed.), April 27, 2007, which is hereby incorporated into this rule by reference and may be found at: .
(c) through (g). No change.
(3) Privacy.
(a) through (h). No change.
(i) User Notification of Changes: Identity Providers and Relying Parties must, upon any changes to a service or process that affects the prior or ongoing collection, generation, use, transmission, storage, or retention of Users’ users’ Personal Information, notify those Users users in writing within 30 days, and provide them with Compensating Controls compensating controls designed to mitigate privacy risks that may arise from those changes, which may include permitting the User to withdraw from the service or process seeking express affirmative consent of users in accordance with relevant law or regulation.
(j) through (k). No change.
(l) Data Retention and Disposal: Relying Parties must limit the retention of Personal Information to the time necessary for providing and administering the functions and services to users for which the information was collected, and adhere to all applicable legal and record retention requirements. When no longer needed, Personal Information must be appropriately disposed of accordance with all applicable legal and record retention requirements.
(m). No change.
(4) Security.
(a) through (f). No change.
Rulemaking Authority 282.0051(19) FS. Law Implemented 282.0051(2) FS. History-New