Service Requirements for ED-ID Usage

Release 1.0
Date 07/26/2004
  1. All services using the Enterprise Directory's person credentials, currently known as the UUPID and password, MUST collect and transmit these credentials over a secured communication channel that ensures end-to-end information integrity and confidentiality, such as SSL or TLS.
  2. Services MUST connect to ED-ID using only LDAPS (SSL version 3) or LDAP over TLS (TLS version 1) and employ the SASL External authentication mechanism with a client certificate issued from the VT Middleware CA.
  3. Any service wishing to connect to ED-ID MUST have at least one current technical contact person and one active full-time salaried employee designated as the responsible party for the service.
  4. Services MUST NOT allow other applications access to ED-ID data or functionality.
  5. Services MUST use a person's UID, not their UUPID, as the principal identifier for that person, though the UUPID may be used to authenticate a person and retrieve their UID.
  6. Services MUST NOT store a user's password for longer than that user's application session.
  7. Services SHOULD NOT store any information retrieved from ED-ID about a person for longer than a user's application session unless provisions are made to keep this data timely.
  8. Services MUST respect a person's privacy flags such that:
    1. Services of type “personal” MAY only display a person's suppressed information to that person.
    2. Services of type “private” or “public” MUST NOT display a person's suppressed information.
    3. Services used by administrative staff MAY display any of the above information if it is required to perform their job.
  9. Middleware and IRM staff MAY periodically audit, either passively or actively, services to ensure they comply with all rules stated above, or appoint a third party to do so.
  10. IRM MAY update these rules as necessary.
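
One way a service could enforce rule 8, keyed on the person's UID as rule 5 requires. This is an added example, not code from ED-ID or Middleware; the function name, the "administrative" label, the attribute names and the representation of privacy flags as a set of suppressed attribute names are all assumptions. Unknown service types fail closed.

```python
# Added illustration of rule 8; data shapes are assumptions, not ED-ID's schema.
from enum import Enum


class ServiceType(Enum):
    PERSONAL = "personal"
    PRIVATE = "private"
    PUBLIC = "public"
    ADMINISTRATIVE = "administrative"  # assumed label for rule 8.3 services


def displayable(entry, suppressed, service_type, viewer_uid, job_requires=False):
    """Return the subset of `entry` a service may display to `viewer_uid`.

    entry        -- dict of attribute name -> value, including "uid"
    suppressed   -- set of attribute names the person has flagged (assumed shape)
    job_requires -- rule 8.3: staff need the data to perform their job
    """
    try:
        stype = ServiceType(service_type)
    except ValueError:
        stype = None  # unknown type: fail closed, handled like "public"

    if stype is ServiceType.PERSONAL:
        # Rule 8.1: suppressed data only to the person it belongs to.
        show_suppressed = viewer_uid is not None and viewer_uid == entry.get("uid")
    elif stype is ServiceType.ADMINISTRATIVE:
        # Rule 8.3: only when the job actually requires it.
        show_suppressed = bool(job_requires)
    else:
        # Rule 8.2 ("private"/"public") and anything unrecognised.
        show_suppressed = False

    return {k: v for k, v in entry.items() if show_suppressed or k not in suppressed}


# Constructed sample record; attribute names and values are made up.
SAMPLE = {"uid": "100234", "displayName": "Pat Example", "homePhone": "555-0100"}
SAMPLE_SUPPRESSED = {"homePhone"}
```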

Approved for release



IAD Director __________________________________________________ Date _______________


IRM Representative ____________________________________________ Date _______________
 
middleware/ed/edid/services/requirements.txt · Last modified: 2009/10/07 17:17 (external edit)
 