Release 1.0
Date 01/05/2004
  • All services using the Enterprise Directory’s person credentials, currently known as the UUPID and password, must collect and transmit these credentials over a secured communication channel that ensures end-to-end information integrity and confidentiality, such as SSL or TLS.
  • Services will connect to the ED-Auth and ED-ID systems using only LDAPS (SSL version 3) or LDAP over TLS (TLS version 1).
  • Any service wishing to connect to the Enterprise Directory system will have at least one active full-time salaried employee designated as the responsible party and one current technical contact person for the service.
  • Service administrators will not share or proxy their service’s credentials in any manner except with the Enterprise Directory system.
  • Services will use a person’s UID, not their UUPID, as the principal identifier for that person, though the UUPID may be used to authenticate a person and retrieve their UID.
  • Services will not store any directory information, with the exception of the UID, for longer than a user’s application session, at the end of which the information must be destroyed. Services electing to cache a person’s information will only store the information in memory (preferably in an obfuscated manner).
  • Services will respect a person’s privacy flags such that:
    • Services of type “personal” will only display a person’s suppressed information to that person.
    • Services of type “private” or “public” will never display a person’s suppressed information.
    • A service will only expose a person’s membership in a group to other members of that group if the person’s privacy flag for that group is set to “group”.
    • A service will never expose a person’s membership in a group if the person’s group privacy flag is set to “private”.
    • Services used by administrative staff may display any of the above information if it is required to perform their job.
  • Middleware and IMS staff reserve the right to periodically audit services, either passively or actively, to ensure they comply with all rules stated above, or to appoint a third party to do so.
  • IMS reserves the right to update these rules as necessary.
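The privacy-flag rules above are the part of this policy that a service actually has to encode in its display logic. The following is an added illustration, not code from the Enterprise Directory or IMS: it models the "personal"/"private"/"public" service types, per-attribute suppression, and per-group privacy flags with the values "group" and "private" exactly as the rules list them. The attribute names, the sample person, and the `administrative_need` switch (standing in for "required to perform their job") are constructed for the example; the real directory's schema and flag encoding are not described on this page.

```python
"""Privacy-flag enforcement helpers modelled on the Enterprise Directory rules.

Added example: attribute names, sample data and the administrative_need
switch are assumptions, not the directory's actual schema.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

PERSONAL, PRIVATE, PUBLIC = "personal", "private", "public"
SERVICE_TYPES = {PERSONAL, PRIVATE, PUBLIC}


@dataclass
class Person:
    uid: str                                    # principal identifier (UID, never the UUPID)
    attributes: Dict[str, str]                  # directory attributes returned for the person
    suppressed: Set[str] = field(default_factory=set)     # attributes the person suppressed
    groups: Dict[str, str] = field(default_factory=dict)  # group name -> "group" | "private"


def visible_attributes(person: Person, service_type: str, requester_uid: str,
                       administrative_need: bool = False) -> Dict[str, str]:
    """Return the attributes a service of `service_type` may show to `requester_uid`.

    - administrative staff with a job need may see everything;
    - a "personal" service shows suppressed data only to the person themself;
    - "private" and "public" services never show suppressed data.
    """
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"unknown service type: {service_type!r}")
    if administrative_need:
        return dict(person.attributes)
    if service_type == PERSONAL and requester_uid == person.uid:
        return dict(person.attributes)
    return {name: value for name, value in person.attributes.items()
            if name not in person.suppressed}


def may_expose_membership(person: Person, group: str, requester_uid: str,
                          requester_groups: Set[str],
                          administrative_need: bool = False) -> bool:
    """Decide whether `requester_uid` may learn that `person` belongs to `group`.

    Membership is exposed only to other members of that group, and only when the
    person's flag for the group is "group"; a "private" flag always hides it.
    Unknown flag values are treated as hidden (conservative default, an assumption).
    """
    if group not in person.groups:
        return False            # not a member: nothing to expose
    if administrative_need:
        return True
    flag = person.groups[group]
    if flag == "private":
        return False
    return flag == "group" and group in requester_groups


# Constructed sample record for demonstration only.
ALICE = Person(
    uid="1001",
    attributes={"mail": "alice@example.edu", "phone": "555-0100"},
    suppressed={"phone"},
    groups={"staff": "group", "counseling": "private"},
)


def demo() -> Dict[str, object]:
    """Run the rules against the constructed sample and collect the outcomes."""
    return {
        "self_on_personal": visible_attributes(ALICE, PERSONAL, "1001"),
        "other_on_personal": visible_attributes(ALICE, PERSONAL, "1002"),
        "self_on_public": visible_attributes(ALICE, PUBLIC, "1001"),
        "admin_on_public": visible_attributes(ALICE, PUBLIC, "1002", administrative_need=True),
        "staff_seen_by_staff": may_expose_membership(ALICE, "staff", "1002", {"staff"}),
        "staff_seen_by_student": may_expose_membership(ALICE, "staff", "1002", {"students"}),
        "counseling_seen_by_member": may_expose_membership(ALICE, "counseling", "1002", {"counseling"}),
        "counseling_seen_by_admin": may_expose_membership(ALICE, "counseling", "1002", set(),
                                                          administrative_need=True),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Note that the person's own view on a "public" or "private" service still omits the suppressed attribute: the rules tie that exception to the service type "personal", not to who is asking, so a service that wants to show someone their own suppressed data must be registered as "personal".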

Approved for release on 01/05/2004