At least in the Moonshot implementation we plan on handling this through
the Communities of Interest concept in draft-mrw-abfab-trust-router.
As Hannes points out, LOA really implies more of a system concept than
just how the user is authenticated.
So, some proxies may not be up to carrying particular LOA traffic.

So a particular request would enter the system in a community with a
particular LOA requirement.  That would influence which proxies were
considered appropriate and potentially keying between proxies.

In some cases there may be a RADIUS hop before trust router starts, or
RADIUS hops that carry multiple COIs, similar to how other labeled
traffic is handled.  We'd need some sort of RADIUS attribute for
distinguishing COI in this case.

Obviously, this is very specific to our implementation at the moment,
and we don't have code for this yet.  However, it very much is a system
property and so aspects of this are easier to think of in a system
context like Moonshot than purely in a standardization context in order
to see how it all fits together.
Obviously it would be great to standardize as much of this as possible.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab