-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/09/2011 09:13 AM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> Hi Jim,
>
> Here is the challenge with the level of assurance concept: they are
> not just a matter of how the user was authenticated but the
> different levels are reflected in the overall system design.
If you read 800-63 or iso29115 or the Kantara IAF (or most other
trust frameworks sired from 800-63) you will find 4 aspects over
which loa is measured: business maturity and stability, identity
proofing, credentials management and authentication.
It is a common mistake to assume that authentication is the
only aspect.
>
> As such, it is not sufficient to just communicate from the IdP to
> the RP that a specific transaction is, for example, LoA 4. The RP
> should "know" that since the entire system has to be designed in
> such a way and the IdP and the RP are likely to have an agreement
> (out of band) to ensure the RP that the IdP does actually what it
> is claiming to do. (You may call this "trust relationship".)
>
Absolutely not. In most real-world situations LoA is "mixed" - users
may authenticate with different tokens for the same "identity" thus
having different "aggregate" LoA for any given authn event.
You *absolutely* have to figure out a way to communicate LoA and
both SAML and OpenID Connect have mechanisms for this.
> Having said that NIST SP 800-63 (as it is available today;
> revision pending) has a serious shortcoming. It focuses with the
> LoA concept heavily on identity proofing and authentication but
> does not consider the attribute assurance and privacy concepts that
> are associated with the release of data. In a complete system, like
> we are working on in ABFAB, this is very relevant.
This is an area that is seeing increased interest in both OIX and
Kantara for instance. However it may be that the gaps are not
as great as one might think.
Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk7iCrgACgkQ8Jx8FtbMZnf/HwCaApIEUarpoh9+g4aNeUBzhnCw
WqwAn3I+kBbGS799X3xfQf4B8wBggXZ7
=sNMU
-----END PGP SIGNATURE-----
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
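An added illustration of the point Leif makes above, that LoA has to be communicated per authentication event because the same identity may authenticate with different tokens, and of Hannes's point that an out-of-band agreement between RP and IdP still has to back what the IdP asserts. This is example code written for this page, not code from the thread or from any project mentioned in it. It uses the OpenID Connect `acr` (Authentication Context Class Reference) claim of the ID Token as the per-event LoA carrier; the `urn:example:loa:*` values, the issuer name and the per-issuer LoA cap are constructed for the example and are not standard identifiers. Signature verification of the ID Token is assumed to have happened before these checks run.

```python
import base64
import json

# Hypothetical acr URIs and the LoA each one denotes. An RP and an IdP would
# agree on a table like this out of band; these values are constructed here.
ACR_TO_LOA = {
    "urn:example:loa:1": 1,
    "urn:example:loa:2": 2,
    "urn:example:loa:3": 3,
    "urn:example:loa:4": 4,
}

# The out-of-band "trust relationship": the highest LoA this RP is willing to
# credit to each issuer, whatever the issuer asserts in a given token.
# Constructed values; an issuer missing from this table is not trusted at all.
ISSUER_MAX_LOA = {
    "https://idp.example.org": 3,
}


def decode_payload(id_token):
    """Return the claims of a compact-serialised ID Token (header.payload.sig).
    Signature checking is out of scope here and assumed done already."""
    _header_b64, payload_b64, _sig = id_token.split(".")
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def effective_loa(claims):
    """LoA the RP can attribute to this single authentication event:
    the asserted acr, capped by what the RP agreed to accept from the issuer."""
    issuer = claims.get("iss")
    if issuer not in ISSUER_MAX_LOA:
        return 0  # no agreement with this IdP: nothing it says counts
    acr = claims.get("acr")
    if acr is None:
        return 0  # no context asserted: treat the event as unmet, not as "max"
    asserted = ACR_TO_LOA.get(acr, 0)  # unknown acr values count as 0
    return min(asserted, ISSUER_MAX_LOA[issuer])


def rp_accepts(claims, required_loa):
    """Authorise a transaction only if this event's effective LoA suffices."""
    return effective_loa(claims) >= required_loa


def make_token(claims):
    """Build a demo ID Token with a placeholder signature (constructed input)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.PLACEHOLDER_SIGNATURE"


# Mixed LoA for one identity: the same subject, two different authentication
# events, hence two different acr values (constructed sample tokens).
EVENT_PASSWORD = make_token({
    "iss": "https://idp.example.org", "sub": "alice", "acr": "urn:example:loa:2",
})
EVENT_HARDWARE_TOKEN = make_token({
    "iss": "https://idp.example.org", "sub": "alice", "acr": "urn:example:loa:4",
})
EVENT_NO_ACR = make_token({"iss": "https://idp.example.org", "sub": "alice"})
EVENT_UNKNOWN_IDP = make_token({
    "iss": "https://unknown.example.net", "sub": "alice", "acr": "urn:example:loa:4",
})

if __name__ == "__main__":
    for name, tok in [("password", EVENT_PASSWORD), ("hardware", EVENT_HARDWARE_TOKEN),
                      ("no-acr", EVENT_NO_ACR), ("unknown-idp", EVENT_UNKNOWN_IDP)]:
        claims = decode_payload(tok)
        print(f"{name:12s} effective LoA={effective_loa(claims)} "
              f"ok-for-LoA3={rp_accepts(claims, 3)}")
```

The two "alice" events show why a static, per-identity LoA would be wrong: the password event yields LoA 2 and is refused for an LoA 3 transaction, while the hardware-token event from the same subject is accepted. The issuer cap shows the other half of the discussion: the IdP asserting LoA 4 does not make the event LoA 4 at the RP, because the agreement only covers LoA 3, and an IdP with no agreement at all contributes nothing regardless of its claim.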