> As Matt pointed out, I think it is important to distinguish Proofing LOA
> from Authentication LOA.

These really aren't two separate concerns.  Matt noted that proofing
and inherent credential strength are inputs to LOA.  There are other
concerns as well that are involved for certain types of credentials:

 - Security of communication channel
 - Revocation policy

I share this to point out that there are a number of considerations
that impinge upon LOA.  It seems to me that attempting to convey all
of these between client and server is practically impossible for all
conceivable credential types; moreover it's information that in most
environments would be shared knowledge.  The relying parties would
simply need to agree on a vocabulary to describe a particular
credential; the resulting LOA would naturally be derived from it.  It
seems to me conveying the server's sense of LOA along with descriptive
authentication method identifiers (e.g. authentication context URNs
defined in 
http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf)
would be sufficient to allow clients to make authorization decisions.

M

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
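The approach this message proposes, as an added example that is not code from the thread or from CAS itself: a relying party takes the server's sense of LOA together with a SAML 2.0 authn context class URN, derives its own LOA from a locally agreed vocabulary that also records channel security and revocation policy, and authorizes on the weaker of the two. The vocabulary values, the attribute names `loa` and `authn_context`, and the 0-4 scale are assumptions made for this example.

```python
# Added example, not code from the cas-dev thread or from CAS itself.
# A relying party receives the server's LOA plus a descriptive authentication
# method identifier (a SAML 2.0 authn context class URN) and derives its own
# LOA from a locally agreed vocabulary that also records channel security and
# revocation policy. Vocabulary values, attribute names and the 0-4 scale are
# assumptions made for this example.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Agreed vocabulary: inherent strength (1-4), protected channel, revocable.
VOCABULARY = {
    AC + "Password": {"strength": 1, "channel": False, "revocable": True},
    AC + "PasswordProtectedTransport": {"strength": 2, "channel": True, "revocable": True},
    AC + "Kerberos": {"strength": 2, "channel": True, "revocable": True},
    AC + "MobileTwoFactorContract": {"strength": 3, "channel": True, "revocable": True},
    # assumption: this RP does no CRL/OCSP check, so the cert is not revocable here
    AC + "X509": {"strength": 3, "channel": True, "revocable": False},
    AC + "SmartcardPKI": {"strength": 4, "channel": True, "revocable": True},
}

def derive_loa(authn_context):
    """LOA the relying party derives for a credential type; identifiers
    outside the agreed vocabulary fail closed to 0."""
    entry = VOCABULARY.get(authn_context)
    if entry is None:
        return 0
    loa = entry["strength"]
    if not entry["channel"]:    # unprotected channel caps LOA at 1
        loa = min(loa, 1)
    if not entry["revocable"]:  # no revocation policy caps LOA at 2
        loa = min(loa, 2)
    return loa

def effective_loa(assertion):
    """Weaker of the server's sense of LOA and the locally derived LOA."""
    server_loa = int(assertion.get("loa", 0))
    return min(server_loa, derive_loa(assertion.get("authn_context", "")))

def authorize(assertion, required_loa):
    """Authorization decision made from the two conveyed values alone."""
    return effective_loa(assertion) >= required_loa

# Constructed sample assertions (not captured from any real CAS server).
SAMPLES = {
    "password": {"loa": 2, "authn_context": AC + "Password"},
    "pwd_tls": {"loa": 2, "authn_context": AC + "PasswordProtectedTransport"},
    "x509": {"loa": 3, "authn_context": AC + "X509"},
    "unknown": {"loa": 4, "authn_context": "urn:example:ac:classes:Unknown"},
}
```

Note that the server's asserted LOA never raises the result above what the relying party can justify from its own vocabulary, so a high LOA paired with an unrecognised method identifier is treated as LOA 0.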