On Thu, Apr 19, 2012 at 10:24 AM, Russ Allbery <[email protected]> wrote:
> Fletcher Cocquyt <[email protected]> writes:
>
>> Is this a design limitation? Which is weird since it seems like a
>> common use case to combine IP address into the LOA?
>
> I personally don't see a defensible security justification for allowing
> the originating IP address to influence the LoA.

I would agree with that. Now, you might be able to justify the actual physical location for a consideration in the LoA (as in someone is more likely to accept your identity when you are standing in front of them waving around an ID card, and for which one can take my picture), but an IP address does not give you that same level of assurance since the true location of the source can be "anywhere" (just watch all those bad movies or TV shows that talk about the <evil_person> bouncing their traffic around the world and they are really located in <evil_person_location>).

Gary
