
assurance - Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

Subject: Assurance

  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
  • Date: Wed, 8 Aug 2012 09:21:38 -0700 (PDT)

mrg commented:

#800-63 is a useful document. It is intended for USGov agencies and NGOs.
#We are not they. When we say Silver is 800-63, even in certain respects,
#I completely disagree. We are NOT they.

At the risk of triggering special paper airplane targeting when we next
eat together, let me just share a somewhat different perspective...

Clearly, higher ed is not the US government; in that respect, you're
absolutely right.

However, in many cases, we do need to work closely with them. This might
be NSF or NIH or DOE research grants, for example, or use of supercomputers
or other federally administered research facilities.

Or it might be federal financial aid programs, or other student-related
programs in conjunction with the Department of Education, just to
mention another possible area where universities and federal agencies
seem to often intersect.

If we're all following the same standards, imperfect/frustrating though
those existing standards may be, we might hope that those interactions
would be simpler (probably a vain hope, but at times I indulge myself
and allow myself to be at least a little bit of an optimistic idealist).

Heck, if the international community can agree on common standards for
machine readable passports, or the states can (largely) agree on common
standards for drivers licenses, surely we should be able to come close
to similar congruence for high assurance identities...

Or we might do something different, unique to (part of) higher ed.

Having done so, is there much chance that the feds will come about and
begin to follow our new course? I think not. HSPD-12, for example,
ensured that virtually all federal employees and contracts will be using
HSPD-12-compliant credentials. That ship has sailed.

What of the broader marketplace? Is Facebook or Google likely to adopt
credentials that follow *either* the federal standard, or higher
education's standard for strong assurance credentials? Unfortunately,
probably not.

And that's really unfortunate. I'd really, really, really like to see a
standardized and potentially interoperable credential for all those who
might need or want it, with privacy preserving options for those who
might worry about privacy/big brother having too easy of a time of it.

If we can't do 800-63, I think it would behoove us to pursue a formal
industry standard that we all could live with, probably via the IETF.
It might start with 800-63, or Silver, or something else, but at least
it would be a standard from a standards body that has a chance of
universal acceptance. That's the real key, I think -- having something
that's standardized, and thus broadly accepted.

Just my two cents, paper airplane ack-ack guns at the ready :-)

Regards,

Joe


