Assurance

["William G. Thompson, Jr." <>]

This is somewhat of a (related?) problem for Unicon as well.  Unicon is both an InC Affiliate and Participant.  Unicon's IdP is sufficient to login to Internet2 wiki via InC metadata, but not much else.   Given we most often work with HE, we are constantly exercising various systems/forms/procedures for guest access.  If only there was some federated authentication technology we could use... :)

Perhaps having commercial partners in the IAP doesn't make sense, but Unicon would surely participate if it did.

Best,

Bill

On Fri, Aug 10, 2012 at 8:35 AM, Ann West <> wrote:

ICAM did not certify Google. OIX did.
http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP

And regarding Google not being certified at Silver, InCommon does offer the option of submitting comparable alternatives. I think Google's bigger problem is that they are a corporate entity and are not eligible to participate in InCommon's Assurance Program.

Ann

----- Original Message -----
>
>
> > The fact that Google and others have gone to the trouble of
> > becoming
> > ICAM approved is evidence that 800-63 is gaining traction as a
> > standard "in the broader marketplace".
>
> No, I don't think so. Google is simply acknowledging the fact that
> IdPs will ultimately be categorized with respect to their
> trustworthiness. Jumping on the ICAM bandwagon is perhaps the best
> way to distinguish yourself as an IdP, at least for the moment.
>
> Note that Google could not possibly certify as InCommon Bronze since
> they don't meet the password entropy requirements. However, Google
> employs risk-based authentication measures that mitigate some of the
> same threats that password entropy addresses. AFAIK, there's nothing
> about risk-based authentication in 800-63 but apparently ICAM thinks
> Google's approach deserves LoA-1.
>
> Tom
>