Assurance

["Jones, Mark B" <>]

Google has positioned itself as a provider of externally-issued credentials 
that federal agencies are now required by OMB to accept for LoA 1 web sites 
(http://www.cio.gov/documents/OMBReqforAcceptingExternally_IssuedIdCred10-6-2011.pdf).
  Google is already an authentication option on many sites such as the 
National Center for Biotechnology Information 
(http://www.ncbi.nlm.nih.gov/sites/myncbi/).  To me Google's motives appear 
to be more than a play for good will.  They are not looking for the 
appearance of trustworthiness.  ICAM has certified them trustworthy at LoA1 
(http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP).




-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Friday, August 10, 2012 7:24 AM
To: 

Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing 
Approaches



> The fact that Google and others have gone to the trouble of becoming 
> ICAM approved is evidence that 800-63 is gaining traction as a 
> standard "in the broader marketplace".

No, I don't think so. Google is simply acknowledging the fact that IdPs will 
ultimately be categorized with respect to their trustworthiness. Jumping on 
the ICAM bandwagon is perhaps the best way to distinguish yourself as an IdP, 
at least for the moment.

Note that Google could not possibly certify as InCommon Bronze since they 
don't meet the password entropy requirements. However, Google employs 
risk-based authentication measures that mitigate some of the same threats 
that password entropy addresses. AFAIK, there's nothing about risk-based 
authentication in 800-63 but apparently ICAM thinks Google's approach 
deserves LoA-1.

Tom