
assurance - RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
  • Date: Fri, 10 Aug 2012 13:29:48 -0500
  • Accept-language: en-US

This all seems like an exercise in semantics to me. Google and InCommon have
been approved by ICAM. ICAM uses 800-63 as one standard that is used to
measure compliance. This suggests that ICAM is of the opinion that Google
and InCommon are substantially compliant with 800-63 or they would not be
approved.

I have yet to notice or be presented with a significant difference between
the IAP and 800-63, yet there is enthusiastic effort to maintain that they are
not the same. I feel like I am trying to argue that my car is maroon while
everyone else insists that it is dark red. Why is there such resistance to
being associated with 800-63?

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott
Sent: Friday, August 10, 2012 12:17 PM
To:
Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

On 8/10/12 1:12 PM, "Jones, Mark B" <> wrote:

>Google has positioned itself as a provider of externally-issued
>credentials that federal agencies are now required by OMB to accept for
>LoA 1 web sites
>(http://www.cio.gov/documents/OMBReqforAcceptingExternally_IssuedIdCred10-6-2011.pdf).
>Google is already an authentication option on many
>sites such as the National Center for Biotechnology Information
>(http://www.ncbi.nlm.nih.gov/sites/myncbi/). To me Google's motives
>appear to be more than a play for good will. They are not looking for
>the appearance of trustworthiness. ICAM has certified them trustworthy
>at LoA1
>(http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP).

None of which has anything to do with 800-63 other than comparability.
Google does not follow its practices and is not claiming to. All they did was
argue that what they do meets the equivalence test for risk at LOA 1 (and
they will eventually do so for LOA 2 I imagine).

That's what Bronze and Silver are, except that they were descended more
directly from 800-63.

-- Scott



