
assurance - Re: [Assurance] Assurance InterOp: Notes/AIs from 9/19

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Assurance InterOp: Notes/AIs from 9/19
  • Date: Tue, 20 Sep 2011 13:03:14 +0000
  • Accept-language: en-US

On 9/20/11 8:45 AM, "Curry, Warren" wrote:

>I would like to see the case of the null value handled. This is the case
>in which many individual accounts at UF will not attain Bronze or Silver
>certification. They run in the same IdP and could attempt to access a
>service with a null value. It would be a better data solution to provide
>for a value when the assertion is null. This easily distinguishes an
>implementation or data error vs a user who has not been given an InCommon
>IAP level of Assurance.

To be clear, a literal null isn't possible in a response; there's always
an AuthnContext of some kind. The only question is what it is. Today it's
usually the PasswordProtectedTransport constant, with perhaps a few others
mixed in.

The problem comes in when an SP wants to ask for an IAQ, but allow for
anything. I found that an odd use case, but if it were necessary, the only
way to represent that is to use one of the comparison operators the IdP
doesn't support, or have an IAQ to use to represent "any" alongside Bronze
or Silver. The SP couldn't use, say, PasswordProtectedConstant, because it
wouldn't know for sure that the IdP was using that as a baseline.

-- Scott
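
An added example, not part of the original message or of any project's code: an SP-side check that separates an asserted Bronze/Silver IAQ, some other AuthnContext class (such as an IdP baseline), and a missing class reference treated as an implementation or data error. The Bronze and Silver URIs, the function names and the sample assertions are assumptions made for illustration; signature validation and hardened XML parsing are assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumed IAQ URIs; the message does not give them.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
IAQS = {BRONZE: "bronze", SILVER: "silver"}


def requested_authn_context(class_refs, comparison="exact"):
    """Build the samlp:RequestedAuthnContext an SP puts in its AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac


def classify(assertion_xml, requested=()):
    """Return (status, class_ref) for the AuthnContext of a saml:Assertion.

    'bronze' / 'silver': an IAQ was asserted
    'no-iaq':            another class, e.g. the IdP's baseline
    'unrequested':       the SP asked for specific classes and got another
    'error':             no class ref at all (implementation or data error)
    """
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext"
            f"/{{{SAML}}}AuthnContextClassRef")
    node = ET.fromstring(assertion_xml).find(path)
    ref = (node.text or "").strip() if node is not None else ""
    if not ref:
        return ("error", None)
    if requested and ref not in requested:
        return ("unrequested", ref)
    return (IAQS.get(ref, "no-iaq"), ref)


def sample_assertion(class_ref):
    """Constructed, unsigned test assertion; class_ref=None omits the context."""
    ctx = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
           "</saml:AuthnContextClassRef></saml:AuthnContext>") if class_ref else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
            f"{ctx}</saml:AuthnStatement></saml:Assertion>")


if __name__ == "__main__":
    for ref in (SILVER, PPT, None):
        print(classify(sample_assertion(ref), {BRONZE, SILVER}))
```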



