
assurance - Re: [Assurance] Assurance and system monitoring

Subject: Assurance

  • From: Brendan Bellina <>
  • To:
  • Subject: Re: [Assurance] Assurance and system monitoring
  • Date: Tue, 24 Jan 2012 11:35:11 -0800
  • Authentication-results: msg-ironport0.usc.edu; dkim=neutral (message not signed) header.i=none

On Jan 24, 2012, at 11:15 AM, Eric Goodman wrote:

On Tue, Jan 24, 2012 at 10:27 AM, Jones, Mark B <> wrote:
And a question...  Shouldn't a non-person entity be able to qualify for an "InCommon Silver(-like) IAQ"? Don't we want to be as assured that the computers we are talking to are identified as well as the people are identified?

I'm not arguing whether it's desirable, just questioning whether or not it's legal given the current IAP.

From the requirements for InCommon Silver, verifying that there's a real person, checking IDs, etc. are all things you're supposed to do as part of asserting the assurance. While I can imagine generating equivalent kinds of security checks for a computer, I don't see that the current InCommon Silver IAP allows for anything like that for a non-human agent.


> I'm a little confused, is the application being run locally or by the vendor as a service?

I'm sure the latter, I've had the same sort of inquiry.

> Are they monitoring the application or are they monitoring the authentication mechanism?

They probably want to monitor both because they'll be blamed for either failing. That's just a common problem whenever people support an authentication mechanism they're fundamentally uncomfortable with.

-- Scott

Correct on both counts. And as noted earlier, with the vendor not having implemented an authentication backdoor or their own IdP, they can't even get to their application pages to monitor them without an IdP-provided account with an InCommon Silver(-like) assurance assertion. Hence their insistence that we provide an account.  

But I am hearing the consensus that people here agree that the vendor should really be expected to resolve the issue, either by adding an authentication backdoor or by running their own IdP.

--- Eric

Could they use a guest account in your IdP restricted to their SP? Not the same as a machine account but it would allow them to log in unless you expire the account.

Brendan



