
Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches


  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
  • Date: Fri, 10 Aug 2012 09:03:04 -0400 (EDT)



> ICAM did not certify Google. OIX did.
> http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP

But ICAM certified OIX as a TFP, so indirectly ICAM certified Google.

> And regarding Google not being certified at Silver, InCommon does
> offer the option of submitting comparable alternatives.

I was talking about Bronze, but in any case, this strengthens my point. IdPs
are not certified subject to 800-63. They are not even certified according to
a strict reading of the InC IAP. I think this is fine but it does make things
more difficult at the SP.

> I think
> Google's bigger problem is that they are a corporate entity and are
> not eligible to participate in InCommon's Assurance Program.

It is true that corporate entities are not eligible to be certified Bronze or
Silver, but ALL IdPs in the InCommon Federation will ultimately be
categorized with respect to their trustworthiness. This is an essential
function of any mature federation.

Tom

> ----- Original Message -----
> >
> > > The fact that Google and others have gone to the trouble of
> > > becoming ICAM approved is evidence that 800-63 is gaining traction
> > > as a standard "in the broader marketplace".
> >
> > No, I don't think so. Google is simply acknowledging the fact that
> > IdPs will ultimately be categorized with respect to their
> > trustworthiness. Jumping on the ICAM bandwagon is perhaps the best
> > way to distinguish yourself as an IdP, at least for the moment.
> >
> > Note that Google could not possibly certify as InCommon Bronze since
> > they don't meet the password entropy requirements. However, Google
> > employs risk-based authentication measures that mitigate some of the
> > same threats that password entropy addresses. AFAIK, there's nothing
> > about risk-based authentication in 800-63 but apparently ICAM thinks
> > Google's approach deserves LoA-1.
> >
> > Tom
