
assurance - RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

Subject: Assurance

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
  • Date: Fri, 10 Aug 2012 12:12:26 -0500
  • Accept-language: en-US

Google has positioned itself as a provider of externally-issued credentials
that federal agencies are now required by OMB to accept for LoA 1 web sites
(http://www.cio.gov/documents/OMBReqforAcceptingExternally_IssuedIdCred10-6-2011.pdf).
Google is already an authentication option on many sites such as the
National Center for Biotechnology Information
(http://www.ncbi.nlm.nih.gov/sites/myncbi/). To me Google's motives appear
to be more than a play for good will. They are not looking for the
appearance of trustworthiness. ICAM has certified them trustworthy at LoA1
(http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP).




-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Friday, August 10, 2012 7:24 AM
To:
Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches



> The fact that Google and others have gone to the trouble of becoming
> ICAM approved is evidence that 800-63 is gaining traction as a
> standard "in the broader marketplace".

No, I don't think so. Google is simply acknowledging the fact that IdPs will
ultimately be categorized with respect to their trustworthiness. Jumping on
the ICAM bandwagon is perhaps the best way to distinguish yourself as an IdP,
at least for the moment.

Note that Google could not possibly certify as InCommon Bronze since they
don't meet the password entropy requirements. However, Google employs
risk-based authentication measures that mitigate some of the same threats
that password entropy addresses. AFAIK, there's nothing about risk-based
authentication in 800-63 but apparently ICAM thinks Google's approach
deserves LoA-1.

Tom


