Assurance

["Cantor, Scott" <>]

On 8/10/12 1:12 PM, "Jones, Mark B" 
<>
 wrote:

>Google has positioned itself as a provider of externally-issued
>credentials that federal agencies are now required by OMB to accept for
>LoA 1 web sites 
>(http://www.cio.gov/documents/OMBReqforAcceptingExternally_IssuedIdCred10-
>6-2011.pdf).  Google is already an authentication option on many sites
>such as the National Center for Biotechnology Information
>(http://www.ncbi.nlm.nih.gov/sites/myncbi/).  To me Google's motives
>appear to be more than a play for good will.  They are not looking for
>the appearance of trustworthiness.  ICAM has certified them trustworthy
>at LoA1 
>(http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP).

None of which has anything to do with 800-63 other than comparability.
Google does not follow its practices and is not claiming to. All they did
was argue that what they do meets the equivalence test for risk at LOA 1
(and they will eventually do so for LOA 2 I imagine).

That's what Bronze and Silver are, except that they were descended more
directly from 800-63.

-- Scott