assurance - RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
Subject: Assurance
List archive
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
- Date: Fri, 10 Aug 2012 13:29:48 -0500
- Accept-language: en-US
- Acceptlanguage: en-US
This all seems like an exercise in semantics to me. Google and InCommon have
been approved by ICAM. ICAM uses 800-63 as one standard that is used to
measure compliance. This suggests that ICAM is of the opinion that Google
and InCommon are substantially compliant with 800-63 or they would not be
approved.
I have yet to notice or be presented with a significant difference between
the IAP and 800-63 yet there is enthusiastic effort to maintain that they are
not the same. I feel like I am trying to argue that my car is maroon while
everyone else insists that it is dark red. Why is there such resistance to
being associated with 800-63?
-----Original Message-----
From:
[mailto:]
On Behalf Of Cantor, Scott
Sent: Friday, August 10, 2012 12:17 PM
To:
Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing
Approaches
On 8/10/12 1:12 PM, "Jones, Mark B"
<>
wrote:
>Google has positioned itself as a provider of externally-issued
>credentials that federal agencies are now required by OMB to accept for
>LoA 1 web sites
>(http://www.cio.gov/documents/OMBReqforAcceptingExternally_IssuedIdCred
>10- 6-2011.pdf). Google is already an authentication option on many
>sites such as the National Center for Biotechnology Information
>(http://www.ncbi.nlm.nih.gov/sites/myncbi/). To me Google's motives
>appear to be more than a play for good will. They are not looking for
>the appearance of trustworthiness. ICAM has certified them trustworthy
>at LoA1
>(http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP).
None of which has anything to do with 800-63 other than comparability.
Google does not follow its practices and is not claiming to. All they did was
argue that what they do meets the equivalence test for risk at LOA 1 (and
they will eventually do so for LOA 2 I imagine).
That's what Bronze and Silver are, except that they were descended more
directly from 800-63.
-- Scott
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, (continued)
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Tom Scavo, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Ann West, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Tom Scavo, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, William G. Thompson, Jr., 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Cantor, Scott, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, William G. Thompson, Jr., 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Cantor, Scott, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Ian Young, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Tom Scavo, 08/10/2012
- RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Jones, Mark B, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Cantor, Scott, 08/10/2012
- RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Jones, Mark B, 08/10/2012
- Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Cantor, Scott, 08/10/2012
- RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches, Jones, Mark B, 08/10/2012
Archive powered by MHonArc 2.6.16.