Assurance

["Jones, Mark B" <>]

I don't think the LoA of an authentication credential has anything to do with 
what attributes are released to the RP.  Even if the authentication was three 
factor, without strong identity proofing when the credential is issued how is 
the presenter of such a credential to be held accountable for actions 
performed with that credential?  It seems to me that the amount of identity 
proofing done has a greater impact on the LoA of a credential than the 
authentication mechanism.

I guess I'm questioning why a profile "at the top of the pyramid" would have 
less identity proofing.  

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Wednesday, November 28, 2012 10:14 AM
To: 

Subject: Re: [Assurance] silver, 2-factor, password requirements



> Are you saying that you consider this custom profile to be stronger 
> authentication than Silver?

No, I'm not suggesting that at all. Its authentication strength is greater 
than Silver (~LoA-3) but the identity proofing requirements are significantly 
less.

The identity proofing requirements are similar to other SaaS applications, 
that is, the SaaS app doesn't care that my real name is "Tom Scavo," it gives 
access to whomever the IdP says (via a provisioning process of some type).

> What NIST level would it map to?

None that I'm aware of.

Tom