
assurance - Re: [Assurance] silver, 2-factor, password requirements

  • From: Tom Scavo <>
  • Subject: Re: [Assurance] silver, 2-factor, password requirements
  • Date: Wed, 28 Nov 2012 15:48:00 -0500 (EST)



> I don't think the LoA of an authentication credential has anything to
> do with what attributes are released to the RP.

I didn't say that. I implied that the strength of an attribute, such as
"person name," is directly related to the LoA of a transaction, which is
certainly true. This is why some have claimed that separate attribute
profiles are redundant in the face of identity assurance.

> Even if the
> authentication was three factor, without strong identity proofing
> when the credential is issued how is the presenter of such a
> credential to be held accountable for actions performed with that
> credential?

I wonder if you're thinking of credential binding here? I agree that strong
credential binding is important but that's not what I mean by identity
proofing. I'm referring to section 4.2.2 in the Bronze/Silver profile. My app
doesn't care about the legal identity of the user. I claim that most SaaS
apps don't care about this either.

> It seems to me that the amount of identity proofing
> done has a greater impact on the LoA of a credential than the
> authentication mechanism.

When the legal identity is in question, yes, but there are many situations
where that is not required.

> I guess I'm questioning why a profile "at the top of the pyramid"
> would have less identity proofing.

Well, I don't quite know what to tell you. When the profile is done, I will
make it public so that you can poke holes in it. In any case, I'm quite sure
I don't need section 4.2.2 at all.

Tom


