assurance - RE: [Assurance] silver, 2-factor, password requirements
- From: "Jones, Mark B"
- Subject: RE: [Assurance] silver, 2-factor, password requirements
- Date: Wed, 28 Nov 2012 22:16:05 -0600
I don't think that the LoA of an authentication credential implies anything
beyond the credential provider's confidence that the owner of the credential
is the entity that is controlling and presenting the credential. The
reliability of attributes is utterly separate. Just because a credential
provider knows who they have credentialed does not mean that they are
obligated to release the identity data collected when registering the user.
Regarding credential binding, yes, that is what concerns me. If section
4.2.2 is not to do with binding the physical person to the credential then
which section covers that?
I'm not sure what you mean by "legal identity". To me the question of what
LoA is required is answered by evaluating the risk to your application as
described in OMB M-04-04. For example, what are the consequences of someone
impersonating a valid user, or of a valid user claiming that their credential
was not under their control in order to avoid accountability? If you don't
care about the ability to hold the user accountable, isn't Bronze sufficient?
If you do care, relaxing identity proofing seems counterproductive.
-----Original Message-----
From: On Behalf Of Tom Scavo
Sent: Wednesday, November 28, 2012 2:48 PM
Subject: Re: [Assurance] silver, 2-factor, password requirements
> I don't think the LoA of an authentication credential has anything to
> do with what attributes are released to the RP.
I didn't say that. I implied that the strength of an attribute, such as
"person name," is directly related to the LoA of a transaction, which is
certainly true. This is why some have claimed that separate attribute
profiles are redundant in the face of identity assurance.
> Even if the
> authentication was three factor, without strong identity proofing when
> the credential is issued how is the presenter of such a credential to
> be held accountable for actions performed with that credential?
I wonder if you're thinking of credential binding here? I agree that strong
credential binding is important but that's not what I mean by identity
proofing. I'm referring to section 4.2.2 in the Bronze/Silver profile. My app
doesn't care about the legal identity of the user. I claim that most SaaS
apps don't care about this either.
> It seems to me that the amount of identity proofing done has a greater
> impact on the LoA of a credential than the authentication mechanism.
When the legal identity is in question, yes, but there are many situations
where that is not required.
> I guess I'm questioning why a profile "at the top of the pyramid"
> would have less identity proofing.
Well, I don't quite know what to tell you. When the profile is done, I will
make it public so that you can poke holes in it. In any case, I'm quite sure
I don't need section 4.2.2 at all.
Tom