Assurance

[Tom Scavo <>]

> The risk assessment concludes that the "Federation Manager is a
> moderate-impact system" and it references the "Potential Impact
> Categories for Authentication Errors" table from OMB M-04-04, but
> does not say which LoA was identified.  It looks to me that
> "moderate-impact" could land it in LoA 2 or LoA 3 depending on which
> risk categories earned the system as a whole the moderate-impact
> designation.  Did a "required LoA" result from this risk assessment?

Thanks for reading through this, Mark. There are probably as many 
interpretations of the risk assessment as there are readers. That said, focus 
for a moment on the first row in the table where the impact level is "equal 
to the impact level of the IdP's highest assurance profile." In other words, 
the entire trust fabric of the Federation depends on the integrity of the IdP 
signing certificates in metadata. Doesn't matter how much effort participants 
put into their IdP deployments, if a bad guy can impersonate one of your site 
admins, it's game over.

I conclude from that simple analysis that we not only need two-factor 
authentication but we also need other compensating controls as well, at least 
for high-risk elements in metadata (such as IdP certificates and endpoints).

Tom