assurance - Re: [Assurance] silver, 2-factor, password requirements

  • From: Dennis Skovsted <>
  • To:
  • Subject: Re: [Assurance] silver, 2-factor, password requirements
  • Date: Fri, 30 Nov 2012 11:06:23 -0600

I have been listening to the discussion and I am wondering if the challenge being encountered is related to the fact that leadership has not yet provided a clear enough definition of the goals for Silver related to identity proofing and identity authentication in the context of a 4-level federation model (i.e., Bronze to Platinum).

It sounds to me like the question for leadership may be: if one is using a two-factor solution and one has very good controls for the token factor and marginal controls for the password factor, is that acceptable for Silver? Or, another way of stating the question, does one only need good control of both factors when one gets to Gold or Platinum?

Dennis Skovsted 
On Wed, Nov 28, 2012 at 10:16 PM, Jones, Mark B <> wrote:
I don't think that the LoA of an authentication credential implies anything beyond the credential provider's confidence that the owner of the credential is the entity that is controlling and presenting the credential.  The reliability of attributes is utterly separate.  Just because a credential provider knows who they have credentialed does not mean that they are obligated to release the identity data collected when registering the user.

Regarding credential binding, yes, that is what concerns me.  If section 4.2.2 is not to do with binding the physical person to the credential then which section covers that?

I'm not sure what you mean by "legal identity".  To me the question of what LoA is required is answered by evaluating the risk to your application as described in OMB M-04-04.  For example, what are the consequences of someone impersonating a valid user, or of a valid user claiming that their credential was not under their control to avoid accountability?  If you don't care about the ability to hold the user accountable, isn't Bronze sufficient?  If you do care, relaxing identity proofing seems counterproductive.


-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Wednesday, November 28, 2012 2:48 PM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements
> I don't think the LoA of an authentication credential has anything to
> do with what attributes are released to the RP.

I didn't say that. I implied that the strength of an attribute, such as "person name," is directly related to the LoA of a transaction, which is certainly true. This is why some have claimed that separate attribute profiles are redundant in the face of identity assurance.

> Even if the
> authentication was three factor, without strong identity proofing when
> the credential is issued how is the presenter of such a credential to
> be held accountable for actions performed with that credential?

I wonder if you're thinking of credential binding here? I agree that strong credential binding is important but that's not what I mean by identity proofing. I'm referring to section 4.2.2 in the Bronze/Silver profile. My app doesn't care about the legal identity of the user. I claim that most SaaS apps don't care about this either.

> It seems to me that the amount of identity proofing done has a greater
> impact on the LoA of a credential than the authentication mechanism.

When the legal identity is in question, yes, but there are many situations where that is not required.

> I guess I'm questioning why a profile "at the top of the pyramid"
> would have less identity proofing.

Well, I don't quite know what to tell you. When the profile is done, I will make it public so that you can poke holes in it. In any case, I'm quite sure I don't need section 4.2.2 at all.

Tom