
assurance - RE: [Assurance] silver, 2-factor, password requirements

Subject: Assurance

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver, 2-factor, password requirements
  • Date: Fri, 30 Nov 2012 12:10:18 -0600
  • Accept-language: en-US

If the RP cares that authenticated users are "the appropriate people" then I
think that identity proofing matters.
Identity proofing during registration and credential issuance to establish
the LoA of the authentication credential has nothing to do with any attribute
that might or might not be released to an RP. The fact that the RP does not
care who the authenticated user is "in the real world" is not relevant. An
LoA 4 authentication can be anonymous and still carry a high assurance that
the 'appropriate person' is on the other end of the transaction. On the
other hand, if you hand out cryptographic hard tokens to anyone that asks for
them with no identity proofing you have very strong authentication but no
idea who is controlling the credential.



-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott
Sent: Friday, November 30, 2012 10:23 AM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements

On 11/30/12 11:11 AM, "Jones, Mark B" <> wrote:

>Tom,
>Are you contradicting Tom and saying that identity proofing is in fact
>required?

No, he's saying that isn't a property of the information being communicated
to the RP. All the RP cares about is that "the people who can log in with an
assertion containing the identifiers A, B, or C are the appropriate people."
It cares nothing about who those people are in the real world.

It is a decision of the asserting party how and whether to associate those
accounts with specific people and how it would go chase them down if they did
something bad. All the liability is with the IdP.

This is a common model whenever the resources involved at the RP are really
not owned by the RP, but are owned by the IdP. That's what Tom referred to as
SaaS.

-- Scott




