
assurance - Re: [Assurance] silver, 2-factor, password requirements

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] silver, 2-factor, password requirements
  • Date: Fri, 30 Nov 2012 18:40:48 +0000
  • Accept-language: en-US

On 11/30/12 1:10 PM, "Jones, Mark B"
<>
wrote:

>If the RP cares that authenticated users are "the appropriate people"
>then I think that identity proofing matters.

I misspoke. The RP doesn't care that they are appropriate, the owner of the
resources does (and that's not the RP). Therefore it isn't something the
RP cares about capturing or qualifying.

>The fact that the RP does not care who the authenticated user is "in the
>real world" is not relevant.

Yes, it is.

>An LoA 4 authentication can be anonymous and still carry a high assurance
>that the 'appropriate person' is on the other end of the transaction.

Yes, but if the RP doesn't care that that is in fact the case, it's not a
matter for the RP to worry about, and therefore need not be a requirement
of the assurance profile in place.

To be concrete in the case of the federation manager, the resources in the
system are essentially "owned" by the executive contact. That contact
designates the identifiers of the accounts that he/she wants to grant
access to. It is a matter for that contact to address what his or her
requirements are around proofing within their own organization.

It is not accurate to say that proofing is delegated so much as none of
the RP's concern. Therefore, the assurance notion that the RP is asking
for does not touch on proofing.

-- Scott




