assurance - RE: [Assurance] silver, 2-factor, password requirements
- From: "Jones, Mark B" <>
- Subject: RE: [Assurance] silver, 2-factor, password requirements
- Date: Fri, 30 Nov 2012 13:29:44 -0600
So is your argument that the data managed in Federation Manager is not owned
by InCommon and thus InCommon bears none of the risk? And because of this,
are you saying that the member organizations can analyze their own risk in
isolation and decide for themselves what procedure to use to issue
credentials to their administrators and thus what LoA that credential meets?
Doesn't this mean that the Federation Manager shouldn't care how
administrators authenticate?
If InCommon doesn't care who is authenticating that sounds like Bronze to me.
I don't think you can separate Identity Proofing from Assurance. You can say
that there is no identity proofing but that must lower the assurance
accordingly.
-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott
Sent: Friday, November 30, 2012 12:41 PM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements
On 11/30/12 1:10 PM, "Jones, Mark B" <> wrote:
>If the RP cares that authenticated users are "the appropriate people"
>then I think that identity proofing matters.
I misspoke. The RP doesn't care that they are appropriate, the owner of the
resources does (and that's not the RP). Therefore it isn't something the RP
cares about capturing or qualifying.
>The fact that the RP does not care who the authenticated user is "in
>the real world" is not relevant.
Yes, it is.
>An LoA 4 authentication can be anonymous and still carry a high
>assurance that the 'appropriate person' is on the other end of the
>transaction.
Yes, but if the RP doesn't care that that is in fact the case, it's not a
matter for the RP to worry about, and therefore need not be a requirement of
the assurance profile in place.
To be concrete in the case of the federation manager, the resources in the
system are essentially "owned" by the executive contact. That contact
designates the identifiers of the accounts that he/she wants to grant access
to. It is a matter for that contact to address what his or her requirements
are around proofing within their own organization.
It is not accurate to say that proofing is delegated so much as none of the
RP's concern. Therefore, the assurance notion that the RP is asking for does
not touch on proofing.
-- Scott