Assurance

["Cantor, Scott" <>]

On 11/30/12 3:18 PM, "Jones, Mark B" 
<>
 wrote:

>Ok... so if InCommon bears no risk why bother with a risk assessment?
>And how did the result come out to be 'moderate'?

There's legal risk and there's reputational risk.


I believe the assessment was done with respect to the question of whether
to strengthen the authentication process for the directly issued accounts,
but with an eye on how it would impact the plan for doing delegated access
by federated accounts, but Tom is better able to answer that.

>If there are two sets of accounts, which set have we been talking about?

I think the directly issued ones primarily.

>I agree that passwords are hopeless.  But if you don't care who is
>authenticating then why care if they are using passwords?

Because I might care that the ability to authenticate as a given
*identifier* is suitably protected. The binding back to a physical person
might be irrelevant *to the RP*. It is very relevant to the organization
that provisioned the identifier, but the RP needs no explicit statement to
that effect that such a binding was done in any particular way.

To be honest, I think it's 800-63's desire to tie these concepts together
that is flawed. You may find it inutitive and obvious, but I find it very
clumsy and ineffective.

-- Scott