assurance - Re: [Assurance] silver, 2-factor, password requirements

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] silver, 2-factor, password requirements
  • Date: Fri, 30 Nov 2012 21:23:06 +0000
  • Accept-language: en-US

On 11/30/12 4:08 PM, "Jones, Mark B" <> wrote:

>I think it odd to care so much about strong authentication without caring
>about the identity of the user. Why inconvenience the user with 2FA when
>you don't even care who they are?

I can't really seem to explain it to you, but that is not an accurate
characterization of what I said. But you have an absolutist concept of
identity that I can't wrap my mind around either, so we're equally unable
to communicate.

>Since you do not agree with 800-63 are there any other standards to
>consider?

I don't think 800-63 is an assurance standard at all. It's a discussion of
assurance and risk management concepts around authentication that some
people have misconstrued to be a literal assurance standard.

>Are we going to follow a standard or not?
>If we follow a standard, will that be 800-63 or something else?

It certainly isn't 800-63 for the above reason. I think Bronze and Silver
are overly derived from things in 800-63 for political reasons and I think
there will be other qualifiers defined that better match application
requirements.

-- Scott




