assurance - RE: [Assurance] NIST vs. TFS vs. Silver

Subject: Assurance


RE: [Assurance] NIST vs. TFS vs. Silver


  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [Assurance] NIST vs. TFS vs. Silver
  • Date: Sat, 15 Mar 2014 00:19:25 +0000
  • Accept-language: en-US

> What exactly do you mean by “full-on LoA support”?

I mean, at least for internal purposes that don't involve federating (or don't involve federating outside of the UC system).

> As far as formalized best practices, it is my opinion that what you are looking for is Bronze or anything else based on the 800-63 LoA 1 specifications. I’m not aware of any formal standard that would be an alternative to 800-63.

I agree in principle. I was largely looking for the info Ann provided around what happens when the "things based on 800-63", "things 800-63 is based on" and 800-63 itself are out of sync.

Simple example: For resistance to online guessing, InCommon still uses criteria around the "odds of guessing the password" (the old 800-63 "chance of guessing is 2^-10/-14" language) whereas NIST and FICAM now use "minimum password entropy plus guess limiting" as standards for measuring resistance to online guessing attacks. There are other inconsistencies among the three documents (the third being the FICAM TPF doc I initially cited).

The differences are not huge, but where they are different, just wondering how much weight to give each version for planning purposes. I'm clear that for today's compliance, the actual requirement is the current InCommon IAP.

--- Eric
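The two framings Eric contrasts above (an "odds of guessing" ceiling versus "minimum entropy plus guess limiting") are connected by a simple bound, and the following calculator, added here as an illustration rather than as part of the mail thread or of any InCommon, NIST or FICAM document, makes that connection concrete. The only figures taken from the message are the 2^-10 and 2^-14 probability ceilings; the throttling policy (100 failed attempts per 30-day window) and the 365-day password lifetime are constructed sample values, and the function names are my own.

```python
from math import log2

# Probability ceilings quoted in the thread for the old 800-63 wording:
# an attacker's chance of guessing the password over its lifetime must be
# at most 2^-10 at LoA 1 and at most 2^-14 at LoA 2.
GUESS_PROB_LIMITS = {1: 2 ** -10, 2: 2 ** -14}


def lifetime_guess_budget(attempts_per_window: int, window_days: int,
                          password_lifetime_days: int) -> int:
    """Total online guesses a throttling policy allows over a password's life.

    A guess-limiting rule such as 'N failed attempts per W days' caps the
    attacker at N guesses in every window; the number of windows is rounded
    up because a partial window still grants a full allowance.
    """
    if attempts_per_window < 0 or window_days <= 0 or password_lifetime_days <= 0:
        raise ValueError("policy values must be positive")
    windows = -(-password_lifetime_days // window_days)  # ceiling division
    return attempts_per_window * windows


def guess_success_bound(entropy_bits: float, guesses: int) -> float:
    """Upper bound on online-guessing success given min-entropy and a guess budget.

    With at least `entropy_bits` of min-entropy no single guess succeeds with
    probability above 2^-entropy, so `guesses` attempts succeed with probability
    at most guesses / 2^entropy (capped at 1).  This is the bridge between the
    'entropy plus guess limiting' wording and the older 'odds of guessing' one.
    """
    if entropy_bits < 0 or guesses < 0:
        raise ValueError("entropy and guesses must be non-negative")
    return min(1.0, guesses / (2.0 ** entropy_bits))


def meets_old_loa(entropy_bits: float, guesses: int, loa: int) -> bool:
    """True if the entropy/guess-limit pair satisfies the old probability ceiling."""
    return guess_success_bound(entropy_bits, guesses) <= GUESS_PROB_LIMITS[loa]


def min_entropy_for_loa(guesses: int, loa: int) -> float:
    """Smallest min-entropy (bits) at which `guesses` attempts stay under the ceiling.

    Derived from guesses / 2^E <= limit  <=>  E >= log2(guesses / limit).
    """
    if guesses <= 0:
        raise ValueError("guess budget must be positive")
    return log2(guesses / GUESS_PROB_LIMITS[loa])


if __name__ == "__main__":
    # Constructed sample policy: 100 failed attempts per 30 days, 1-year lifetime.
    budget = lifetime_guess_budget(100, 30, 365)
    print(f"guess budget over password lifetime: {budget}")
    for bits in (14, 20, 24, 25, 30):
        p = guess_success_bound(bits, budget)
        print(f"{bits:2d} bits min-entropy -> P(success) <= {p:.2e} "
              f"LoA1 ok={meets_old_loa(bits, budget, 1)} "
              f"LoA2 ok={meets_old_loa(bits, budget, 2)}")
    for loa in (1, 2):
        print(f"LoA {loa}: need >= {min_entropy_for_loa(budget, loa):.2f} bits "
              f"with a budget of {budget} guesses")
```

The table the script prints shows why the two wordings usually agree in practice but can diverge at the margin: tightening the throttle lowers the required entropy bit for bit, so a policy that is compliant under one document's numbers can land a fraction of a bit short under the other's.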