assurance - RE: [Assurance] Bronze password reset
Subject: Assurance
List archive
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: [Assurance] Bronze password reset
- Date: Tue, 13 Jan 2015 17:59:40 +0000
- Accept-language: en-US
Sorry, dropped off the thread for a vacation day!
>But none of that is codified in Bronze. I guess the real underlying
>question is whether it's enough to just say "reasonable care". I
>suspect that's in keeping with the idea of an unaudited assurance level.
As is frequently the case, Scott is able to sum up in a few short sentences
what takes me several paragraphs. :)
My sense is that we all presume that IdPs are all using some form of
"reasonable care", regardless of the assertion of a bronze IAQ. Otherwise I
don't see how we'd do federation at all.
However, the "reasonable care" statement is in section 3, not the "criteria"
section of the IAP. As I read it that means that compliance does not need to
measure "reasonable care" specifically. This is why I'm uncomfortable with
David and Nick's interpretation that "anything that protects PII at risk is
okay"; if they are correct, then I still don't see that "reasonable care"
language applies in any meaningful way. I don't think you can argue both "you
can do anything" (because of the layout of the literal requirements language
in 4.2.2) and "you are required to use 'reasonable care'" (because of some
general background statements in 3.1). If the intent is to use "reasonable
care" as the actual standard, then I think the Bronze IAP should be updated
so the criteria state that specifically.
My suggestion that alternative means could be used was to both allow
codification of what's actually being done (the way the IAP tries to) and to
allow application of the "reasonable care" standard against those things
being done (since an alternative means would be evaluated in the context of
the IAP as a whole, not just the individual criteria). [Before hitting send,
I saw David's email suggesting maybe we should collect these methods
independent of whether the IAP requires them as formal alternative means, so
this is probably a +1 to that suggestion].
I'd love to hear what the authors of the IAP actually intended here [beyond
David, I guess :) ], though I recognize that "original intent" may not
actually carry much weight anymore.
Thanks everyone, the input - even while not all in agreement - is helpful!
--- Eric
- Re: [Assurance] Bronze password reset, (continued)
- Re: [Assurance] Bronze password reset, Eric Goodman, 01/09/2015
- RE: [Assurance] Bronze password reset, Michael W. Brogan, 01/10/2015
- RE: [Assurance] Bronze password reset, Capehart,Jeffrey D, 01/12/2015
- RE: [Assurance] Bronze password reset, Cantor, Scott, 01/12/2015
- Re: [Assurance] Bronze password reset, David Walker, 01/12/2015
- RE: [Assurance] Bronze password reset, Jones, Mark B, 01/12/2015
- RE: [Assurance] Bronze password reset, Cantor, Scott, 01/12/2015
- Re: [Assurance] Bronze password reset, David Walker, 01/12/2015
- RE: [Assurance] Bronze password reset, Jones, Mark B, 01/13/2015
- Re: [Assurance] Bronze password reset, David Walker, 01/13/2015
- Re: [Assurance] Bronze password reset, David Walker, 01/12/2015
- RE: [Assurance] Bronze password reset, Cantor, Scott, 01/12/2015
- RE: [Assurance] Bronze password reset, Capehart,Jeffrey D, 01/12/2015
- RE: [Assurance] Bronze password reset, Eric Goodman, 01/13/2015
- RE: [Assurance] Bronze password reset, Michael W. Brogan, 01/10/2015
- Re: [Assurance] Bronze password reset, Eric Goodman, 01/09/2015
Archive powered by MHonArc 2.6.16.