Assurance

["Jokl, James A. (Jim) (jaj)" <>]

+1

I made it to many of the calls and always had the self-asserted picture in my 
mind as the basic perspective -- that this was about passwords no longer 
being adequate and what is the new baseline authentication.  I still think of 
this stuff as "Standard Assurance" - good for whatever applications you used 
to just use and ID/Password for - but I get Scott's point too about the name.

Note that this work took a nice low bar on the technical side - almost 
anything that you can call a second factor is acceptable -- and there is no 
discussion about identity proofing.    All good for self-asserted, perhaps 
less so if people were thinking differently.

Jim

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Cantor, Scott
Sent: Wednesday, May 4, 2016 9:48 AM
To: 

Subject: RE: [Assurance] comments on draft MFA Interop WG documents

> I hope we don't need to require an addendum for MFA...
> 
> I think the intent was for self-assertion.

I won't speak for the WG, but while working on the material, I had been 
operating under the assumption this was not an assurance category at all but 
a self-asserted AuthnContextClassRef (in SAML terms), just like many others 
defined in SAML already. Thus the idea of a self-asserted category to go with 
a self-asserted AuthnContext seemed redundant (but that may prove not to be 
the case for other reasons).

I didn't actually notice the naming convention in the URI included the word 
assurance, and tend to think that may be confusing as a result and worth 
reconsidering before this finalizes. Sometimes the obvious doesn't hit you 
when you're staring at it closely.

-- Scott