
assurance - RE: [Assurance] comments on draft MFA Interop WG documents


RE: [Assurance] comments on draft MFA Interop WG documents


Chronological Thread 
  • From: "Cantor, Scott" <>
  • Subject: RE: [Assurance] comments on draft MFA Interop WG documents
  • Date: Tue, 10 May 2016 16:17:00 +0000

> >Can I ask why? What's the difference between self-asserting a category
> >and self-asserting the same data in an assertion?
>
> I think my answer is the same for Base Level, MFA, Silver, or Bronze. Our
> trust fabric is based on contractual agreements between InCommon LLC and
> its participants, and that trust is operationalized via the federation
> metadata. Knowing that an institutional representative made a declaration
> to InCommon (either via an Assurance Addendum or via a checkbox on the
> Federation Manager), subject to the Participation Agreement, gives me
> greater trust in the organization's compliance with an InCommon standard
> than I get from IdP-SP bidirectional communication alone.

For the record, my counter-argument is that the IdP is generally under
the control of the same individual who would have to check that box, and who
already vouched for the key with which the assertion is signed, and so it
creates an extra step for that person. Multiplied across the federation, I
think that's a real cost.

-- Scott
