MFA Interop Working Group

[Eric Goodman <>]

This is context from my point of view on why they didn’t see the need. It shouldn’t affect anyone’s thinking on what should be done, more background as I recall it on how the decisions got made.

 

 

I think part of the reason for the MFA-only response is that the REFEDS Assurance Framework[1] defined different authentication levels than we did. Our MFA Profile was *mostly* in line with the MFA requirement that was already in their framework, but our “basic” profile didn’t map to anything they had. REFEDS largely considered the MFA profile in the context of a that assurance profile, and so defining an “unboundedly bad authentication event” was less compelling than defining profiles that mapped to their actual levels (“good-entropy” is their lowest level value).

 

Perhaps also relevant: when the MFA Profile discussion went forward, the REFEDS framework had planned to communicate authentication event information via attributes; e.g., “eduPersonAssurance=REFEDS_IAP/authn/mfa” to say that MFA was done (rather than AuthnContext). So much of their discussion was around how to communicate authentication information at all, and wasn’t MFA/basic specific.

 

They don’t seem specifically opposed to seeing additional profiles defined long term[2], but given the context in which much of the discussion took place they aren’t convinced of the need for “Basic”.

 

--- Eric

 

[1] https://docs.google.com/document/d/15v65wJvRwTSQKViep_gGuEvxLl3UJbaOX5o9eLtsyBI/edit

[2] if Nick is up early enough to join their calls, he probably knows more about their thinking on this than I do

 

 

From: [] On Behalf Of Nick Roy
Sent: Tuesday, February 28, 2017 2:41 PM
To:
Subject: Re: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

 

I don't think people in the REFEDS assurance group grokked what it was there for, and when it was discussed, they felt it wasn't needed.  It's been a long time, I don't recall the specifics.  I'm guessing Nicole remembers.

Nick

On 2/28/17 3:39 PM, David Walker wrote:

Yeah, I wondered about that.  How do the rest of you feel about that?

Nick, do you have any insight as to why it was left out?

David

 

On 02/28/2017 01:39 PM, Nick Roy wrote:

If you feel that the omission of the default context is problematic, please do speak up on this consultation.

Thanks,

Nick

On 2/28/17 2:31 PM, Eric Goodman wrote:

For those of you not separately following on the various REFEDS lists.

 

This is REFEDS (modified) version of our proposed MFA Profile.

 

--- Eric

 

From: []
Sent: Tuesday, February 28, 2017 2:26 AM
To: ;
Subject: [refeds] Consultation: REFEDS MFA Profile

 

Dear All

A consultation on the proposed REFEDS Multi-factor Authentication Profile has opened today.  Full details of the consultation and the text to be reviewed are available at: https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+MFA+Profile. 

The consultation will close at 17:00 CEST on 27th March 2017.  All comments and discussions on the proposal should be made to the list: .   Comments may be made to the list, added to the change log on the wiki or sent directly to Nicole: .  Comments submitted through other channels will not be considered as part of the consultation. 

As usual, if you have any comments or queries please do let me know.  With many thanks the InCommon, the GÉANT Project and the REFEDS assurance working group for their efforts on this profile to date. 

Best wishes

Nicole

--

Nicole Harris

PROJECT Development Officer

GÉANT - Amsterdam office

T: +31 (0) 20 530 4488

M: +31 (0) 646 105396

Skype: harrisnv

PGP key Fingerprint: FD61 E288 14C7 432E 7AF5 D3B1 FB5B 8024 1BFD 94BB

 

Networks • Services • People

Learn more at www.geant.org

 

GÉANT is the collective trading name of the GÉANT Association in Amsterdam, NL, and of GEANT Limited in Cambridge, UK.

 

The GÉANT Association is a non-profit organisation registered under Dutch law through the Chamber of Commerce in Amsterdam, registration number 40535155.