<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
John, I wouldn't characterize what you are describing (i.e. an OP being
able to issue both LOA1 &amp; LOA2 assertions) as 'step-down'.<br>
<br>
A 'step-up' scenario from LOA1 to LOA2 would be<br>
<br>
proofing2+authn1 -------- (when requested by an RP) --------&gt; proofing2+authn2<br>
<br>
As you can't (easily) proof in real time, the only variable for the
stepping up is the authentication mechanism.<br>
<br>
But what you are describing is the OP just being able to issue either
LOA1 or LOA2 as appropriate, given that the proofing supports both.<br>
<br>
Paul<br>
<br>
John Bradley wrote:
<blockquote cite="mid:81519F64-3882-4C00-BA63-3CD71D559B2A@ve7jtb.com"
type="cite">
<pre wrap="">OMB M-04-04 doesn't require non correlatable identifiers.
All LoA 1 identifiers are by definition pseudonymous because they are not identity proofed.
ICAM requires non-coralatable identifiers for privacy reasons that are outside of OMB-04-04 and SP-800-63.
A IMI info card can contain claims for LoA 1,2 and 3.
A openID can only be LoA 1 because it dosn't meet the requirements of LoA 2.
Once openID is suitable for LoA 2 and a IdP/OP is certified by a ICAM Trust framework provider, that IDP can step down a LoA 2 proofed account to make a LoA 1 assertion about it.
IdP can step down but not up.
John B.
On 2009-12-14, at 7:08 PM, RL 'Bob' Morgan wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">The LoA1 in OMB M-04-04 is somewhat unique to other levels because it
requires Pseudonyms(PPIDs) and no personal identified information. Those
policies are defined separately from the LoA1 policy and used by IDPs to
generate response messages.
</pre>
</blockquote>
<pre wrap="">I am not sure what you mean by this. OMB 04-04 says that what it calls
"anonymous credentials" *may* be used with LoAs 1 and 2. The ICAM OpenID
profile says that PPIDs must be used, but also permits other personal
information to be requested by the RP and provided by the OP.
</pre>
<blockquote type="cite">
<pre wrap="">If IDPs provide support more than one levels, stipulating a desired LoA
makes sense but I haven't seen IDPs supporting multi-levels. RPs may be
responsible to manage WLs for each levels to find IDPs to provide
services they need.
</pre>
</blockquote>
<pre wrap="">We're expecting that the typical US higher-education IdP will support
multiple LoAs. It doesn't make sense to segregate populations into
separate IdPs by LoA. We're also expecting that RPs requiring LoA will
ask for the LoA they need, rather than having to configure IdPs to know
which RPs require what.
- RL "Bob"
_______________________________________________
DG-Concordia mailing list
<a class="moz-txt-link-abbreviated" href="mailto:DG-Concordia@kantarainitiative.org">DG-Concordia@kantarainitiative.org</a>
<a class="moz-txt-link-freetext" href="http://kantarainitiative.org/mailman/listinfo/dg-concordia">http://kantarainitiative.org/mailman/listinfo/dg-concordia</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
DG-Concordia mailing list
<a class="moz-txt-link-abbreviated" href="mailto:DG-Concordia@kantarainitiative.org">DG-Concordia@kantarainitiative.org</a>
<a class="moz-txt-link-freetext" href="http://kantarainitiative.org/mailman/listinfo/dg-concordia">http://kantarainitiative.org/mailman/listinfo/dg-concordia</a>
</pre>
</blockquote>
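<p>The step-up versus step-down distinction argued above, as an added example that is not code from any of the posters, ICAM or OMB: it assumes, following the SP 800-63 model the thread refers to, that the LoA an OP may assert is bounded by both the enrolment proofing level and the authenticator used in the current session, so only the authentication component can be raised in real time.</p>

```python
"""Toy model of an OP deciding which LoA it can assert for an RP request.

Assumption (not stated verbatim in the thread): assertable LoA is
min(proofing LoA, authentication LoA) for the current session.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    proofing: int  # LoA of identity proofing performed at enrolment
    authn: int     # LoA of the authenticator used in this session


def assertable_loa(s: Session) -> int:
    """Highest LoA the OP may assert right now for this session."""
    return min(s.proofing, s.authn)


def decide(s: Session, requested: int) -> Tuple[str, Optional[int]]:
    """Decide how to satisfy an RP's requested LoA.

    'assert'  : OP can issue the requested LoA now; issuing a level below
                what the account is proofed for is what John calls a
                step-down and Paul calls simply issuing the lower level.
    'step-up' : proofing is sufficient but this session's authenticator
                is not; re-authenticate at the requested level (Paul's
                proofing2+authn1 -> proofing2+authn2 case).
    'refuse'  : proofing is below the requested level; proofing cannot be
                redone in real time, so the OP cannot step up.
    """
    if not 1 <= requested <= 4:
        raise ValueError("LoA must be in 1..4")
    if requested > s.proofing:
        return ("refuse", None)
    if requested > s.authn:
        return ("step-up", None)
    return ("assert", requested)


def step_up(s: Session, new_authn: int) -> Session:
    """Re-authentication changes only the authn component; proofing is fixed."""
    if new_authn < s.authn:
        raise ValueError("step-up must raise the authentication LoA")
    return Session(proofing=s.proofing, authn=new_authn)
```

<p>Running the RP's LoA2 request against a LoA2-proofed account authenticated at LoA1 yields <code>step-up</code>; the same request against a LoA1-proofed account yields <code>refuse</code>, which is the asymmetry both John and Paul describe.</p>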
</body>
</html>