[Wg-idassurance] Achievable Assurance for ICAM Schemes
John, Anil
Anil.John at jhuapl.edu
Thu Oct 1 10:12:15 PDT 2009
The issue that arises, especially in the government arena, is that the notion of compensating controls as a mechanism that can bump up the LOA level of a credential is often a hard thing to convey, especially to folks who deal with certification and accreditation.
Regards,
- Anil
:-
:- Anil John (JHU/APL)
:- Currently mobile. Expect brevity.
:-
________________________________
From: wg-idassurance-bounces at kantarainitiative.org <wg-idassurance-bounces at kantarainitiative.org>
To: Brett McDowell <email at brettmcdowell.com>
Cc: wg-idassurance at kantarainitiative.org <wg-idassurance at kantarainitiative.org>
Sent: Thu Oct 01 13:05:58 2009
Subject: Re: [Wg-idassurance] Achievable Assurance for ICAM Schemes
yes I dropped the LOA4 row thinking of ICAM as the target.
Adding a LOA4 row might motivate adding other protocol/profile combinations, e.g. the SAML HoK profile which (arguably) can meet 4 (as the SSTC argued to NIST)
paul
p.s. I heard John arguing this point (i.e. some combinations of authn mech & protocol make sense from a LOA PoV, some don't) at lunch yesterday at the NIST/OASIS ID Trust workshop. At least I think that was what he was arguing, his mouth was full and he was mumbling :-)
Brett McDowell wrote:
Agreed, good point. So, are both worthy to work on?
BTW, what happened to AL=4 in the first matrix? Is it dropped because
the ICAM program doesn't cover AL=4? But since IAF does, perhaps IAWG
should add it back in for the sake of completeness. Even if ICAM
wouldn't publish AL=4, the whole picture might be useful for KI to
publish.
Brett McDowell | http://info.brettmcdowell.com | http://kantarainitiative.org
On Thu, Oct 1, 2009 at 12:32 PM, John Bradley <jbradley at mac.com> wrote:
Agreed the two are different matrix.
John B.
On 2009-10-01, at 12:31 PM, Paul Madsen wrote:
I believe that's a different matrix
Once you know that a particular authn mechn tops out at LOA2 (for instance),
then you can determine which are the relevant federated protocols to pair
with
Brett McDowell wrote:
Interesting matrix Paul. I'm wondering if some AuthN mechanisms wouldn't
make sense to add to such a matrix, e.g Arcot, OATH, SmartCard, etc.
Frank, isn't this an area of interest that you've noted for future IAWG
work?
Brett McDowell | http://info.brettmcdowell.com |
http://kantarainitiative.org
On Thu, Oct 1, 2009 at 12:21 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
With the recent ICAM OpenID & IMI profiles, as well as the SAML eGov
profile, (and plans for other schemes), it would seem useful if the 'Open
Identity Solutions for Open Government' site [1] listed the achievable LOA
for the different schemes.
eg.
Achievable Assurance for Schemes

LOA   OpenID   SAML   IMI
1     y        y      y
2     n        y      y
3     n        y      y

(where the protocol names above are short-hand for the relevant profiles)
We already have similar tables for all the other aspects that impact
assurance, e.g authn mechanisms etc
[1] - http://bit.ly/1w0gYM
Paul
--
Paul Madsen
e:paulmadsen @ ntt-at.com
m:613-282-8647
web:connectid.blogspot.com
_______________________________________________
Wg-idassurance mailing list
Wg-idassurance at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-idassurance_kantarainitiative.org