P3WG and Levels of Assurance

As you may know, I’ve recently set up the Privacy and Public Policy Work Group (P3WG) for the Kantara Initiative, and as we start mapping out the areas in which the Group wants to exercise an influence, one topic has generated more discussion than anything else on the mailing list. It goes by the rather uninformative name of “LOA”, or Level of Assurance. Even if you’ve never heard of LOAs, they have played a major part in your life online and off.

I’ve blogged before about what I call the “Chain of Trust” – namely, the sequence of events all of which need to be working if a credential is to work properly when you present it. In other words, for instance, if you apply for a passport in the name of Michael Mouse and the passport office doesn’t bother to check whether there’s any evidence that that is your name, the resulting passport won’t be that reliable as an indicator of your identity (even though people may assume that it is). Similarly, driving licences would not be much use as an indicator of which vehicles you’re entitled to drive, if it was possible for you to alter what the licence says… and if you tell someone the PIN of your ATM card, it is no longer effective as a way to ensure that only you can take money out of your account (in fact, the bank is likely to take it as de facto evidence that you must have been responsible for the transaction, even if it wasn’t you who actually used the card and PIN…).

These are just three examples of the many ways in which the Chain of Trust can fail, at the Registration/Verification phase, over the life of the credential, and at the authentication step, respectively. There are many other points at which the Chain can be compromised and the reliability of the credential (or the assertions made using it) undermined.

LOA is about protecting the first of these – the point at which someone decides whether or not to issue a credential which represents you in some way. In other words, if you can present a relying party with not just a credential, but a ‘score’ which indicates how reliably that credential was issued to you, they can judge whether it’s more likely that you are actually Michael Mouse, or that whoever gave you a passport saying so was not doing their job very well.

That, in turn, will give them useful information about what decisions to make next, particularly if they decide that the answer to your authentication question is “yes”.

The UK and US governments both have relatively simple 4-level LOA models (though, inconveniently, one runs from 0-3 and the other from 1-4…). Omitting the ‘index value’ for a moment, the four levels look remarkably similar. In fact, if I adopt a slightly different scale, just to paper over that difference, we might get something like this:

Rare
  UK: no authentication of identity
  US: little or no confidence in the asserted identity

Medium rare
  UK: basic authentication
  US: some confidence in the asserted identity

Medium
  UK: greater level of assurance (e.g. credentials based on proof of identity to a third party)
  US: high confidence in the asserted identity

Well done
  UK: identification beyond reasonable doubt
  US: very high confidence in the asserted identity

So far so good. However, when it comes to putting this simple model into practice, and because we’re talking about assurance here (and therefore judgement), a couple of different approaches emerge.

One is to give a technical specification of the kinds of authentication technology which should or must correspond to an implementation claiming to be at a given LOA level.

Another is to relate the LOA levels to levels of risk, and allow the implementer to work out how they think that risk is best mitigated.

You might think that a third, better solution would be to combine the two… define organisational risks in a way which allows them to be assessed against the four-level model, and then have a technical specification list which says: “if you face this level of risk and you want this level of assurance, you need technology such as ‘x’, implemented with the following governance measures.”

Actually, I have a better idea… if you have opinions on this question (better still, if you have a good answer), come and sign up to the Kantara P3WG and join the discussion. We’d love to hear from you.

1 Comment »

  1. Sorry, I just don’t get Levels of Assurance. I don’t think there can ever be sufficient precision (relating to actual risks) to enable a generic description of LOAs to be much use in practice.

    Ref. http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

    I’m particularly concerned that generic identity proofing is all relative. The new framework specifies a sliding scale:
    AL1 “Minimal criteria – Self assertion”
    AL2 “Moderate criteria – Attestation of Govt ID”
    AL3 “Stringent criteria – stronger attestation and verification of records”
    AL4 “More stringent criteria – stronger attestation and verification”

    Look at one of the examples of AL4: to establish the ability for someone to dispense controlled drugs. It is not enough to merely prove their identity with “More stringent criteria – stronger attestation and verification”. You need to specifically check their medical qualifications.

    So “more stringent” id proofing is not sufficient to authorise someone to prescribe drugs. Moreover, it’s not even a necessary condition! What I mean by that is that until recently, I don’t think medical bodies were consciously applying criteria like “stronger attestation and verification” when they credential doctors. Rather, they applied carefully constructed local criteria and business rules (like university results, licensing requirements, medical board memberships, professional standing etc).

    In fact, I cannot think of any real world case (outside the military and government security circles) where we deal with strangers on the basis of a generic “level” of identity. Rather, we deal with people on a binary basis: are they authorised or not to transact on a certain domain according to a set of rules meaningful on that domain? For instance:
    - Is the person a qualified medical professional?
    - Is the person a qualified medical professional and board certified cardiologist?
    - Is the person not only a board certified cardiologist but are they specifically employed by this hospital?
    - Is the person a certified tax accountant?
    - Is the person employed by ACME Inc.?
    - Is the person specifically a purchasing officer of ACME Inc.?
    - Is the person a student at the University of Sydney?
    - Does the person have an insurance policy at Most Excellent HMO Inc.?

    For each of these examples, there will be a set of established business rules that codify how the person gets credentialed, who recognises the credential, what the credential entitles them to do, and what the risk and liability arrangements are. These characteristics are what constitute the much derided “silos” in IDAM, but experience proves that you cannot modify silos without incurring great indirect costs.
    I have a theory about this: I think the focus on Levels of Assurance is an artefact of orthodox PKI where we spent a great deal of effort on two pursuits: (1) a universal, multi-domain, all-purpose digital certificate that would confer “trust” online, and (2) cross certification, namely an attempt to establish that credentials held by strangers Alice and Bob are equivalent.

    The notion that one person’s LOA is equal to or higher than that of another can be traced to Security Classifications. In government security, it does make sense that Bob with SECRET clearance can send a marked document to Alice because she has TOP SECRET. But in most other business domains, counterparties to a transaction are either qualified or they are not.

    What’s the point of codifying generic Levels of Assurance? I think the main objective has been to enable cross recognition, and I have to say that that effort has been something of a wild goose chase. The US Federal Bridge CA remains problematic and burdensome. In other parts of the world, PKI jurisdictions have tried to avoid Bridge CAs. See http://www.lockstep.com.au/partners/asia_pki_forum/oasis_apkif_trip_report_sep05.pdf. We should heed and abstract from these experiences when trying to design generic identity proofing principles.

    If interoperability is the goal of establishing LOAs then I suggest that we re-visit how interoperability works. Here are two one page papers on the topic. While they are PKI-focused, there are lessons for digital identities more generally:
    http://www.lockstep.com.au/library/babysteps/babystep_5_pki_interoperabili.pdf
    http://lockstep.com.au/library/babysteps/babystep_8_a_critical_look_at.pdf

    I have reached the conclusion that if someone wants to operate in four or five different domains, then it’s probably easier and less costly to manage four or five different identities, each valid on one domain, than it is to try and establish a single general purpose identity that “interoperates” across all domains. Calculating the Total Cost of Ownership of multi-domain identities has to include the cost of analysing and managing elevated risks when we break open old established silos and change the fundamental ways in which people deal with each other.

    Cheers,

    Stephen Wilson, Lockstep
    http://www.lockstep.com.au.

    Comment by Stephen Wilson — September 29, 2009 @ 7:27 pm
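As an added example that is not part of the post or of the comment above: a relying-party check in Python that puts the UK 0-3 and US 1-4 scales onto the post’s common four-level scale, derives the minimum level from the transaction’s risk rating (the post’s “combined” approach), and then, following the commenter’s point about AL4 and controlled drugs, still requires a domain-specific claim before authorising anything. The risk-to-level mapping, the claim names and the sample subjects are constructed assumptions.

```python
from dataclasses import dataclass

# The post's common four-level scale; index 0 is the weakest level.
LEVELS = ("rare", "medium rare", "medium", "well done")

# Assumed mapping from a transaction's risk rating to the minimum level;
# the post leaves this judgement to the implementer.
RISK_TO_LEVEL = {"low": "rare", "moderate": "medium rare",
                 "high": "medium", "very high": "well done"}


def normalise(framework: str, value: int) -> int:
    """Map a UK (0-3) or US (1-4) LOA value onto an index into LEVELS."""
    if framework == "UK":
        idx = value            # UK scale starts at 0
    elif framework == "US":
        idx = value - 1        # US scale starts at 1
    else:
        raise ValueError(f"unknown framework {framework!r}")
    if not 0 <= idx < len(LEVELS):
        raise ValueError(f"{framework} LOA {value} is out of range")
    return idx


@dataclass(frozen=True)
class Credential:
    subject: str
    framework: str                      # "UK" or "US"
    loa: int                            # value on that framework's own scale
    claims: frozenset = frozenset()     # domain attributes the issuer vouches for


def decide(cred: Credential, risk: str, required_claims: frozenset = frozenset()):
    """Return (accepted, reason). LOA gates the decision; domain claims authorise it."""
    have = normalise(cred.framework, cred.loa)
    need = LEVELS.index(RISK_TO_LEVEL[risk])
    if have < need:
        return False, f"LOA '{LEVELS[have]}' below required '{LEVELS[need]}'"
    missing = required_claims - cred.claims
    if missing:
        return False, f"identity proofed, but not authorised: missing {sorted(missing)}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples: a US level-4 prescriber and a UK level-1 visitor.
    doctor = Credential("Dr Mouse", "US", 4, frozenset({"registered-prescriber"}))
    visitor = Credential("M. Mouse", "UK", 1)
    print(decide(doctor, "very high", frozenset({"registered-prescriber"})))
    print(decide(visitor, "very high", frozenset({"registered-prescriber"})))
    print(decide(doctor, "very high", frozenset({"controlled-drugs-licence"})))
```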
