[Wg-p3] Conference call reminder: Thursday 20th August

Nicole Harris n.harris at jisc.ac.uk
Tue Aug 18 04:34:14 PDT 2009

i think the differences between the NIST approach and the UK Cabinet 
approach is interesting and highlight the problems of identifying what 
we mean by a level of assurance 'scheme'.   The NIST / OMB focuses more 
on the detail of the technical requirements and the UK Cabinet Office 
more on risk assessment.  I guess you could argue that the NIST approach 
is more focused on instructing the IdP on what it needs to implement 
technically, whilst the UK approach may be more useful in instructing an 
SP on what sort of risk issues it should be looking at before looking at 
setting an assurance level. 

Overall, assurance levels have to be implementable so the basic point 
has to be what does the IdP and the SP need to know about an assurance 
level to be able to successfully implement, assert, consume and trust 
that assurance level.  I quite like the Liberty Alliance Framework 
approach as it does go through a variety of headings that need to be in 
place in each scenario - and these seem imminently sensible.  Finally, 
we have to add in to the mix the concept of an assurance programme for 
specific environments like access management Federations, which set out 
very clearly for participants the steps they need to go through to 
achieve certain levels of assurance, including details of audit etc. etc. 

What I would like to see is an assurance programme that would work 
across all education and research federations effectively as a complete 
programme but that clearly defined assurance statements that could be 
recognised and consumed in other environments...such as within the UK 
Government Gateway or within interactions with the NHS etc. etc. 

Bob Pinheiro wrote:
> I think there are several issues that need to be resolved (not 
> necessarily on this call) as the various WGs push forward with their work:
> 1.  The discussion of Levels of Assurance on the P3W list mixes up two 
> schemes for defining LoA: the NIST 800-63 / OMB04-04 scheme which uses 
> LoA 1 - 4, and which was adapted by Kantara in defining its Identity 
> Assurance Framework, and the British scheme defined in the UK Cabinet 
> Office document "Identity Risk Management for e-Government Services", 
> which uses LoA 0-3.  Although these two schemes are roughly 
> equivalent, they are not exactly the same in terms of identity 
> proofing requirements, types of credentials required at the various 
> LoAs, etc..  So I think some decision needs to be made as to how to 
> deal with this situation.  In further discussions involving LoA, is 
> reference being made to the NIST/Kantara IAF scheme or the UK 
> scheme?    Do we feel that a new LoA scheme is needed which somehow 
> combines the two, or otherwise incorporates changes the WG believes 
> are necessary?  Do we need to evaluate and better understand the 
> differences between the two schemes before deciding how to answer 
> these questions?
> 2.  One of the topics that is coming up in the email discussions is 
> the appropriate LoAs for consumer-related applications.  In the 
> Consumer Identity WG, a working assumption is that the types of 
> consumer identity issues that are of most importance, and that the WG 
> should be dealing with, come into play at "high assurance" levels, or 
> at NIST LoA 3.  Although there is not that much difference between 
> NIST LoAs 2 and 3 in terms of how identity proofing is done (the main 
> differences have to do with how the supporting identity 
> information/documentation is verified), there is a big difference in 
> terms of identity credentialing required.  At NIST LoA 2, a password 
> alone is sufficient for authentication to an identity provider, 
> whereas at NIST LoA 3, the IAF requires authentication based on either 
> a one-time password or a cryptographic key.  Too often consumer 
> applications (in the US) are considered to be at NIST LoA 2, which 
> absolves the relying parties of having to deal with the fact that 
> consumers generally do not have authentication tokens appropriate for 
> NIST LoA 3 (that is, OTP generators or crypto keys).  One of the 
> challenges for us (at least IMO), and for the Consumer Identity WG in 
> particular, is how we can create an identity ecosystem that enables 
> consumers to authenticate themselves using high assurance identity 
> tokens (ie, OTP generators or crypto keys).  This may be different in 
> the UK and other parts of the world, so addressing these differences 
> in an organization such as Kantara will be a challenge.
> 3.  Regarding the user interface issue and the use of OpenID at the 
> higher assurance levels, there is a perception that OpenId is 
> inappropriate at these higher assurance levels.  In the case where an 
> identity assertion is required from an OpenID identity provider that 
> asserts something about the consumer's identity, this may indeed be 
> true.  However, there are other cases where the relying party doesn't 
> need to actually establish the consumer's identity each time the 
> consumer accesses some high-value online resource, but instead what is 
> required is to authenticate that the person seeking access is the same 
> person who initially enrolled.  For instance, when logging into an 
> online banking service, what's needed is to verify that the person 
> seeking access is the person who initially enrolled (whose identity 
> was presumably verified at that time).  So in that case, OpenID may be 
> appropriate, as long as the OpenID is bound to the account during 
> enrollment, and subsequent authentication using the OpenID is based on 
> something stronger than a password (ie, a OTP or crypto key).  But 
> then there's the user interface issue.  Will consumers be confused if 
> OpenID is required for some situations, but other identity 
> technologies such as Information Cards are used in other cases?
> I've raised a number of points here that I think are also relevant to 
> other WGs such as the Identity Assurance WG, Consumer Identity WG, and 
> the (proposed) User Login Experience WG. 
> Bob
> ---------------------------
> Bob Pinheiro
> Chair, Consumer Identity WG
> 908-654-1939
> kantara at bobpinheiro.com
> www.bobpinheiro.com
> Robin Wilton wrote:
>> Greetings -
>> A quick reminder that we have our next conf-call coming up on 
>> Thursday Aug 20th, at 16:00 BST (08:00 PST, 11:00 EST, 17:00 CET). 
>> Can I request that a P3WG member of the Japan WG/DG please contact me 
>> by email, so that we can plan for a possible sync-up or liaison 
>> session in Las Vegas?
>> Here are the dial-in numbers, which you can also find via the P3WG 
>> home page, here 
>> <http://kantarainitiative.org/confluence/display/p3wg/Home>.
>>     * US/Canada toll-free number:  1.866.305.1460
>>     * Direct dial (toll) number: +1.416.620.1296
>>     * Attendee Code: 9247530
>>     * International toll-free numbers:
>>           o UK: 0800 917 5847
>>           o Netherlands: 08002659007
>>           o Belgium: 080079491
>>           o Japan: 00531160345
>> Draft agenda (suggestions/contributions welcome):
>> 1 - Re-cap of 10th August meeting at GSA (Washington DC) on US plans 
>> for C2G authentication;
>> 2 - Matters arising from (1); P3WG and authentication policy in a 
>> multi-LoA environment. It's clear that this is a complex topic, but 
>> also that P3WG members have a lot of relevant expertise and detailed 
>> knowledge. I suggest we should look at what the group could to do 
>> define and produce something which sums up the problem area clearly 
>> and simply, and offers practical guidance to stakeholders. Our aim 
>> should be to produce something which reflects the perspectives of a 
>> broad range of stakeholders, and provides policymakers with 
>> appropriate input to their decision-making in this area.
>> I would like to reach a conclusion, by the end of the call, as to 
>> whether the Group wishes to define a work item here, and if so 
>> whether anyone would volunteer to draft a high-level work plan 
>> (scope, goals, description of deliverables) in time for the Las Vegas 
>> meetings.
>> 3 - Planning for the Kantara plenaries in Las Vegas: review the 
>> conference time-table and room allocation. Current agenda is visible 
>> online here 
>> <http://kantarainitiative.org/confluence/display/GI/Kantara+Initiative+Conferences>.
>> 4 - Nominations for Vice Chair and Secretary
>> 5 - Stand-in arrangements for September 3rd conference call (RW not 
>> available...).
>> I look forward to a productive call on Thursday.
>> With best wishes -
>> Robin
>> Robin Wilton
>> Director, Future Identity
>> Director of Privacy and Public Policy, Liberty Alliance
>> www.futureidentity.eu
>> +44 (0)705 005 2931
>> ====================================================================
>> Structured consulting on digital identity, privacy and public policy
>> ====================================================================
>> Future Identity is a limited company number 6777002, registered in England & Wales
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Wg-p3 mailing list
>> Wg-p3 at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-p3_kantarainitiative.org/attachments/20090818/59a905e4/attachment-0001.html>

More information about the Wg-p3 mailing list