[Wg-p3] US and UK IA/LoA approaches

Georgia Marsh georgia-marsh at sbcglobal.net
Tue Aug 18 12:48:56 PDT 2009

In the US, M04-04 and NIST 800-63 are foundational IDM documents used
together to determine risk and then to ascertain what technology(ies) and
vetting is (are) necessary to mitigate the risk. The OMB doc is more SP/RP
based in that it's instructing the SP/RP on risk and specific assurance
levels. Several years ago federal agencies were mandated by OMB to conduct
"risk assessments" on all their external facing web applications. The NIST
document is all about technical requirements because that's what they do -
write the specs....




From: wg-p3-bounces at kantarainitiative.org
[mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Robin Wilton
Sent: Tuesday, August 18, 2009 2:21 PM
To: Paul Madsen
Cc: Kantara P3WG
Subject: Re: [Wg-p3] US and UK IA/LoA approaches


Hi Paul - 


I'm sure it's not unique to the UK... but I think you're right that the
combination of the 'technical standard' approach plus the 'risk assessment'
guidance is more effective than either of the parts separately.




On Tue, 18 Aug 2009 14:31 -0400, "Paul Madsen" <paulmadsen at rogers.com>

Hi Robin, wrt the US/UK distinction, does not the combination of OMB
m04-04 & NIST 800 63 provide the model that you suggest is unique to the UK?


Robin Wilton
Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance
+44 (0)705 005 2931
Structured consulting on digital identity, privacy and public policy
Future Identity is a limited company number 6777002, registered in England &