[Wg-p3] US and UK IA/LoA approaches
georgia-marsh at sbcglobal.net
Tue Aug 18 12:48:56 PDT 2009
In the US, M04-04 and NIST 800-63 are foundational IDM documents used
together to determine risk and then to ascertain what technology(ies) and
vetting is (are) necessary to mitigate the risk. The OMB doc is more SP/RP
based in that it's instructing the SP/RP on risk and specific assurance
levels. Several years ago federal agencies were mandated by OMB to conduct
"risk assessments" on all their external facing web applications. The NIST
document is all about technical requirements because that's what they do -
write the specs....
From: wg-p3-bounces at kantarainitiative.org
[mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Robin Wilton
Sent: Tuesday, August 18, 2009 2:21 PM
To: Paul Madsen
Cc: Kantara P3WG
Subject: Re: [Wg-p3] US and UK IA/LoA approaches
Hi Paul -
I'm sure it's not unique to the UK... but I think you're right that the
combination of the 'technical standard' approach plus the 'risk assessment'
guidance is more effective than either of the parts separately.
On Tue, 18 Aug 2009 14:31 -0400, "Paul Madsen" <paulmadsen at rogers.com>
Hi Robin, wrt the US/UK distinction, does not the combination of OMB
m04-04 & NIST 800 63 provide the model that you suggest is unique to the UK
Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance
+44 (0)705 005 2931
Structured consulting on digital identity, privacy and public policy
Future Identity is a limited company number 6777002, registered in England &