The fundamental that is important is that Level of Assurance applies at 2 abstractions. It is important that these two abstractions are recognized and independently managed:
- The Level of Assurance provided by the User Provisioning. That is how sure can we be that the identity represents the individual that it says that it represents.
- The Level of Assurance of the authenticated session. That is how sure can we be that the user logged on right now is the user that the identity represents.
In the world of PKI, the Level-Of-Assurance is defined by the Certificate Authority published document “Certificate Policy”. This is not very scaleable or reusable, so there is now an assignment to IANA to host a registry of Level-Of-Assurance policies. In this way there would be a registered URL that can be used as a Level-Of-Assurance vocabulary.
RFC-6711 - An IANA Registry for Level of Assurance (LoA) Profiles
This document establishes an IANA registry for Level of Assurance (LoA) Profiles. The registry is intended to be used as an aid to discovering such LoA definitions in protocols that use an LoA concept, including Security Assertion Markup Language (SAML) 2.0 and OpenID Connect.
Conclusion:
Don't expect that the NIST level-of-assurance model is executable and don't expect a standard to develop a simple vocabulary.
- Authentication and Level of Assurance
- Identity - - Proofing
- Direct addresses- Trusted vs Trustable
- The Emperor has no clothes - De-Identification and User Provisioning
- What User Authentication to use?
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
- Healthcare use of Identity Federation
- Federated ID is not a universal ID
- Separation of Layers: Security Error Codes
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete