Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Mon, 04 Jul 2011 17:19:29 +0100

Hi Nicole

From your previous email, you seem to think that there is a difference
between LoA 1 and LoA 0, but there isn't. Zero does not exist in the NIST
scheme and 1 is equivalent to zero. Therefore if a university only
offers LoA 1 it is at the same assurance level that Facebook, Google,
OpenID etc. offer (until finer granularity is added to the scheme, which
I have been arguing for, for ages, but we are not there yet).

I am arguing that universities ought to be able to do better than zero
assurance, in order to add more value to their assertions, and I believe
that the majority of the UK IdPs already do. Therefore the bar ought to
be raised to this level for all IdPs. This level is level 2, and it is
not as onerous as I think you think it is.



On 04/07/2011 17:05, Nicole Harris wrote:

I think that was exactly what I was arguing for.  David was arguing
in favour of raising the bar to ONLY allow institutions that can do
LOA2 and above in to federations.  I'm arguing that we have to
provide both low level and high level assurance to meet all the
requirements of our community.  Perhaps I'm coming out too strongly
in favour of the small organisations rather than e-science, but they
need someone to argue for them.

I also think you may have missed a strong dose of English sarcasm ;-)
I actually meant the exact opposite: it is highly unlikely that a
service with that many members is offering something that is so out
of tune with its users' needs as David suggests.  Sorry, I should know
the danger of being too colloquial on a multi-lingual list.


On 4 Jul 2011, at 16:23, Licia Florio wrote:

Hi Nicole,

However, if our 864 members want to go and procure services
elsewhere that is absolutely fine by us. It would free up service
money to be spent elsewhere.  The JISC Portfolio review process
is there to make sure we only offer people the services they
want. If there is service level demand for your service, I'm sure
it will be considered via the same channels.

Maybe this would be JISC's position (assuming you are now talking
for JISC), but I'm not sure all NRENs would have an equally casual
approach if all their members started getting their services
elsewhere ;)

I agree that you want to start offering services that satisfy the
majority of the users, but I think NRENs should try and address
the requirements of all their user-groups. It may not be possible
to offer services to all user-groups (maybe it turns out that some
groups can be better served elsewhere), but I would rather see this
statement as a conclusion than as a starting point.

cheers, Licia


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5