Subject: Re: draft charge, refeds working group on attribute release
From: Peter Schober <peter.schober@xxxxxxxxxxxx>
Date: Mon, 4 Jul 2011 21:09:52 +0200

* David Chadwick <d.w.chadwick@xxxxxxxxxx> [2011-07-04 18:20]:
> I am arguing that universities ought to be able to do better than
> zero assurance, in order to add more value to their assertions, and
> I believe that the majority of the UK IdPs already do. Therefore the
> bar ought to be raised to this level for all IdPs. This level is
> level 2, and it is not as onerous as I think you think it is.

I agree with Nicole (most institutions are not at LoA2 currently --
read on for why -- that's a simple fact, so we cannot *require* LoA2
for general federation membership. Only optional assurance profiles --
to use the SWAMID 2.0 federation policy terminology -- should mandate
specific levels).
I also agree with David in thinking that probably all institutions in
probably all federations do in fact have processes in place which put
them *way* above the self-asserted identity that social IdPs currently deal in.
*But* -- they're not proven/audited against an agreed upon set of
criteria, such as the Kantara framework.

I really do believe we're (current IdPs of current federations) all
offering a much higher LoA than what's available from social id
providers -- which is exactly why we are in fact providing value already,
as Nicole points out. We're just not able to prove it to others
outside our cultural background (vertical sector, if you prefer).

a. It's expensive. The status quo seems to be good enough for many
   things, so there's little incentive to invest for other cases.
b. There's not enough experience, documentation, recommendations,
   agreement on how to do this. NIST SP 800-63 for the whole world?
   Many don't agree with that (e.g. our national government, who
   rolled their own, inspired by 800-63, but incompatible).