Subject Re: draft charge, refeds working group on attribute release
From Nicole Harris <nicole.harris@xxxxxxxxxxxxxxxxx>
Date Mon, 4 Jul 2011 21:08:01 +0100

Thanks Peter, I concur. 

We currently have a trust framework at a level that SPs do place more trust in than the average Facebook ID - this is why someone like an academic publisher is willing to accept an assertion from King's College that I am a member, but wouldn't accept my Facebook ID if I chose to assert that I am a member of KCL.  We don't have a neat way of declaring that which is as easy as 'LOA1' or 'LOA2' to whatever definition is being used.

I'm really hopeful that we can start a conversation around the LEGO project that will get us closer to that.  It will also be interesting to link this through to PEER - what is the different assurance between 'I've registered my metadata in PEER' and 'I am a member of an academic federation and they are publishing my metadata', for example. 

Getting back to Steven's charge, I still think there is a huge amount of work we can do in the here and now just to allow members to effectively release more attributes in a secure and trusted manner without introducing 'increased' LOA, whatever that means.

On 4 Jul 2011, at 20:09, Peter Schober wrote:

> * David Chadwick <d.w.chadwick@xxxxxxxxxx> [2011-07-04 18:20]:
>> I am arguing that universities ought to be able to do better than
>> zero assurance, in order to add more value to their assertions, and
>> I believe that the majority of the UK IdPs already do. Therefore the
>> bar ought to be raised to this level for all IdPs. This level is
>> level 2, and it is not as onerous as I think you think it is.
> I agree with Nicole (most institutions are not at LoA2 currently --
> read on for why -- that's a simple fact, so we cannot *require* LoA2
> for general federation membership. Only optional assurance profiles --
> to use the SWAMID 2.0 federation policy terminology -- should mandate
> specific levels).
> I also agree with David in thinking that probably all institutions in
> probably all federations do in fact have processes in place which put
> them *way* above self-asserted identity social IDPs currently deal in.
> *But* -- they're not proven/audited against an agreed upon set of
> criteria, such as the Kantara framework.
> I really do believe we're (current IdPs of current federations) all
> offering a much higher LoA than what's available from social id
> providers -- which is exactly why we are in fact providing value already,
> as Nicole points out. We're just not able to prove it to others
> outside our cultural background (vertical sector, if you prefer).
> Because:
> a. It's expensive. The status quo seems to be good enough for many
>   things, so there's little incentive to invest for other cases.
> b. There's not enough experience, documentation, recommendations,
>   agreement on how to do this. NIST SP 800-63 for the whole world?
>   Many don't agree with that (e.g. our national government, who
>   rolled their own, inspired by 800-63, but incompatible).
> -peter