Subject Re: draft charge, refeds working group on attribute release
From John Bradley <ve7jtb@xxxxxxxxxx>
Date Mon, 4 Jul 2011 16:52:38 -0400

Part of the problem with LoA in the SP-800-63 sense is that it is solely about binding identifiers to individuals.

In the real world knowing an attribute like this person is a member of KCL, may be more important to the SP than knowing that whoever is in possession of the credential showed their passport to someone at some point.

Assuming that the credential is strongly enough bound to the individual, an issuer may be able to assert an attribute with a higher level of confidence than what might be described in a traditional LoA.

At this point I wouldn't presume that formal NIST LoA 2 is a hard requirement.

Especially around attributes, what is appropriate outside of the government outsourcing context in SP-800-63 will be reevaluated as part of NSTIC.

One thing that is not addressed well currently in the commercial sense internationally are the duties of the SP.

I do think that is one area that needs work before IdPs feel confident in releasing attributes to SPs they don't have direct relationships with.

John Bradley

On 2011-07-04, at 4:08 PM, Nicole Harris wrote:

> Thanks Peter, I concur. 
> We currently have a trust framework at a level that SPs do place more trust in than the average Facebook ID - this is why someone like an academic publisher is willing to accept an assertion from King's College that I am a member, but wouldn't accept my Facebook ID if I chose to assert that I am a member of KCL. We don't have a neat way of declaring that which is as easy as 'LOA1' or 'LOA2' to whatever definition is being used.
> I'm really hopeful that we can start a conversation around the LEGO project that will get us closer to that.  It will also be interesting to link this through to PEER - what is the different assurance between 'I've registered my metadata in PEER' and 'I am a member of an academic federation and they are publishing my metadata', for example. 
> Getting back to Steven's charge, I still think there is a huge amount of work we can do in the here and now just to allow members to effectively release more attributes in a secure and trusted manner without introducing 'increased' LOA, whatever that means.
> On 4 Jul 2011, at 20:09, Peter Schober wrote:
>> * David Chadwick <d.w.chadwick@xxxxxxxxxx> [2011-07-04 18:20]:
>>> I am arguing that universities ought to be able to do better than
>>> zero assurance, in order to add more value to their assertions, and
>>> I believe that the majority of the UK IdPs already do. Therefore the
>>> bar ought to be raised to this level for all IdPs. This level is
>>> level 2, and it is not as onerous as I think you think it is.
>> I agree with Nicole (most institutions are not at LoA2 currently --
>> read on for why -- that's a simple fact, so we cannot *require* LoA2
>> for general federation membership. Only optional assurance profiles --
>> to use the SWAMID 2.0 federation policy terminology -- should mandate
>> specific levels).
>> I also agree with David in thinking that probably all institutions in
>> probably all federations do in fact have processes in place which put
>> them *way* above self-asserted identity social IDPs currently deal in.
>> *But* -- they're not proven/audited against an agreed upon set of
>> criteria, such as the Kantara framework.
>> I really do believe we're (current IdPs of current federations) all
>> offering a much higher LoA than what's available from social id
>> providers -- which is exactly why we are in fact providing value already,
>> as Nicole points out. We're just not able to prove it to others
>> outside our cultural background (vertical sector, if you prefer).
>> Because:
>> a. It's expensive. The status quo seems to be good enough for many
>>  things, so there's little incentive to invest for other cases.
>> b. There's not enough experience, documentation, recommendations,
>>  agreement on how to do this. NIST SP 800-63 for the whole world?
>>  Many don't agree with that (e.g. our national government, who
>>  rolled their own, inspired by 800-63, but incompatible).
>> -peter