Subject Re: draft charge, refeds working group on attribute release
From "RL 'Bob' Morgan" <rlmorgan@xxxxxxxxxxxxxx>
Date Tue, 5 Jul 2011 01:02:16 -0700 (PDT)

from your previous email, you seem to think that there is a difference
between LoA 1 and LoA 0, but there isnt. Zero does not exist in the NIST
scheme and 1 is equivalent to zero. Therefore if a university only
offers LoA 1 it is at the same assurance level that Facebook, Google,
OpenID etc. offer (until finer granularity is added to the scheme, which
I have been arguing for for ages, but we are not there yet).

Not quite. NIST SP 800-63 doesn't specify "LoA0" but LoA1 is not zero assurance. There are quite a few specific requirements in LoA1 that are probably non-trivial to fulfill.

Right, it's certainly possible to run an IdM system that doesn't even qualify for LoA1. Sending passwords in the clear on the wire is a #fail, for example. Such a system isn't "LoA0", it isn't anything. But then a system that hasn't been assessed and certified isn't anything either, regardless of its practices.

 - RL "Bob"