Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Tue, 05 Jul 2011 13:29:24 +0100

Hi Leif

LOA1 is defined as little or no confidence. So in the worst case it is zero. And there is no way of differentiating between little and nothing since both get a score of 1.

Could you please enumerate these non-trivial requirements for no confidence? I know that passwords must not be sent in the clear, but I don't count this as non-trivial, do you? (It's been an IETF requirement for over a decade.)



On 05/07/2011 08:50, Leif Johansson wrote:

On 07/04/2011 06:19 PM, David Chadwick wrote:
Hi Nicole

from your previous email, you seem to think that there is a difference
between LoA 1 and LoA 0, but there isn't. Zero does not exist in the NIST
scheme and 1 is equivalent to zero. Therefore if a university only
offers LoA 1 it is at the same assurance level that Facebook, Google,
OpenID etc. offer (until finer granularity is added to the scheme, which
I have been arguing for for ages, but we are not there yet).

Not quite. NIST SP 800-63 doesn't specify "LoA0" but LoA1 is not zero
assurance. There are quite a few specific requirements in LoA1 that are
probably non-trivial to fulfill.




David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5