Refeds


Subject Re: draft charge, refeds working group on attribute release
From Leif Johansson <leifj@xxxxxxxx>
Date Tue, 05 Jul 2011 15:02:46 +0200

On 07/05/2011 02:29 PM, David Chadwick wrote:
> Hi Leif
> 
> LOA1 is defined as little or no confidence. So in the worst case it is
> zero. And there is no way of differentiating between little and nothing
> since both get a score of 1.

No it is not. What gave you that idea?

> 
> Could you please enumerate these non-trivial requirements for no
> confidence? I know that passwords must not be sent in the clear, but I
> don't count this as non-trivial, do you? (It's been an IETF requirement for
> over a decade).

Read Appendix A of SP 800-63 for background. Passwords at LoA1 must have
an entropy of 2**1024 over their lifetime. Also read Eric Sachs' notes on
Google's OIX LOA1 certification:
http://sites.google.com/site/oauthgoog/oixgsacert

	Cheers Leif
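To make the Appendix A reference concrete, the following is an added example (my own, not code from the REFEDS thread or from NIST) that applies the SP 800-63 Appendix A entropy heuristic for user-chosen passwords and checks the result against the Level 1 and Level 2 lifetime guessing bounds stated in SP 800-63 v1.0.2 (1 in 1024 and 1 in 16,384). The guess budget and the sample passwords are constructed, and the Appendix A composition-rule and dictionary-check bonuses are deliberately left out, so the estimate is conservative.

```python
"""Check a password against the SP 800-63 Level 1 / Level 2 guessing bound.

Assumptions (mine, not from the thread): Appendix A's heuristic is applied
without its composition-rule or dictionary-check bonuses, and the lifetime
guess budget is whatever the verifier's throttling lets an online attacker try.
"""
import math

# Maximum lifetime probability that an online guesser succeeds, per
# SP 800-63 v1.0.2: 1 in 1024 for Level 1, 1 in 16,384 for Level 2.
MAX_GUESS_PROBABILITY = {1: 2 ** -10, 2: 2 ** -14}


def appendix_a_entropy_bits(password: str) -> float:
    """Conservative Appendix A estimate for a user-chosen password:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit per character beyond 20."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(max(n - 1, 0), 7)
    bits += 1.5 * min(max(n - 8, 0), 12)
    bits += 1.0 * max(n - 20, 0)
    return bits


def lifetime_guess_probability(entropy_bits: float, guesses_allowed: int) -> float:
    """Chance that `guesses_allowed` attempts hit a password of the given
    guessing entropy, modelling each attempt as one draw from 2**H candidates."""
    return min(1.0, guesses_allowed / 2.0 ** entropy_bits)


def min_entropy_bits(guesses_allowed: int, level: int) -> float:
    """Entropy needed so `guesses_allowed` attempts stay within the level's bound."""
    return math.log2(guesses_allowed) - math.log2(MAX_GUESS_PROBABILITY[level])


def meets_level(password: str, guesses_allowed: int, level: int) -> bool:
    p = lifetime_guess_probability(appendix_a_entropy_bits(password), guesses_allowed)
    return p <= MAX_GUESS_PROBABILITY[level]


if __name__ == "__main__":
    # Constructed scenario: failed logins throttled to 100/day, password
    # rotated yearly, so an attacker gets at most 36,500 online guesses.
    budget = 100 * 365
    print(f"Level 1 needs >= {min_entropy_bits(budget, 1):.1f} bits for this budget")
    for pw in ("pass", "correcthorse", "correcthorsebatterystaple"):
        h = appendix_a_entropy_bits(pw)
        print(f"{pw!r}: {h:.1f} bits, LoA1={meets_level(pw, budget, 1)}, "
              f"LoA2={meets_level(pw, budget, 2)}")
```

The base entropies reproduce Table A.1's "no checks" column (10 bits at 4 characters, 18 at 8, 36 at 20), and the budget check shows why throttling, not just password length, decides whether the bound holds.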