Subject Re: draft charge, refeds working group on attribute release
From Rhys Smith <smith@xxxxxxxxxxxxx>
Date Tue, 5 Jul 2011 14:42:27 +0100

On 5 Jul 2011, at 08:58, RL 'Bob' Morgan wrote:

> they'll say sure, all of that is good enough to support our organization's business anyway.  But then if you show them LoA2 requirements that formalize all those things, cries of pain arise, and $100K compliance projects are drawn up. So we all generally do the right thing, we figure, but we faint when someone says "prove it".


I think many universities/colleges generally already do most of LOA2 for their "normal" 95% of users (standard staff/students), but meeting every single requirement in a demonstrable (to auditors) manner is where things get expensive.

And beyond that, when you start adding in the remaining 5% of users that most places have in their IDM/directories (a professor's visiting colleague from another institution who needed an account so we gave them one based on the say-so of the prof without checking their passport)... then life starts getting complicated and expensive.

Supporting LOA >=2 in our sector (and its federations) is a fine, and potentially extremely useful, idea/goal. Just don't expect it any time soon, and don't expect it to be ubiquitous, until a good business case is in place to drive both the required work (ROI on the $$$) and to make it worthwhile in dealing with the pain it brings (the ensuing tantrums when we say no to the prof's friend because they don't have government-issued ID on them...).

Dr Rhys Smith                                   e: smith@xxxxxxxxxxxxx
Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
Information Services,
Cardiff University,                            t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821