Subject Re: discussion on assurance
From Rhys Smith <smith@xxxxxxxxxxxxx>
Date Tue, 5 Jul 2011 19:16:12 +0100

On 5 Jul 2011, at 18:36, RL 'Bob' Morgan wrote:

> But it is very important to note that it is perfectly fine to have some non-assured identities living alongside ones with qualified assurance (1, 2, eg) in the same IdM system.  Just because my system has some "shared accounts" doesn't mean that my system's well-identified-individual accounts can't be LoA2.  Of course my system has to be able to distinguish between the two.

Actually that's a very good, and very obvious, point which I completely forgot about.

I think the realistic way forward for LoA in our environment is to put the technical and policy stuff in place (which from a federation perspective is going to be relatively small I think, especially compared to the stuff institutions will have to do) to enable higher-level-of-assurance stuff; and then institutions can start dabbling with specific users who we enforce the requirements upon to give them access to services that require a higher LoA. Which will, of course, require services that do require higher LoA... bit of a chicken and egg thing I'm afraid!

Think any kind of big bang approach to getting this in place is just doomed to a short fiery death at the hands of IDM people in institutions.

Dr Rhys Smith                                   e: smith@xxxxxxxxxxxxx
Engineering Consultant: Identity & Access Management  (GPG:0xDE2F024C)
Information Services,
Cardiff University,                            t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff,                     f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom.                      m: +44 (0) 7968 087 821