Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Tue, 05 Jul 2011 23:53:04 +0100

On 05/07/2011 21:06, Leif Johansson wrote:

On 07/05/2011 09:35 PM, David Chadwick wrote:
Hi Leif

unfortunately you have quoted 800-63 wrongly. The entropy required for
LOA 1 is only 1 in 2**10, or 1 in 1024, not 1 in 2**1024. This is very
very different. Appendix A also says that a system that assigns
subscribers 6 character passwords, randomly selected, from a 96 char
set, meets LOA 2 and has an entropy of 1 in 16K. So if Level 2 only
requires 6 random char passwords, how onerous could it be to meet LOA 1
with one sixteenth of the strength?

You are quite right. One answer to how difficult it is to meet these
requirements can be found in Eric Sacs' notes I linked to.

This is not the requirements to meet NIST LOA 2, this is the requirements to meet "the audit requirements for the GSA profile as certified through OIX." This is quite different.

If the academic federation had different procedures and policies in place in order to qualify for LOA 2 in its federation (which everyone agrees to on joining), including such things as self certification with random audits, which reduces the costs significantly whilst not perceptibly reducing the risks to the participants, then we would have a way forward that was applicable for *our* federation.

Look at the IGTF and how it sets up its federation trust rules. This is not prohibitively expensive for its participants, otherwise they would not be joining it.

Federations need to develop their own trust rules that are appropriate for it.

And if the academic federation does not like the NIST specifications, it could always define its own RefedsLOA attribute for passing between the partners to show what level of assurance they had each achieved, according to the Refeds Metric.



Cheers Leif
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5