Refeds


Subject Re: discussion on assurance
From John Bradley <ve7jtb@xxxxxxxxxx>
Date Tue, 5 Jul 2011 20:44:05 -0400

LoA is part of SAML, OpenID, and Information Cards.

The hard part is not asserting it in the assertion, the hard part is being able to trust it.

That is why we need federations to assert entity attributes in meta-data to indicate if a particular IdP is capable of making particular LoA assertions.

Sending it as a claim about the user is a bit of a hack.  It is a claim about the assertion.  That is why it is separate in SAML and OpenID.

John B.
On 2011-07-05, at 8:15 PM, David Chadwick wrote:

> 
> 
> On 05/07/2011 18:36, RL 'Bob' Morgan wrote:
> 
>> 
>> But it is very important to note that it is perfectly fine to have some
>> non-assured identities living alongside ones with qualified assurance
>> (1, 2, eg) in the same IdM system. Just because my system has some
>> "shared accounts" doesn't mean that my system's
>> well-identified-individual accounts can't be LoA2. Of course my system
>> has to be able to distinguish between the two.
>> 
> 
> and be able to carry this in protocol to the relying party. Which is why LOA has to be part of the protocol, since this is a dynamic decision.
> 
> regards
> 
> David
> 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> School of Computing, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxx
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
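The check the thread is circling around, written out as an added example (this is not code from the thread or from any of the posters): a relying party takes the AuthnContextClassRef from the assertion, looks the issuer up in federation metadata, and accepts the level only if the federation's entity attribute says that IdP is certified to assert it. The entity attribute name is the one from the SAML V2.0 Identity Assurance Profiles; the entity IDs, assurance URIs and both XML documents are constructed for the example, and the assertion signature is assumed to have been verified already against the issuer's key from the same metadata, which the code does not do.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 assertions, metadata and the
# metadata EntityAttributes extension.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}

# Entity attribute from the SAML V2.0 Identity Assurance Profiles that a
# federation uses to state which assurance levels an IdP may assert.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed identifiers for this example (not real entities or profiles).
IDP_A = "https://idp-a.example/idp"
IDP_B = "https://idp-b.example/idp"
LOA1 = "https://federation.example/assurance/loa1"
LOA2 = "https://federation.example/assurance/loa2"

# Constructed federation metadata: idp-a is certified for LoA1 and LoA2,
# idp-b carries no assurance certification at all.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    Name="https://federation.example/metadata">
  <md:EntityDescriptor entityID="{IDP_A}">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_CERT}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{LOA1}</saml:AttributeValue>
          <saml:AttributeValue>{LOA2}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{IDP_B}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def make_assertion(issuer, class_ref):
    """Build a minimal, unsigned, constructed assertion carrying an AuthnContextClassRef."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0"
    IssueInstant="2011-07-05T20:44:05Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2011-07-05T20:44:05Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def certified_assurance(metadata_xml, entity_id):
    """Return the set of assurance URIs the federation certifies for entity_id,
    or None when the entity does not appear in the metadata at all."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        values = set()
        for attr in ed.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT:
                for v in attr.findall("saml:AttributeValue", NS):
                    if v.text and v.text.strip():
                        values.add(v.text.strip())
        return values
    return None


def asserted_context(assertion_xml):
    """Return (issuer, AuthnContextClassRef) from an assertion; empty strings if absent."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    ref = (root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                         default="", namespaces=NS) or "").strip()
    return issuer, ref


def evaluate(assertion_xml, metadata_xml, acceptable):
    """Per-assertion decision: does the asserted level satisfy this service, and is
    the issuing IdP certified by the federation to assert it? Signature verification
    against the issuer's metadata key is assumed to have happened before this call."""
    issuer, ref = asserted_context(assertion_xml)
    certified = certified_assurance(metadata_xml, issuer)
    if certified is None:
        return ("reject", f"issuer {issuer!r} is not in the federation metadata")
    if not ref:
        return ("reject", "assertion carries no AuthnContextClassRef")
    if ref not in acceptable:
        return ("reject", f"asserted context {ref} does not meet this service's requirement")
    if ref not in certified:
        return ("reject", f"{issuer} is not certified by the federation for {ref}")
    return ("accept", f"{issuer} asserted {ref} and is certified for it")


if __name__ == "__main__":
    # A service that requires LoA2: a certified IdP at LoA2 passes, the same IdP
    # at LoA1 (a shared account, say) fails per assertion, and an uncertified IdP
    # claiming LoA2 fails because the federation never vouched for it.
    for issuer, loa in ((IDP_A, LOA2), (IDP_A, LOA1), (IDP_B, LOA2)):
        print(evaluate(make_assertion(issuer, loa), FEDERATION_METADATA, {LOA2}))
```

The two reject paths are the two points made in the thread: the same IdP can send LoA1 for one account and LoA2 for another, so the decision has to be taken on each assertion's AuthnContext rather than on the IdP alone, and an AuthnContextClassRef is only worth anything when the federation metadata says the issuer is certified to assert it.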