Subject Re: draft charge, refeds working group on attribute release
From "Leif Johansson" <leifj@xxxxxxxx>
Date Wed, 6 Jul 2011 08:51:22 +0200

6 jul 2011 kl. 00:53 skrev "David Chadwick" <d.w.chadwick@xxxxxxxxxx>:

On 05/07/2011 21:06, Leif Johansson wrote:
Hash: SHA1

On 07/05/2011 09:35 PM, David Chadwick wrote:
Hi Leif

unfortunately you have quoted 800-63 wrongly. The entropy required for
LOA 1 is only 1 in 2**10, or 1 in 1024, not 1 in 2**1024. This is very
very different. Appendix A also says that a system that assigns
subscribers 6 character passwords, randomly selected, from a 96 char
set, meets LOA 2 and has an entropy of 1 in 16K. So if Level 2 only
requires 6 random char passwords, how onerous could it be to meet LOA 1
with one sixteenth of the strength?

You are quite right. One answer to how difficult it is to meet these
requirements can be found in Eric Sacs notes I linked to.

This is not the requirements to meet NIST LOA 2, this is the requirements to meet "the audit requirements for the GSA profile as certified through OIX." This is quite different.

Look closely. Many of the bits are the same. Follow the links.