Subject Re: discussion on assurance
From Stefan Winter <stefan.winter@xxxxxxxxxx>
Date Wed, 06 Jul 2011 08:56:21 +0200


> Sure, at my institution we have thousands of these, unfortunately,
> some even used for significant business.  Departments like them.  Try
> to take them away in new environments (Google Apps, say) and you get
> slapped.
> But it is very important to note that it is perfectly fine to have
> some non-assured identities living alongside ones with qualified
> assurance (1, 2, e.g.) in the same IdM system.  Just because my system
> has some "shared accounts" doesn't mean that my system's
> well-identified-individual accounts can't be LoA2.  Of course my
> system has to be able to distinguish between the two.

That is understood, of course. My point was merely about the point
earlier in the thread about "knowing nothing" and "LoA1" being the same
- they're not. We know much about the holders of these accounts, but by
LoA1's definition of "same claimant" they can't be considered LoA1. They
are much better than a "john.doe@xxxxxxxxx" account though.

Such accounts sort of fall in the crack. It's like there's a LoA0.5
missing somewhere... And since LoA0 isn't spelt out anywhere, it also
wouldn't hurt to define it properly as "don't expect anything". It would
have been nice if NIST 800-63 had included *some* guidance on what's
below LoA1.


Stefan Winter

> This is unlike, say, poor password protection, which will invalidate
> assurance for all identities in the system (if the poor protection is
> system-wide).
>  - RL "Bob"

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
