Subject Re: discussion on assurance
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Wed, 6 Jul 2011 11:18:13 +0200

* Stefan Winter <stefan.winter@xxxxxxxxxx> [2011-07-06 08:56]:
> That is understood, of course. My point was merely about the point
> earlier in the thread about "knowing nothing" and "LoA1" being the same
> - they're not. We know much about the holders of these accounts, but by
> LoA1's definition of "same claimant" they can't be considered LoA1. They
> are much better than a "john.doe@xxxxxxxxx" account though.
> Such accounts sortof fall in the crack. It's like there's a LoA0.5
> missing somewhere... And since LoA0 isn't spelt out anywhere, it also
> wouldn't hurt to define it properly as "don't expect anything". Would
> have been nice if the NIST 800-63 would have included *some* guidance on
> what's below LoA1.

We wouldn't automagically be audited and certified to that level
either, so same difference (but with lower LOA as a result).