Refeds


Subject: Re: discussion on assurance
From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date: Wed, 06 Jul 2011 11:48:57 +0100

Hi John

There are two separate issues here:

1. Trusting the IDP to make assertions to a particular level of
assurance (the trustworthiness of the IDP) and

2. Trusting that the particular user has been authenticated to a
particular level.

1. is the essential foundation of 2. If you don't trust the IDP then you
won't trust its assertions about a particular user.

As Bob indicated, an IDP can have a mix of users who have been
registered differently so their LOAs are different (no. 2 above).

Passing the LOA in the protocol provides no. 2 above. It's not a hack. It's essential.

On 06/07/2011 01:44, John Bradley wrote:
> LoA is part of SAML, openID, and Information Cards.
>
> The hard part is not asserting it in the assertion, the hard part is
> being able to trust it.

that is no. 1 above

> That is why we need federations to assert entity attributes in
> meta-data to indicate if a particular IdP is capable of making
> particular LoA assertions.

that is no. 1 above

regards

David

> Sending it as a claim about the user is a bit of a hack. It is a
> claim about the assertion. That is why it is separate in SAML and
> openID.
>
> John B.
>
> On 2011-07-05, at 8:15 PM, David Chadwick wrote:
>
>> On 05/07/2011 18:36, RL 'Bob' Morgan wrote:
>>
>>> But it is very important to note that it is perfectly fine to
>>> have some non-assured identities living alongside ones with
>>> qualified assurance (1, 2, e.g.) in the same IdM system. Just
>>> because my system has some "shared accounts" doesn't mean that my
>>> system's well-identified-individual accounts can't be LoA2. Of
>>> course my system has to be able to distinguish between the two.
>>
>> and be able to carry this in protocol to the relying party. Which
>> is why LOA has to be part of the protocol, since this is a dynamic
>> decision.
>>
>> regards
>>
>> David
>>
>> --
>>
>> *****************************************************************
>> David W. Chadwick, BSc PhD
>> Professor of Information Systems Security
>> School of Computing, University of Kent, Canterbury, CT2 7NF
>> Skype Name: davidwchadwick
>> Tel: +44 1227 82 3221
>> Fax +44 1227 762 811
>> Mobile: +44 77 96 44 7184
>> Email: D.W.Chadwick@xxxxxxxxxx
>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
>> Entrust key validation string: MLJ9-DU5T-HV8J
>> PGP Key ID is 0xBC238DE5
>>
>> *****************************************************************



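The two checks David separates above (trust in the IdP, which the federation expresses as an entity attribute in metadata, and the per-user level carried in the assertion itself) as a relying-party check in Python. This is an added example, not code from the thread or from any of the participants. The metadata and assertion XML are constructed; the entity-attribute name is the one defined in the SAML V2.0 Identity Assurance Profile, while the `urn:example:loa:*` URIs, their ordering and the `idp.example.org` / `idp.other.example` entity IDs are assumptions made for the example.

```python
"""Relying-party LoA check: (1) is the IdP certified in federation metadata
for the LoA it claims, and (2) does this particular assertion carry a LoA
that meets what the RP requires. Added example; XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entity attribute name from the SAML V2.0 Identity Assurance Profile.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
# Assumed LoA URIs, lowest to highest; real federations define their own.
LOA_ORDER = ["urn:example:loa:1", "urn:example:loa:2"]

# Constructed federation metadata: one IdP certified for LoA 1 and 2, one for LoA 1 only.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}">
        <saml:AttributeValue>urn:example:loa:1</saml:AttributeValue>
        <saml:AttributeValue>urn:example:loa:2</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}">
        <saml:AttributeValue>urn:example:loa:1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def make_assertion(issuer, subject, loa):
    """Constructed minimal assertion carrying the LoA as AuthnContextClassRef."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{loa}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def certified_loas(metadata_xml):
    """Check 1 (trust in the IdP): entityID -> set of LoAs the federation certifies."""
    result = {}
    for ed in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        loas = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT:
                loas.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        result[ed.get("entityID")] = loas
    return result


def asserted_loa(assertion_xml):
    """Check 2 (this user's authentication): (issuer, LoA carried in the assertion)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return issuer, (ref.text.strip() if ref is not None and ref.text else None)


def rank(loa):
    return LOA_ORDER.index(loa) if loa in LOA_ORDER else -1


def check_assurance(metadata_xml, assertion_xml, required_loa):
    """Accept only if the IdP is certified for the LoA it claims AND that LoA
    meets the RP's requirement. Returns (accepted, reason)."""
    issuer, loa = asserted_loa(assertion_xml)
    certified = certified_loas(metadata_xml)
    if issuer not in certified:
        return False, f"unknown issuer {issuer}"
    if loa is None:
        return False, "assertion carries no AuthnContextClassRef"
    if loa not in certified[issuer]:
        # Check 1 fails: a value the federation never vouched for is worthless,
        # however high the number in the assertion.
        return False, f"{issuer} is not certified for {loa}"
    if rank(loa) < rank(required_loa):
        # Check 1 passes, but this particular user was registered or
        # authenticated at a lower level (the mixed-population case).
        return False, f"assertion LoA {loa} is below required {required_loa}"
    return True, f"{loa} accepted from {issuer}"


if __name__ == "__main__":
    for issuer, who, loa in [("https://idp.example.org/idp", "alice", "urn:example:loa:2"),
                             ("https://idp.other.example/idp", "bob", "urn:example:loa:2"),
                             ("https://idp.example.org/idp", "carol", "urn:example:loa:1")]:
        print(who, check_assurance(METADATA, make_assertion(issuer, who, loa), "urn:example:loa:2"))
```

The order of the checks is the point of the thread: an assertion's `AuthnContextClassRef` is only meaningful once the federation's entity attribute says the issuer may make that claim, and even a fully trusted IdP can legitimately return a lower level for an individual account, so neither check replaces the other. In a real deployment the metadata would come from the federation's signed aggregate and the assertion from a signature-verified SAML response; both are taken as already-verified inputs here.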