Subject RE: international standards for LOA
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Wed, 6 Jul 2011 12:59:29 +0000

Heather and others
EURIM have published a discussion paper [1] comparing the NIST and UK Government versions of LOA, and concluding that there is a basic difference of objective. It concludes "The difference between UK and US approaches is fundamental, and cannot be easily resolved by simply 'shifting' UK IALs up by one. The US approach is based on technology-driven risk assessment, while the UK approach is based on legal practices. Both can diverge at any time, either as a result of technological developments or changes in legal practices".

That suggests to me as if it might be possible to harmonise either a technology/risk LoA or a legal LoA, but that harmonising across those purposes is likely to be challenging, since you can't control whether or when the basis for either of them might shift. Not sure whether that counts as good news or bad, but the clarification of why it's a hard problem was helpful to me :)



Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
Phone: +44 (0) 1235 822302

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

> -----Original Message-----
> From: Heather Flanagan [mailto:hlflanagan@xxxxxxxxxxxxx]
> Sent: 05 July 2011 15:52
> To: David Chadwick
> Cc: REFeds REFeds
> Subject: [refeds] international standards for LOA
> The concept of an international standardized set of values for LOA is
> something I was grumbling about last week offline.  The NIST guidelines
> are very useful, but are they international enough?  I think this is a
> useful concept to poke at, tho' perhaps not on the original thread.
> -heather f.
> ----- Original Message -----
> From: "David Chadwick" <d.w.chadwick@xxxxxxxxxx>
> To: "Robin Wilton" <racingsnake@xxxxxxxxxxx>
> Cc: "Nicole Harris" <Nicole.Harris@xxxxxxxxxxxxxxxxx>, "Licia Florio"
> <florio@xxxxxxxxxx>, "Lucy Lynch" <llynch@xxxxxxxxxxxxxxxx>, "Mikael
> Linden" <Mikael.Linden@xxxxxx>, "REFeds REFeds" <refeds@xxxxxxxxxx>
> Sent: Monday, July 4, 2011 11:39:13 AM
> Subject: Re: [refeds] draft charge, refeds working group on attribute
> release
> Hi Robin
> the confusion is easily avoided by having an internationally
> standardised attribute type called LOA, with standardised values. Then
> the type/value is carried in the protocol, rather than simply the
> value.
> If countries want to standardise their own attribute types for internal
> use they are free to do so, and they can then carry these values in
> protocol between themselves. Cross-border transfer then requires
> knowledge of country specific attributes, or use of the international
> standard for trans border messages.
> FYI, I was always using the NIST scheme in my messages.
> regards
> David