Subject Re: international standards for LOA
From Heather Flanagan <hlflanagan@xxxxxxxxxxxxx>
Date Wed, 6 Jul 2011 09:50:05 -0400 (EDT)

----- Original Message -----
From: "Andrew Cormack" <Andrew.Cormack@xxxxxx>
To: "Heather Flanagan" <hlflanagan@xxxxxxxxxxxxx>, "David Chadwick" <d.w.chadwick@xxxxxxxxxx>
Cc: "REFeds REFeds" <refeds@xxxxxxxxxx>
Sent: Wednesday, July 6, 2011 5:59:29 AM
Subject: RE: [refeds] international standards for LOA

Heather and others
EURIM have published a discussion paper [1] comparing the NIST and UK Government versions of LOA, and concluding that there is a basic difference of objective. It concludes "The difference between UK and US approaches is fundamental, and cannot be easily resolved by simply 'shifting' UK IALs up by one. The US approach is based on technology-driven risk assessment, while the UK approach is based on legal practices. Both can diverge at any time, either as a result of technological developments or changes in legal practices".

That suggests to me that it might be possible to harmonise either a technology/risk LoA or a legal LoA, but that harmonising across those purposes is likely to be challenging, since you can't control whether or when the basis for either of them might shift. Not sure whether that counts as good news or bad, but the clarification of why it's a hard problem was helpful to me :)



Well, if it was easy, everyone would do it! ;-) But yes, this link is helpful to me also, thanks!

-heather f.