Subject Re: discussion on assurance
From Alex Reid <alex.reid@xxxxxxxxxx>
Date Thu, 07 Jul 2011 20:11:57 +0800

At 01:31 AM 5/07/2011, David Chadwick wrote:

I don't know if this is causing confusion or not, but a federation without a trust infrastructure, i.e. running at LoA 1, is no different to organisations simply connecting together over the normal Internet. And you don't need a federation for this, just technical protocol specifications.

What I think is needed are two things:

i) implemented support for passing the LoA in protocol between the IdP and SP (I mean that the LoA is actually being sent in practice, not just support on paper for how it can be done, which is what we have today)

ii) an intermediate level of assurance between 1 and 2 which lowers the threshold for joining the federation, and can therefore differentiate between Facebook self-asserted attributes (at LoA 1) and University-asserted ones (at n, where 1 < n < 2)

This is the conclusion we came to in Australia, resulting in a real desire to implement a NIST level 1.5 - not as assured as level 2, but better than level 1 as it involved a degree of identity checking by the institution, so not self-asserted. At one time we called this the "base level of assurance for joining the federation".

Currently, we don't implement any of this, though I'm sure that will change as SPs join who want to be assured (as specified levels of assurance) they are dealing with the right set of users. For now, they're prepared to accept that the IdPs assert that a user is a legitimate member of the organisation (knowing something about the process involved in that assertion - that is well above self-assertion).

But you will notice that we do have a couple of mandatory attributes where this info will be put/carried in due course - see - the attributes are listed at the end of the Rules.
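Point (i) above is about the LoA actually being carried in the protocol and acted on by the SP. The following is an added illustration, not code from either correspondent or from any federation: an SP-side check that extracts the SAML 2.0 AuthnContextClassRef from an assertion, maps it to a numeric level (the mapping and the urn:example URIs are constructed for this example, including a hypothetical intermediate level 1.5), and rejects any assertion that carries no recognised LoA at all rather than silently treating it as level 1.

```python
"""SP-side enforcement of a minimum Level of Assurance carried in a SAML assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed mapping from AuthnContextClassRef URIs to numeric LoA values.
# A real federation publishes its own identifiers; these are placeholders.
LOA_BY_CONTEXT = {
    "urn:example:federation:loa:1": 1.0,    # self-asserted
    "urn:example:federation:loa:1.5": 1.5,  # hypothetical intermediate level
    "urn:example:federation:loa:2": 2.0,
}


def extract_loa(assertion_xml: str):
    """Return the numeric LoA carried in the assertion, or None if absent or unknown."""
    # Note: signature validation and a hardened XML parser belong in front of this
    # step in a real SP; this example only shows the LoA extraction and comparison.
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if ref is None or ref.text is None:
        return None
    return LOA_BY_CONTEXT.get(ref.text.strip())


def meets_required_loa(assertion_xml: str, required: float) -> bool:
    """Accept only when an LoA is present on the wire and is at least `required`."""
    loa = extract_loa(assertion_xml)
    return loa is not None and loa >= required


def make_assertion(context_ref=None) -> str:
    """Build a minimal, unsigned SAML 2.0 assertion (constructed sample data)."""
    authn_context = (
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{context_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        if context_ref else ""  # an IdP that never sends the LoA omits this element
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        "<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>"
        f"<saml:AuthnStatement>{authn_context}</saml:AuthnStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    for ref in (None, "urn:example:federation:loa:1", "urn:example:federation:loa:1.5"):
        print(ref, "->", meets_required_loa(make_assertion(ref), 1.5))
```

Run directly, it shows that only the assertion carrying the intermediate level passes a requirement of 1.5, while a missing LoA is treated as a failure rather than as level 1.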

