Subject Re: discussion on assurance
From Alex Reid <alex.reid@xxxxxxxxxx>
Date Fri, 08 Jul 2011 11:38:42 +0800

At 08:56 PM 7/07/2011, Peter Schober wrote:

* Alex Reid <alex.reid@xxxxxxxxxx> [2011-07-07 14:43]:
> While it is true that it might be unreasonable/impractical to
> require all IdPs to assert all their members at LOA2, it is not
> unrealistic to require them to assert *some* of their members at
> LOA2 (at least);  this would be required if we are authenticating
> users for special/expensive facilities like telescopes, particle
> colliders, supercomputers, etc.  But those will only ever be a
> fraction of the total user population of most IdPs, so the
> overhead/expense may be tolerable (especially as most institutions
> already do that for Grid users, etc).

This possibly depends on local IdM practices more than anything else,
but at least for the university I work for I would think that the
systems and processes that needed to be looked at (and audited) do not
differ significantly based on whether the electronic identities
therein represent e-science (or whatever the term is) users or not.

That is to say, it'd be the same effort (and costs) to do this for one
group of people as it would be to do this for (almost) all identities,
making the case of doing this only for a selected group economically
less alluring, not more. I may be wrong, of course.

The *process* may well be the same whether you do it for a few or a lot, but the current processes (and, I think, any suitable process) are very labour-intensive (needing to see people face-to-face), so would not scale well to the whole community.

Cheers, Alex.