Subject Re: international standards for LOA
From Leif Johansson <leifj@xxxxxxxx>
Date Wed, 13 Jul 2011 11:06:11 +0200

Hash: SHA1

On 07/11/2011 04:13 PM, Alex Reid wrote:
> At 10:52 PM 5/07/2011, Heather Flanagan wrote:
>> The concept of an international standardized set of values for LOA is
>> something I was grumbling about last week offline.  The NIST
>> guidelines are very useful, but are they international enough?  I
>> think this is a useful concept to poke at, tho' perhaps not on the
>> original thread.
> When last I looked (a couple of years ago, now) the draft Australian
> standards were similar (but different!) to the NIST ones.  In the AAF's
> schema, we opted for the NIST ones, but have borrowed from the
> Kantara/Liberty implementation framework in setting out the procedures
> required (eg for level 2 - see
>  The NIST ones
> were really not specific enough, as I think David has often said...

This is a common misconception. The NIST SP 800-63 was never meant to
be specific enough to put in the hands of auditors, hence the OIX, Safe
BioPharma, Kantara IAF and many other trust frameworks that rely on
800-63 but add specific assessment criteria.

	Cheers Leif
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -