[DG-Concordia] AuthnContext & PAPE & ICAM
John Bradley
ve7jtb at ve7jtb.com
Mon Dec 14 17:26:56 EST 2009
OMB M-04-04 doesn't require non-correlatable identifiers.
All LoA 1 identifiers are by definition pseudonymous because they are not identity proofed.
ICAM requires non-correlatable identifiers for privacy reasons that are outside of OMB M-04-04 and SP 800-63.
An IMI info card can contain claims for LoA 1, 2 and 3.
An OpenID can only be LoA 1 because it doesn't meet the requirements of LoA 2.
Once OpenID is suitable for LoA 2 and an IdP/OP is certified by an ICAM Trust Framework Provider, that IdP can step down a LoA 2 proofed account to make a LoA 1 assertion about it.
An IdP can step down but not up.
John B.
On 2009-12-14, at 7:08 PM, RL 'Bob' Morgan wrote:
>
>> The LoA1 in OMB M-04-04 is somewhat unique among the levels because it
>> requires pseudonyms (PPIDs) and no personally identifiable information. Those
>> policies are defined separately from the LoA1 policy and used by IdPs to
>> generate response messages.
>
> I am not sure what you mean by this. OMB 04-04 says that what it calls
> "anonymous credentials" *may* be used with LoAs 1 and 2. The ICAM OpenID
> profile says that PPIDs must be used, but also permits other personal
> information to be requested by the RP and provided by the OP.
>
>> If IdPs support more than one level, stipulating a desired LoA
>> makes sense, but I haven't seen IdPs supporting multiple levels. RPs may be
>> responsible for managing WLs for each level to find IdPs that provide the
>> services they need.
>
> We're expecting that the typical US higher-education IdP will support
> multiple LoAs. It doesn't make sense to segregate populations into
> separate IdPs by LoA. We're also expecting that RPs requiring LoA will
> ask for the LoA they need, rather than having to configure IdPs to know
> which RPs require what.
>
> - RL "Bob"
>
> _______________________________________________
> DG-Concordia mailing list
> DG-Concordia at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/dg-concordia
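As an added illustration of the two rules discussed in this thread (an IdP may step an assertion down from the proofed LoA but never up, and an RP should ask for the LoA it needs and verify what comes back), here is a small Python model. It is not code from the thread, Kantara or ICAM. The PAPE parameter names and the NIST SP 800-63 namespace URI are written as I recall them from OpenID PAPE 1.0 and should be treated as assumptions; the per-credential caps (OpenID at LoA 1, IMI card up to LoA 3) simply encode what the message above states. The sample response is constructed.

```python
from typing import Optional

# Assumed PAPE 1.0 namespace URI for NIST SP 800-63 assurance levels.
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

# Highest LoA each credential type can carry, as stated in the thread.
CREDENTIAL_CAP = {"openid": 1, "infocard": 3}


def assertable_level(proofed_level: int, requested_level: int,
                     credential: str) -> Optional[int]:
    """IdP side: return the LoA that may be asserted for this request, or None.

    proofed_level   LoA at which the account was identity-proofed (0..4)
    requested_level LoA the RP asked for
    credential      'openid' or 'infocard'

    Step-down is allowed (a LoA 2 proofed account may be asserted at LoA 1);
    step-up is never allowed, and the credential's own cap also applies.
    """
    ceiling = min(proofed_level, CREDENTIAL_CAP[credential])
    if requested_level > ceiling:
        return None            # would be a step-up: refuse
    return requested_level     # step-down: assert exactly what was requested


def build_pape_request(required_level: int, alias: str = "nist") -> dict:
    """RP side: PAPE request fields asking the OP for a NIST auth level.

    Only the auth-level fields are shown; the rest of the OpenID request
    (return_to, realm, ...) is omitted. Field names are assumed from PAPE 1.0.
    """
    return {
        "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
        "openid.pape.preferred_auth_level_types": alias,
        f"openid.pape.auth_level.ns.{alias}": NIST_NS,
        # Carried out-of-band in a real RP; kept here so the check below can use it.
        "_required_level": required_level,
    }


def rp_accepts(response: dict, required_level: int, alias: str = "nist") -> bool:
    """RP side: accept a PAPE response only if it carries a NIST level
    at or above what we require. Missing or malformed fields fail closed."""
    if response.get(f"openid.pape.auth_level.ns.{alias}") != NIST_NS:
        return False
    try:
        asserted = int(response[f"openid.pape.auth_level.{alias}"])
    except (KeyError, ValueError):
        return False
    return asserted >= required_level


# Constructed sample: an OP that asserts NIST level 1 for a pseudonymous PPID.
SAMPLE_RESPONSE = {
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_level.ns.nist": NIST_NS,
    "openid.pape.auth_level.nist": "1",
    "openid.claimed_id": "https://op.example/ppid/7c1e",   # constructed PPID
}

if __name__ == "__main__":
    print("LoA2 account, OpenID, RP wants 1 ->", assertable_level(2, 1, "openid"))
    print("LoA2 account, OpenID, RP wants 2 ->", assertable_level(2, 2, "openid"))
    print("RP requiring LoA1 accepts sample ->", rp_accepts(SAMPLE_RESPONSE, 1))
    print("RP requiring LoA2 accepts sample ->", rp_accepts(SAMPLE_RESPONSE, 2))
```

The RP check deliberately fails closed: an assertion with the wrong namespace, a missing level or a non-numeric value is treated as no assurance at all rather than guessed at.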