[DG-Concordia] AuthnContext & PAPE & ICAM
David L. Wasley
dlwasley at earthlink.net
Tue Dec 15 14:28:42 EST 2009
WRT:
-----
At 12:44 PM -0500 on 12/15/09, Paul Madsen wrote:
>is there a class of users who would always log-in at a higher LOA?
>
>Within the IdP enterprise, I'd guess not (i.e. even those users that
>require higher LOA credentials would also have a lower LOA mate) but
>perhaps not for federated actions at an SP?
>
>Paul
>
Interesting thread. I would offer a few observations.
Most people want convenience. They will authenticate at the highest
level they can and simply use that for everything. An example of an
exception might be when travelling and using an Internet cafe where
they can't use their PIV card so must revert to a password.
A corollary of this is that RPs/SPs should be prepared to accept
"higher" LOAs even if they only require "lower" ones. Consider also
different "assurance profiles" where, e.g. Silver is a superset of
Bronze so an RP/SP should be prepared to accept Silver even if Bronze
is what it asks for. We've talked about different ways this could be
handled and whether it is the IdP's responsibility to assert the
overlap (e.g. this assertion is both Silver and Bronze) or whether
the RP/SP should figure that out (e.g. Silver is as good as GSA
LOA-2). The jury is still out on that one...
Users that are astute may want to avoid operating at a higher
privilege level than necessary so may choose to authenticate at LOA-2
for most of the time and then "step up" to LOA-3, e.g. with a second
factor, when necessary. Can they subsequently revoke that step up?
They should be able to without having to log out completely ...
Other users may wish to have different personae for use with
different aspects of their work or different communities. In this
case, they may need to switch between "identities" within the same
IdP which, of course, could have different LOAs. This could be a
logout/login or maybe there could be an "I am now ..."
FWIW.
David
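An added worked example, not part of David's message or of any DG-Concordia deliverable, showing what the two RP-side rules discussed above look like as code: an RP accepts an asserted AuthnContext whose LOA meets or exceeds what it asked for (so Silver satisfies a Bronze request, and an IdP that asserts "both Silver and Bronze" is handled by listing both), and a session can step up to a stronger context and later step back down without logging out. The context URIs and the rank assigned to each (Bronze as LOA-1, Silver as LOA-2, a PIV-style smartcard context as LOA-3) are assumptions chosen to match the thread's wording, not values taken from any federation's metadata.

```python
"""RP-side LOA comparison and step-up/step-down session (illustrative).

All identifiers below are constructed for this example; a real deployment
maps the AuthnContextClassRef values its federation actually issues.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed AuthnContext / assurance-profile identifiers (assumed, not real URIs).
PASSWORD = "urn:example:ac:classes:Password"
PASSWORD_PT = "urn:example:ac:classes:PasswordProtectedTransport"
SMARTCARD_PKI = "urn:example:ac:classes:SmartcardPKI"
BRONZE = "urn:example:assurance:bronze"
SILVER = "urn:example:assurance:silver"

# Assumed ordering: Bronze ~ LOA-1, Silver ~ LOA-2 (Silver is a superset of
# Bronze), a hardware second factor ~ LOA-3. Anything not listed ranks 0.
LOA_RANK = {PASSWORD: 1, BRONZE: 1, PASSWORD_PT: 2, SILVER: 2, SMARTCARD_PKI: 3}


def loa_rank(context_ref: str) -> int:
    """Rank of one context identifier; unmapped refs rank 0 so the RP never
    silently trusts a context it has not explicitly agreed to."""
    return LOA_RANK.get(context_ref, 0)


def asserted_rank(context_refs: Iterable[str]) -> int:
    """Strongest LOA among everything the IdP asserted. An IdP that says
    'this assertion is both Silver and Bronze' simply lists both refs."""
    return max((loa_rank(c) for c in context_refs), default=0)


def satisfies(asserted_refs: Iterable[str], required_ref: str) -> bool:
    """The rule from the thread: a higher LOA satisfies a lower requirement.
    A required context the RP has not mapped is a configuration error."""
    required = loa_rank(required_ref)
    if required == 0:
        raise ValueError(f"required context is not mapped: {required_ref}")
    return asserted_rank(asserted_refs) >= required


@dataclass
class Session:
    """Authenticated session as a stack of context sets: the login layer at
    the bottom, one layer per step-up on top. Stepping down pops a layer,
    so the user returns to the login LOA without a full logout."""
    _layers: List[List[str]] = field(default_factory=list)

    @classmethod
    def login(cls, context_refs: Iterable[str]) -> "Session":
        return cls([list(context_refs)])

    @property
    def rank(self) -> int:
        return asserted_rank(self._layers[-1])

    def step_up(self, context_refs: Iterable[str]) -> None:
        """Add a stronger layer; a 'step-up' that does not raise the LOA is refused."""
        refs = list(context_refs)
        if asserted_rank(refs) <= self.rank:
            raise ValueError("step-up must raise the LOA")
        self._layers.append(refs)

    def step_down(self) -> None:
        """Revoke the most recent step-up; the login layer itself is never popped."""
        if len(self._layers) > 1:
            self._layers.pop()

    def authorize(self, required_ref: str) -> bool:
        """Does the session's current top layer satisfy the resource's requirement?"""
        return satisfies(self._layers[-1], required_ref)


if __name__ == "__main__":
    # Silver is accepted where Bronze was asked for, but not the reverse.
    print(satisfies([SILVER], BRONZE), satisfies([BRONZE], SILVER))
    s = Session.login([PASSWORD_PT])          # LOA-2 for everyday use
    s.step_up([SMARTCARD_PKI])                # LOA-3 when a resource needs it
    print(s.rank, s.authorize(SMARTCARD_PKI))
    s.step_down()                             # back to LOA-2, still logged in
    print(s.rank, s.authorize(SMARTCARD_PKI))
```

The comparison is a simple total order on ranks, which is enough for the "higher satisfies lower" rule; federations whose profiles are not strictly nested would need an explicit satisfaction table rather than a single integer per profile.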