The Australian higher education federation has developed a proposal for Implementing Levels of Assurance in a Trust Federation using PKI and Shibboleth

The proposal was commented by Alex Reid as

in Australia we are going with the concept of a “floor of trust” which is rather higher than NIST’s Level 1 assurance level, as it implies/requires that an independent (responsible) authority (namely the University of an agent of the university) has verified the identity to some degree – more, anyway, than the self-validating Level 1 assurance that OpenID, Facebook, etc provide.

The need for level 1,5 seem to crop up in various contexts, as self-asserted identity is not considered good enough for some use cases.  Those use cases does not want to support the full level 2, with a separate gadget (or one-time passwords), since the cost is deemed too high. We might have to wait for Incidents, to assess if the cost of Level2 is really higher than having multiple Incidents in our community.  Cost-effectiveness of security measures is tricky, as the real cost is know only after something went Wrong.

Levels of Assurance is either a quagmire where the most brilliant minds of our community will fall, or an interesting space to watch.  Could be both at the same time, and we could market this whole discussion as a reality show where we charge enough money from TV to cover the costs of implementing it.

Advertisements