Sorry a IdP issuing a LoA 1 or 2 response as requested if the user is proofed and authenticated at LoA 2 is what I meant as step down. The user may have been proofed at LoA 2 at say PayPal. PayPal supports both IMI and openID. They could authenticate to PayPal with a LoA 2 infocard but if the assertion to the RP is over openID then it can only be LoA 1. So in the openID case it is step down because it is a LoA 1 assertion based on a LoA 2 primary authenticator. A LoA 1 secondary assertion can never be more then LoA 1 from the RP perspective even if the Primary authenticator is a LoA 4 PIV card. If the assertion is a LoA 3 SAML assertion and the user is proofed to LoA 3 and they have a choice of 2^18 entropy password, or LoA 4 PIV card. The assertion from a ICAM perspective is LoA 1 or LoA 3 depending on what they used as there primary authenticator. I say down, you say up perhaps its a northern vs southern hemisphere thing. There are three variables proofing, Primary Authenticator, and Secondary Authenticator/Assertion. The other thing to remember is that the user can't be allowed administrative access to the account if they are authenticated at the lower LoA without compromising the Higher LoA. That is something I would look for as an assessor for a multi LoA IdP. John B. On 2009-12-14, at 8:11 PM, Paul Madsen wrote:
John, I wouldnt characterize what you are describing (ie an OP being able to issue both LOA1 & LO2 assertions) as 'step-down'.
A 'step-up' scenario from LOA1 to LOA2 would be
proofing2+authn1 -------- (when requested by an RP) --------> proofing2+authn2
as you cant (easily) proof real-time, the only variable for the stepping up is the authentication mechanism.
But what you are describing is the OP just being able to issue either LOA1 or LOA2 as appropriate, given that the proofing supports both.
Paul
John Bradley wrote:
OMB M-04-04 doesn't require non correlatable identifiers.
All LoA 1 identifiers are by definition pseudonymous because they are not identity proofed.
ICAM requires non-coralatable identifiers for privacy reasons that are outside of OMB-04-04 and SP-800-63.
A IMI info card can contain claims for LoA 1,2 and 3.
A openID can only be LoA 1 because it dosn't meet the requirements of LoA 2.
Once openID is suitable for LoA 2 and a IdP/OP is certified by a ICAM Trust framework provider, that IDP can step down a LoA 2 proofed account to make a LoA 1 assertion about it.
IdP can step down but not up.
John B. On 2009-12-14, at 7:08 PM, RL 'Bob' Morgan wrote:
The LoA1 in OMB M-04-04 is somewhat unique to other levels because it requires Pseudonyms(PPIDs) and no personal identified information. Those policies are defined separately from the LoA1 policy and used by IDPs to generate response messages.
I am not sure what you mean by this. OMB 04-04 says that what it calls "anonymous credentials" *may* be used with LoAs 1 and 2. The ICAM OpenID profile says that PPIDs must be used, but also permits other personal information to be requested by the RP and provided by the OP.
If IDPs provide support more than one levels, stipulating a desired LoA makes sense but I haven't seen IDPs supporting multi-levels. RPs may be responsible to manage WLs for each levels to find IDPs to provide services they need.
We're expecting that the typical US higher-education IdP will support multiple LoAs. It doesn't make sense to segregate populations into separate IdPs by LoA. We're also expecting that RPs requiring LoA will ask for the LoA they need, rather than having to configure IdPs to know which RPs require what.
- RL "Bob"
_______________________________________________ DG-Concordia mailing list DG-Concordia@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-concordia
_______________________________________________ DG-Concordia mailing list DG-Concordia@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-concordia