My thinking follows yours; no, yes and how-would-you-even-do-that.
That being said, I believe somewhere in the various US federal standards there is something that says you must be IAL, AAL and FAL compliant. No doubt written by someone who thought it safer to be comprehensive and didn’t quite think it through, consequently the FAL question does get asked where there is no federation.
Also, I see situations where someone sort of seems to be in charge, but seems uninterested in the mantle of “FEDERATION AUTHORITY.”
jimmy
From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Tuesday, March 19, 2024 8:43 PM
To: Jimmy Jung <jimmy.jung@slandala.com>; wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] FAL?
I have to assume that by ‘63C compliant’ you mean ‘conformant to the Kantara 63C_SAC criteria’, because you’d have a hard job determining conformity/compliance against the NIST doc as published (which NIST have admitted was a bit of a ‘suck it and see’ approach - nice to notice that the idea of a Fedn Agrmnt has been adopted for rev.4).
We invented the notions of a Fedn Agrmnt and a Fedn Authy because without certainly the former one would have little against which to assess, and the latter, well, it’s just good to have someone in charge (or to put it another way, at whom to point one’s finger). So I reckon it’s a ‘No’, a ‘Yes, if you must’ – I mean, I’d want to see that it functioned as a genuine cooperative, because if there was only a single entity appearing to run the show then … aren’t they the authority?
And on your third question, I’d tend towards a definitive ‘No’ – I don’t see how you can have a federation without a federation ??
You should have your wife listen to the next IAWG call – she’d certainly be arranging to have you taken away to the funny farm!
That’s my Fedora thrown into the ring.
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Tuesday, March 19, 2024 19:00
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] FAL?
I recall us working on the FAL criteria, and I even recall when we came up with the concept of a Federation Agreement, I even recall my wife thinking we were all quite daft, listening to one of our meetings as we drove down to the beach; but I don’t recall much more. So, as I was glancing through the criteria, I was struggling to answer the following:
Can you be 63C compliant, without a federation agreement, a federation authority or a federation? I think the answers are no, yes and I don’t think so.
That is to say, I think our criteria is set up to require an agreement, and folks that you are agreeing with – even if no one is “in-charge.” I will eventually get into it deeper, but I base this on our criteria that says, “in the absence of a Federation Authority, the parties in the federation must organize the creation of a Federation Agreement between themselves.”
jimmy