Wednesday, October 17, 2007

Cardspace LoA

In discussing Cardspace's relaxation of the SSL requirement for RPs, Pam writes
We now theoretically will have three different assurance levels going, based on three different ssl certificate levels (no certs, regular certs, and HA certs).
For there to be 3 Cardspace assurance levels would imply that the LoA is the same for self-asserted and managed cards. Is this the case? If authentication (and not the transfer of other attributes) is the desired function, can an Infocard RP have the same level of assurance (i.e. confidence that the individual presenting the card is the valid one) in the two different models?

Typically the LoA an RP can ascribe to a credential is determined by a number of factors, some technical and some not (i.e. business & legal). A self-asserted card would appear to deprecate all the non-technical factors, as there need be no partner IdP with which contracts would be signed (presumably Microsoft has appropriately covered its legal butt with a disclaimer somewhere in the shrink-wrap trail so they aren't in the liability mix)

If nothing else, a managed card would seem to have more moving parts that could impact assurance.


Phil Hunt said...

It seems to me there are a lot of cases where the IdP has an interest in assuring that only the correct parties get the information and that it be provided securely.

There are many cases (e.g. law enforcement) where this might be a wee bit critical.

Now there are now guarantees.

Eric Norman said...

Level of Assurance is not the same as "level of security".

LoA is determined at least as much by the practices of the assurer (IdP) than it is by any cryptographic prestigitaon.

Documents like NIST SP 800-63 (see section 7) provide examples and guidance about what such practices might be.

Paul Madsen said...

Phil, of course, but I dont see the connection to LoA?

Eric, of course, but I never claimed that LoA was all about crypto security. Or are you responding to Phil?

And if you want to read about assurance, then OMB m04-04 is a better start.

JeffB said...

In the Information Card paradigm the certs are used for both XML encryption and for server authentication. The LoA is the LoA for the server's identity, not the client.

Paul Madsen said...

Jeff, I am thinking from the RP's PoV. Can (or will) the RP place the same confidence in an authentication facilitated by a personal card as it would for one facilitated by a managed card?

The answer is presumably yes if the RP thinks of assurance in sufficiently coarse chunks. For instance, I expect both could qualify (assuming the other criteria are met) for NIST 800-63 Level 3?

Similarly, both managed & personal cards would be 'phishing-resistant' as defined by PAPE.