Friday, March 13, 2009

Assurance Math

A thread on the OpenID list is exploring the capability of OpenID to meet the requirements of different  NIST LOAs, and thereby be relevant for SSO to US government services.

I submit the following 


Areq = the level of assurance requried by a given RP for a given resource
Aid = the level of assurance engendered by the OP/IDP's  identification & registration processes
Aauthn =  the level of assurance engendered by the OP/IDP's authentication mechanism
Aprotocol = the level of assurance engendered by the protocol by which the IDP delivers 'assertions' to the RP\

So, the smallest of the factors that determine assurance (i.e. Aid, Aauthn, and Aprotocol) must be greater than the level of assurance required by the RP (i.e. Areq). Nothing  more than the 'weakest link' principle as formula.


1) For the sake of simplicity, Aid is a catch-all factor for any process the OP follows that is not authentication   
2) Any of  Aid, Aauthn, and Aprotocol serve to constrain the maximum assurance possible. Consequently, there is no benefit in any one factor being significantly greater than the others - it's just wasted cost. The corollary to this is that no one assurance factor is more critical than another.

No comments: