Friday, May 01, 2009

Snakes and Ladders

The level of assurance  (LoA) an SP/RP can ascribe to the assertions of an IDP/OP is determined by a number of factors- some of which, with respect to an SPs ability to ask for them to be changed, are fixed, and some mutable.

The fixed factors are those that the IdP, even if asked by an SP to modify in order to increase assurance, can't realistically change. Things like how the identity was proofed, how the credentials were issued, how the certification audit was performed etc.  While on any given SAML Authn Request, an SP can ask that the IdP follow greater rigor in the identity proofing process for a given identity, it shouldn't hold its breath waiting for the response (as it will take some time to get the user to come to the office and show their passport).

The mutable factors that impact assurance are those for which it is meaningful for the SP to ask for the OP to do something differently in order to increase the resultant assurance. How the user authenticates to the OP is the best (perhaps only?) example. Maybe asking to switch to a different federation protocol is another.

LoA depend on both fixed and mutable factors.


Because in run-time (ie at the time of the authentication request) an SP can only ask for (by definition) changes to the mutable factors, any run-time movement in the above 'assurance space' can only be along the horizontal axis. There are snakes to take you sideways, but no ladders to move you higher.

The fact that you can only move sideways in assurance space at run-time has consequences for LoA. If you want to be able to transition from one level to a higher level at run-time, the point in assurance space from where you start must already meet the criteria of the higher level (because there is no 'ladder' you can climb at run-time to move up).

You can see this in the following diagram. Starting point 1 exceeds the threshold of LoA 1 for both the fixed and mutable factors. But, after we move sideways in assurance space (by the SP requesting and getting a stronger authentication etc) so that the threshold for the mutable factors exceeds LoA2, the assurance from the fixed factors has not changed. Consequently, the ending position in assurance space does not meet the fixed threshold for LoA2, nor consequently the combined threshold.

Even though the assurance from the mutable factors increased, that of the fixed factors prevents the combination from jumping to the next LoA.

Starting point #2 however, because it already exceeds the fixed threshold for LoA2, does not prevent a transition from LoA1 to LoA2 if a move sideways along the mutable axes allows it.

The moral of the story? Ayn Rand said it for me

"The ladder of success is best climbed by stepping on the rungs of opportunity."

1 comment:

James McGovern said...

I posted my own thoughts here: