On the Concordia call yesterday, we discussed the relevance of a survey around assurance (e.g. what do people understand it to be, what are the preferred frameworks, etc.), motivated in part by the question of whether the poster child of LOA, NIST 800 63, is actually the assurance model that RPs would choose (if other pressures didn't impose it).
NIST 800 63 is meant to provide (indirectly) SPs/RPs with information about the processes and technologies the IdP used in making some claim/statement about a subject, information presumably useful to the RP in deciding whether or not to accept the claim.
What other sort of information would help to convince an RP to accept the assertions of an IdP, if not an (abstracted) glimpse into the IdP's identity infrastructure?
If an RP felt it was adequately protected against any damages that would arise from a 'bad' claim, would it care about the IdP's processes? Claim insurance (filing a claim could get confusing)?
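To make the two RP questions above concrete (does the IdP's assurance level meet my requirement, and would I still accept a weaker claim if I were protected against the resulting damages), here is an added example of an RP-side acceptance check. It is not code from the post or from the Concordia project; the assertion layout, the `RpPolicy` fields, the four-level LOA scale of the original NIST SP 800-63 and the "covered value" risk-acceptance path are all assumptions made for illustration.

```python
"""RP-side decision on whether to accept an IdP assertion, keyed on assurance level."""
from dataclasses import dataclass
from typing import Optional

# Assumed LOA scale: 1 (lowest) .. 4 (highest), as in the original NIST SP 800-63.
LOA_MIN, LOA_MAX = 1, 4


@dataclass(frozen=True)
class Assertion:
    """Hypothetical abstraction of what an IdP hands the RP (constructed, not a real format)."""
    issuer: str          # IdP identifier
    subject: str         # subject identifier scoped to the IdP
    loa: Optional[int]   # assurance level the IdP claims for this authentication
    age_seconds: int     # seconds since the authentication event


@dataclass(frozen=True)
class RpPolicy:
    """What the RP requires before it trusts a claim about a subject."""
    trusted_issuers: frozenset
    required_loa: int                          # minimum LOA for the protected resource
    max_age_seconds: int                       # freshness bound on the authentication event
    # Assumed risk-acceptance path: if the RP is covered (insurance, low transaction
    # value) up to this amount, it tolerates an assertion one level short.
    covered_value_limit: Optional[float] = None


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def evaluate(assertion: Assertion, policy: RpPolicy, transaction_value: float = 0.0) -> Decision:
    """Return the RP's decision and the reason, checking the cheapest rejections first."""
    if assertion.issuer not in policy.trusted_issuers:
        return Decision(False, "untrusted issuer")
    if assertion.loa is None or not (LOA_MIN <= assertion.loa <= LOA_MAX):
        return Decision(False, "missing or out-of-range LOA")
    if assertion.age_seconds > policy.max_age_seconds:
        return Decision(False, "stale authentication")
    if assertion.loa >= policy.required_loa:
        return Decision(True, "LOA meets requirement")
    # Weaker claim, but the RP judges itself protected against the damage it could cause.
    if (policy.covered_value_limit is not None
            and transaction_value <= policy.covered_value_limit
            and assertion.loa == policy.required_loa - 1):
        return Decision(True, "LOA one level short, accepted under risk cover")
    return Decision(False, "LOA below requirement")


if __name__ == "__main__":
    # Constructed sample policy and assertions.
    policy = RpPolicy(frozenset({"https://idp.example"}), required_loa=3,
                      max_age_seconds=300, covered_value_limit=100.0)
    for a, value in [(Assertion("https://idp.example", "alice", 3, 10), 0.0),
                     (Assertion("https://idp.example", "alice", 2, 10), 50.0),
                     (Assertion("https://idp.example", "alice", 2, 10), 500.0)]:
        print(a.loa, value, evaluate(a, policy, value))
```

The point of the ordering is that issuer trust and freshness are checked before the assurance level is even consulted: an abstracted view of the IdP's infrastructure only matters once the RP has decided it is talking to an IdP it recognises at all.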
A number of analogies with sexual partner selection, undesirable consequences, and protection mechanisms spring to mind.