From Alan.Sill at ttu.edu Thu Oct 9 16:23:47 2008
From: Alan.Sill at ttu.edu (Alan Sill)
Date: Thu, 9 Oct 2008 16:23:47 -0500
Subject: [loa-bof] Fwd: [IDM] level of assurance/in-person proofing ldap attribute
References: <016301c92a52$9fd1c720$df755560$@Axelsson@its.uu.se>
Message-ID: <60329A6E-BEA0-42B5-A6B1-74205CEC6128@ttu.edu>

Copy of a thread from the Educause IdM work group

Begin forwarded message:

> From: Pål Axelsson
> Date: October 9, 2008 4:04:29 PM CDT
> To: "IDM at LISTSERV.EDUCAUSE.EDU"
> Subject: [IDM] SV: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
> Reply-To: Identity Management Constituent Group Discussion list
>
> Hi again,
>
> It's as usual very nice to have an open specification, but I think that in a couple of years we'll see a harmonization on standard values for eduPersonAssurance. The reasons I think this will happen are primarily two. SPs want to have the same setup values for different customers in different federations. And local campus administrators do not want to handle multiple values due to the workload. I look forward to the process regarding this.
>
> I've already seen an attempt to define this type of harmonization of LoA in a URN. There is an OASIS draft from July this year that in chapter 3 defines 4 URNs for NIST 800-63. The values are
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1",
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2",
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3" and
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4".
> For more information please see "Level of Assurance Authentication Context Profiles for SAML 2.0", http://wiki.oasis-open.org/security/SAML2LOAAuthnCtxProfile .
>
> Pål Axelsson
>
>> -----Original message-----
>> From: Identity Management Constituent Group Discussion list [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On behalf of Brendan Bellina
>> Sent: 9 October 2008 19:08
>> To: IDM at LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
>>
>> The idea was to get an attribute in the spec so that people could start making use of it. It is non-restrictive because we did not want to limit its usefulness, nor did we know each potential use case. So both federation-defined values and local values are fine. SPs can disregard values they do not recognize.
>>
>> Regards,
>>
>> Brendan Bellina
>> MACE-Dir chair
>> University of Southern California
>>
>> On Oct 9, 2008, at 8:36 AM, Jones, Mark B wrote:
>>
>>> I think the idea was that the values in this attribute should reference well known, well defined profiles. For instance InCommon Silver.
>>>
>>> If a particular institution wanted to define their own values that is OK, but it complicates negotiations between SP and IdP because you first have to understand the LoA profiles that are going to be asserted.
>>>
>>> -----Original Message-----
>>> From: Identity Management Constituent Group Discussion list [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of Pål Axelsson
>>> Sent: Thursday, October 09, 2008 7:11 AM
>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>> Subject: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
>>>
>>> Hi,
>>>
>>> The problem with this grand solution is that it's dynamic and therefore the values will be different between schools. This is a multi-tier problem: all service providers must learn the values for different schools. The solution for this is that in a federation the values are defined for level of assurance. If a school is a member of different federations they have different values for each federation. It can be solved with a value translator, or by federations using the same value set.
>>>
>>> Pål Axelsson
>>>
>>>> -----Original message-----
>>>> From: Identity Management Constituent Group Discussion list [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On behalf of Caskey, Paul
>>>> Sent: 8 October 2008 17:42
>>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [IDM] level of assurance/in-person proofing ldap attribute
>>>>
>>>> Hi Dave-
>>>>
>>>> The latest rev of eduPerson (http://www.nmi-edit.org/eduPerson/internet2-mace-dir-eduperson-200806.html) contains eduPersonAssurance for listing Identity Assurance Profile(s) with which a user/IdP complies.
>>>>
>>>>> -----Original Message-----
>>>>> From: Identity Management Constituent Group Discussion list [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of David Alexander
>>>>> Sent: Wednesday, October 08, 2008 10:37 AM
>>>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>>>> Subject: [IDM] level of assurance/in-person proofing ldap attribute
>>>>>
>>>>> Is there a standard ldap attribute people are using for level of assurance or to indicate in-person proofing?
>>>>>
>>>>> It seems like schools are just putting something in their local eduPerson schema. Is this the current best practice?
>>>>>
>>>>> Dave
>>>>>
>>>>> --
>>>>> Ohio University

Alan Sill, Ph.D
Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University   Office: Admin 233, MS 4-1167      :
: e-mail: Alan.Sill at ttu.edu        ph. 806-742-4350 fax 806-742-4358 :
====================================================================
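The SP-side handling the thread describes, as an added example that is not code from the thread, from eduPerson, or from any federation: an eduPersonAssurance consumer that understands the four OASIS nist-800-63 URNs Pål quotes, disregards values it does not recognize (as Brendan's reply says SPs can), and acts as the "value translator" between two federations' vocabularies by normalising to a NIST 800-63 level. The federation policy tables, every `urn:example:` value, and the level each is mapped to are constructed placeholders for this example; the only identifiers taken from the thread are the OASIS URNs.

```python
"""Added example (not from the thread, eduPerson, or any federation): how a
service provider can consume a multi-valued eduPersonAssurance attribute.

Two points from the thread are implemented:
  * "SPs can disregard values they do not recognize": unknown values are
    ignored rather than treated as an error or as any assurance at all.
  * a "value translator" between federations: values are normalised to a
    NIST SP 800-63 level 1-4 and can be re-expressed in another
    federation's vocabulary.

Assumptions (not stated in the thread): the SP receives the attribute as a
list of strings, and the FEDERATION_*_POLICY tables below are constructed
placeholders, not any real federation's values or level mappings.
"""
from __future__ import annotations

from typing import Dict, Iterable, Optional

# Prefix of the four URNs quoted in the thread (OASIS SAML 2.0 LoA authn
# context profile draft); the final component is the NIST 800-63 level.
NIST_800_63_URN_PREFIX = (
    "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"
)

# Constructed policy tables for two hypothetical federations.  Each maps a
# federation- or campus-defined eduPersonAssurance value the SP chooses to
# accept to the NIST level the SP treats it as.  Identifiers and levels are
# placeholders for this example, not real assurance profiles.
FEDERATION_A_POLICY: Dict[str, int] = {
    "urn:example:federation-a:profile:bronze": 1,
    "urn:example:federation-a:profile:silver": 2,
}
FEDERATION_B_POLICY: Dict[str, int] = {
    "urn:example:federation-b:loa:low": 1,
    "urn:example:federation-b:loa:substantial": 2,
    "urn:example:federation-b:loa:high": 3,
}


def nist_level_from_urn(value: str) -> Optional[int]:
    """Return the level 1-4 encoded in an OASIS nist-800-63 URN, else None."""
    if not value.startswith(NIST_800_63_URN_PREFIX):
        return None
    suffix = value[len(NIST_800_63_URN_PREFIX):]
    # Anything but an exact "1".."4" (e.g. "", "5", "2x") is not a valid level.
    return int(suffix) if suffix in ("1", "2", "3", "4") else None


def to_nist_level(value: str, policy: Dict[str, int]) -> Optional[int]:
    """Translate one asserted value to a NIST level: OASIS URNs are understood
    directly, federation/local values only if the policy table lists them."""
    level = nist_level_from_urn(value)
    return level if level is not None else policy.get(value)


def highest_assurance(values: Iterable[str], policy: Dict[str, int]) -> int:
    """Highest recognised level among the asserted values; unrecognised
    values are disregarded.  0 means nothing usable was asserted."""
    levels = (to_nist_level(v.strip(), policy) for v in values)
    return max((lvl for lvl in levels if lvl is not None), default=0)


def meets_requirement(values: Iterable[str], required: int,
                      policy: Dict[str, int]) -> bool:
    """Access decision for a resource that needs at least `required`."""
    return highest_assurance(values, policy) >= required


def translate_value(value: str, from_policy: Dict[str, int],
                    to_policy: Dict[str, int]) -> Optional[str]:
    """Value translator: re-express a value from one federation in another
    federation's vocabulary via the NIST level.  Returns None when the
    target defines no value at exactly that level; substituting a higher or
    lower level would misstate the assurance actually asserted."""
    level = to_nist_level(value, from_policy)
    if level is None:
        return None
    for candidate, candidate_level in to_policy.items():
        if candidate_level == level:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample of what one IdP might assert for a user: an OASIS
    # URN, a federation-A profile, and a campus-local value the SP does not know.
    asserted = [
        NIST_800_63_URN_PREFIX + "2",
        "urn:example:federation-a:profile:silver",
        "urn:campus:example.edu:proofed-in-person",
    ]
    print("highest level:", highest_assurance(asserted, FEDERATION_A_POLICY))
    print("meets LoA 2:", meets_requirement(asserted, 2, FEDERATION_A_POLICY))
    print("meets LoA 3:", meets_requirement(asserted, 3, FEDERATION_A_POLICY))
    print("silver in federation B:",
          translate_value("urn:example:federation-a:profile:silver",
                          FEDERATION_A_POLICY, FEDERATION_B_POLICY))
```

The design choice worth noting is that an unrecognised value contributes nothing, so a campus-local value that the SP has not explicitly mapped can never raise the computed level, and the translator refuses to substitute a neighbouring level when the target federation has no value at the asserted one.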