[loa-bof] Fwd: [IDM] level of assurance/in-person proofing ldap attribute

Alan Sill Alan.Sill at ttu.edu
Thu Oct 9 16:23:47 CDT 2008


Copy of a thread from the Educause IdM work group

Begin forwarded message:

> From: Pål Axelsson <Pal.Axelsson at ITS.UU.SE>
> Date: October 9, 2008 4:04:29 PM CDT
> To: "IDM at LISTSERV.EDUCAUSE.EDU" <IDM at LISTSERV.EDUCAUSE.EDU>
> Subject: [IDM] SV: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
> Reply-To: Identity Management Constituent Group Discussion list <IDM at LISTSERV.EDUCAUSE.EDU>
>
> Hi again,
>
> It's as usual very nice to have an open specification, but I think that in a
> couple of years we'll see a harmonization on standard values for
> eduPersonAssurance. There are primarily two reasons I think this will happen.
> SPs want to have the same setup values for different customers in different
> federations. And local campus administrators do not want to handle multiple
> values due to the workload. I look forward to the process regarding this.
>
> I've already seen an attempt to define this type of harmonization of LoA in a
> URN. There is an OASIS draft from July this year that in chapter 3 defines 4
> URNs for NIST 800-63. The values are
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1",
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2",
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3" and
> "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4".
> For more information please see "Level of Assurance Authentication Context
> Profiles for SAML 2.0", http://wiki.oasis-open.org/security/SAML2LOAAuthnCtxProfile
>
> Pål Axelsson
>
>> -----Original Message-----
>> From: Identity Management Constituent Group Discussion list
>> [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of Brendan Bellina
>> Sent: 9 October 2008 19:08
>> To: IDM at LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [IDM] SV: [IDM] level of assurance/in-person proofing ldap
>> attribute
>>
>> The idea was to get an attribute in the spec so that people could
>> start making use of it. It is non-restrictive because we did not want
>> to limit its usefulness, nor did we know each potential use case. So
>> both federation-defined values and local values are fine. SPs can
>> disregard values they do not recognize.
>>
>> Regards,
>>
>> Brendan Bellina
>> MACE-Dir chair
>> University of Southern California
>>
>> On Oct 9, 2008, at 8:36 AM, Jones, Mark B wrote:
>>
>>> I think the idea was that the values in this attribute should reference
>>> well-known, well-defined profiles.  For instance InCommon Silver.
>>>
>>> If a particular institution wanted to define their own values that is OK,
>>> but it complicates negotiations between SP and IdP because you first have
>>> to understand the LoA profiles that are going to be asserted.
>>>
>>> -----Original Message-----
>>> From: Identity Management Constituent Group Discussion list
>>> [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of Pål Axelsson
>>> Sent: Thursday, October 09, 2008 7:11 AM
>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>> Subject: [IDM] SV: [IDM] level of assurance/in-person proofing ldap
>>> attribute
>>>
>>> Hi,
>>>
>>> The problem with this grand solution is that it's dynamic and therefore
>>> the values will be different between schools. This is a multi-tier
>>> problem: all service providers must learn the values for different
>>> schools. The solution for this is that in a federation the values are
>>> defined for level of assurance. If a school is a member of different
>>> federations they have different values for each federation. It can be
>>> solved with a value translator or by federations using the same value set.
>>>
>>> Pål Axelsson
>>>
>>>> -----Original Message-----
>>>> From: Identity Management Constituent Group Discussion list
>>>> [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of Caskey, Paul
>>>> Sent: 8 October 2008 17:42
>>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>>> Subject: Re: [IDM] level of assurance/in-person proofing ldap
>>>> attribute
>>>>
>>>> Hi Dave-
>>>>
>>>> The latest rev of eduPerson
>>>> (http://www.nmi-edit.org/eduPerson/internet2-mace-dir-eduperson-200806.html)
>>>> contains eduPersonAssurance for listing Identity Assurance Profile(s) with
>>>> which a user/IdP complies.
>>>>
>>>>> -----Original Message-----
>>>>> From: Identity Management Constituent Group Discussion list
>>>>> [mailto:IDM at LISTSERV.EDUCAUSE.EDU] On Behalf Of David Alexander
>>>>> Sent: Wednesday, October 08, 2008 10:37 AM
>>>>> To: IDM at LISTSERV.EDUCAUSE.EDU
>>>>> Subject: [IDM] level of assurance/in-person proofing ldap attribute
>>>>>
>>>>> Is there a standard ldap attribute people are using for level of
>>>>> assurance or to indicate in-person proofing?
>>>>>
>>>>> It seems like schools are just putting something in their local
>>>>> eduPerson schema.  Is this the current best practice?
>>>>>
>>>>> Dave
>>>>>
>>>>> --
>>>>> Ohio University
>>>>> <http://edirectory.ohio.edu/?$search?uid=alexandd>

Alan Sill, Ph.D
Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
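The thread discusses two SP-side needs: a "value translator" that maps federation-defined or campus-local eduPersonAssurance values onto a common scale (here the four OASIS NIST 800-63 URNs quoted above), and disregarding values the SP does not recognize. The following is an added illustration, not code from the thread or any federation; the federation-local values and their level mapping are constructed assumptions.

```python
"""Harmonise multi-valued eduPersonAssurance into a NIST 800-63 level (1-4).

Added example, not from the thread.  The four OASIS URNs are the ones quoted
in the thread; every value in FEDERATION_VALUE_TO_LEVEL is a constructed
placeholder, not a real federation's value.
"""
from typing import Iterable, Optional

OASIS_NIST_PREFIX = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"

# Federation-defined or campus-local value -> harmonised level.
# Constructed mapping: a real SP would load this from federation policy, and
# would also check that the asserting IdP is entitled (per federation
# metadata) to claim the value before trusting it.
FEDERATION_VALUE_TO_LEVEL = {
    "urn:example:fed-a:bronze": 1,
    "urn:example:fed-a:silver": 2,
    "urn:example:fed-b:loa2": 2,
    "urn:example:fed-b:loa3": 3,
    "http://example.edu/local/in-person-proofed": 2,  # campus-local value
}


def nist_level(value: str) -> Optional[int]:
    """Map one eduPersonAssurance value to a level 1-4, or None if unrecognised."""
    if value.startswith(OASIS_NIST_PREFIX):
        suffix = value[len(OASIS_NIST_PREFIX):]
        return int(suffix) if suffix in {"1", "2", "3", "4"} else None
    return FEDERATION_VALUE_TO_LEVEL.get(value)


def highest_level(values: Iterable[str]) -> int:
    """Highest harmonised level among the attribute's values.

    Unknown values are ignored rather than rejected, matching the thread's
    point that SPs can disregard values they do not recognise.  An attribute
    with no recognised value yields 0 (no assurance established).
    """
    levels = (nist_level(v) for v in values)
    return max((lvl for lvl in levels if lvl is not None), default=0)


def meets_requirement(values: Iterable[str], required_level: int) -> bool:
    """True if the user's asserted assurance reaches the SP's required level."""
    return highest_level(values) >= required_level


def to_oasis_urn(level: int) -> str:
    """Render a harmonised level as the OASIS NIST 800-63 authn-context URN."""
    if not 1 <= level <= 4:
        raise ValueError(f"NIST 800-63 level must be 1-4, got {level}")
    return OASIS_NIST_PREFIX + str(level)
```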