...

The common Level of Assurance (LoA) metric, as used in NIST SP 800-63 and the Kantara IAF, was conceived for a specific legal, technical and business context and does not meet the requirements for a comprehensive identity assurance metric. A more complete metric must communicate the assurance level across public and private sectors and across PKI and non-PKI technologies, and must serve both providers and users.

When communicating policies between an assuring and a relying actor there is a conflict of goals between simplicity and a high degree of detail that provides control. A simple scale of, say, four levels mixes apples and pears, but is easy to use at scale. An elaborate policy provides insight for the expert, but is too complex for most parties.

So there are two problems to solve:

  1. What qualities does the assurance between actors in a trust relationship encompass?
  2. How should a policy that assures these qualities be communicated: as a simple number or as more complex data?

Re 1.) Assurance scope

The LoA is focused on the trust relationship between Relying Party and Identity Provider, implying a backing trust relationship between IdP and Subscriber/User.

The qualities that need to be assured are information security and privacy, according to the scope of the TFMM. The Relying Party perspective is usually depicted with the LoA. The following picture shows the LoA alongside an alternative model based on the credential life cycle and usage cycle.

...