...

Author: Rainer Hörbe

Date: 23. March 2011

Abstract

Common Assurance Frameworks for Identity Federations provide a metric for the strength of the authentication process and the underlying identification of the user. This metric is called the LoA, or assurance level (AL). However, to provide a comprehensive metric for all protection requirements, this metric needs to be extended.

Context of LoA

1. Entity Authentication Assurance vs. Trusted Path: Sign-on vs. Session

...

  • provide confidentiality, integrity and availability of the communication and comply with privacy requirements;
  • assure both identity and attributes;
  • regard the protection requirements of all parties related to the transaction, which would include PII of third parties not part of the transaction and the protection requirements of end-users, organizations that the user is affiliated with, and trust service providers;
  • beyond the session: regulate further processing and storage of data including hard copies, log and audit files.

Enhanced LoA based on credential life and usage cycles

The following picture shows the common LoA and an enhanced model based on credential life and usage cycles. It segregates components of the LoA and adds components to it, but this does not imply that all of them are communicated to the Relying Party. It is still possible to funnel each single metric into a common scale.

...