The common Level of Assurance metric was conceived for a specific legal, technical and business context and does not fulfill the requirements for a comprehensive identity assurance metric. The requirements for a more complete metric are to communication the assurance level in public and private sectors, PKI and non-PKI technologies, and serve providers and users.
When communicating policies between an assuring and a relying actor there is a conflict of goals between simplicity and a high degree of detail that provides control. A simple scale like 4 levels means to mix apples and pears, but is easy to use in a large scale. An elaborate policy provides insight for the expert, but is too complex for most parties.
So there are 2 problems to solve:
- What qualities does the assurance between actors in a trust relationship encompass?
- How to communicate a policy that assures these qualities - a simple number or more complex data?
The qualities that need to be assured are information security and privacy, according to the scope of the TFMM.
