The topic of how to use Assurance Levels pertains to different trust framework components such as identity assurance or privacy. I think that we need a clear model of assurance metrics to build trust frameworks and would like to outline some thoughts on such a model.

Levels of Assurance (of identity, authentication, privacy, user control, session protection, service level etc.) shall be simple to use and provide comprehensive information on the safeguards that the assuring actor implemented to satisfy the relying actor. These two requirements are obviously in opposition. Simple use is afforded by a single scale (like 1-4), whereas a comprehensive policy is more like the SAML Authentication Context with 50 elements, and even that does not cover all areas.

What are the basic requirements?

Assurance metrics provide the relying actor with the assurance that its protection requirements are fulfilled with a mutually understood minimum quality level. The assurance has to be communicated in a structured form with some granularity. The key question is the granularity. Do we have to provide a fat list the size of the ISO 27002 document, or a single number that covers everything from information security to privacy? The simplest signal to an end user would be a binary one, displaying the existence or absence of some assurance. Studies regarding end users' perception of SSL usage in browsers are not encouraging and definitely point in the direction of making the UI as simple and consistent as possible.

I suggest taking the field of consumer reports as a reference. When Stiftung Warentest (the main tester in Europe) compares products or services, they do that in roughly 4 steps:

  1. Description of the subject field in general, with the key expectations and state-of-the-art solutions, plus lessons learned from former tests, and the rationale for limiting the subject field to a certain range of products.
  2. Product by product textual review highlighting special features that would not be easily conveyed in a formally structured table.
  3. Structured comparison as a large table containing the relevant properties.
  4. A summary rating according to some predefined weighting scheme. It can also be used on packaged products to show the overall rating.

Assuming that a test would compare digital cameras, one could study the comparison in detail to come to an informed decision, applying different weights to usability, durability, picture quality, zoom range etc. Or one could use the score