On Fri, Aug 10, 2012 at 3:16 AM, jleleu <[email protected]> wrote:
> Hi,
>
> After the discussion about LOA on this thread:
> https://lists.wisc.edu/read/messages?id=18431743, I wrote the
> specification for LOA.
>
> It's "done" here:
> https://wiki.jasig.org/display/CAS/Level+Of+Assurance+Specification
>
> I add new concepts or update existing ones, extend the CAS protocol, describe
> the LOA algorithm, describe use cases and define a roadmap.
> Everything is a proposal, of course. I did my best to design an easy
> solution, fully extensible as well (nothing less ;-)
>
> I have two special TODOs for Marvin (describe the authentication API in CAS
> server 4.0.0) and Nathan (add your "complex" use cases to see if it matches
> my spec).
>
> I'm looking forward to your feedback. After that, I hope we can validate
> the spec soon.
>
> Best regards,
> Jérôme
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
I'd suggest giving a read of NIST 800-63 (particularly section 5.3) (http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf), OMB M-04-04 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf), and the InCommon Assurance Profiles (http://www.incommon.org/docs/assurance/IAP_V1.1.pdf).

I believe you have done a good job capturing the strength of each authentication mechanism, but that does not necessarily relate directly to LoA. Note also that LoA is multi-variable -- minimally, the strength of initial identity proofing and the strength of the authentication action are both inputs to the equation. So I'm not sure a simple numerical value is appropriate.

So, CAS itself would need to either:

1: Use the proofing mechanism (from LDAP, etc.) and the authentication mechanism to *compute* and serve the LoA to an RP.
2: Serve the proofing mechanism (from LDAP, etc.) and the authentication mechanism as two distinct attributes to the RP.

Unless we can compute CAS LoA aligned with the above standards, I'd recommend #2 -- simply deliver the proofing and authentication attributes (e.g., urn:org.jasig.cas.authenticator:x509 | urn:edu.uconn.authenticator:password | urn:org.example.identityproof:photoid), and let RPs perform authorization on those.

Just my $0.01,
-Matt

--
[email protected]
PGP: E2144AD8
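The two options Matt lists, as an added example that is not part of the thread and not CAS project code. The URN values and the level assigned to each are assumptions made for the example, not CAS or InCommon definitions; the "lowest component wins" rule for option 1 is the one NIST SP 800-63-1 uses, where the overall assurance level is the lowest level achieved across its component areas (identity proofing, token, and so on). The example shows why a strong authenticator alone does not give a high LoA, and how an RP can authorize directly on the two attributes under option 2.

```python
"""
Added example: LoA as a function of two inputs (identity proofing and the
authentication mechanism) versus authorization on the raw attributes.
Attribute values and levels are hypothetical.
"""
from typing import Dict, Optional, Set

# Hypothetical mapping of proofing attribute values to levels 1..4.
# A real deployment would take these from the IdP's documented assurance
# profile rather than hard-coding them.
PROOFING_LEVEL: Dict[str, int] = {
    "urn:org.example.identityproof:self-asserted": 1,
    "urn:org.example.identityproof:photoid": 3,
}

# Hypothetical mapping of authenticator attribute values to levels 1..4.
AUTHENTICATOR_LEVEL: Dict[str, int] = {
    "urn:edu.uconn.authenticator:password": 2,
    "urn:org.jasig.cas.authenticator:x509": 4,
}


def compute_loa(proofing: str, authenticator: str) -> Optional[int]:
    """Option 1: the IdP (here, CAS) computes a single LoA for the RP.

    The overall level is the lowest of the component levels, so a strong
    authenticator on a self-asserted identity still yields LoA 1.
    Returns None when either value is unrecognised, so an unknown
    mechanism can never be mistaken for a high level.
    """
    p = PROOFING_LEVEL.get(proofing)
    a = AUTHENTICATOR_LEVEL.get(authenticator)
    if p is None or a is None:
        return None
    return min(p, a)


def cas_attributes(proofing: str, authenticator: str) -> Dict[str, str]:
    """Option 2: CAS releases the two mechanisms as distinct attributes
    and does no LoA arithmetic itself.  Attribute names are assumed."""
    return {"identityProofing": proofing, "authenticator": authenticator}


def rp_authorize(attrs: Dict[str, str],
                 accepted_proofing: Set[str],
                 accepted_authenticators: Set[str]) -> bool:
    """Option 2, RP side: authorize only if *both* released attributes are
    in the RP's accepted sets.  A missing attribute is a deny, not a pass."""
    proofing = attrs.get("identityProofing")
    authenticator = attrs.get("authenticator")
    if proofing is None or authenticator is None:
        return False
    return proofing in accepted_proofing and authenticator in accepted_authenticators


if __name__ == "__main__":
    # Strong authenticator, weak proofing: LoA is bounded by the proofing.
    print(compute_loa("urn:org.example.identityproof:self-asserted",
                      "urn:org.jasig.cas.authenticator:x509"))
    # An RP that demands photo-ID proofing and an X.509 authenticator.
    attrs = cas_attributes("urn:org.example.identityproof:photoid",
                           "urn:org.jasig.cas.authenticator:x509")
    print(rp_authorize(attrs,
                       {"urn:org.example.identityproof:photoid"},
                       {"urn:org.jasig.cas.authenticator:x509"}))
```

Under option 2 the RP policy is just two set-membership checks, which is what makes it the safer default when the IdP cannot guarantee that its computed number lines up with the cited profiles: the RP sees exactly which mechanisms were used rather than a level whose derivation it cannot audit.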
