From altermap at mail.nih.gov Mon Dec 3 13:00:13 2007
From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E])
Date: Mon, 3 Dec 2007 16:00:13 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net> <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>
Message-ID: <8C40DAAF38B0A84C9312702FA41930EA04804BA0@NIHCESMLBX3.nih.gov>

Curiously interesting. This looks like two one-factor authentications instead of two-factor authentication to me. And I dispute the math, no relevant modulo. The architecture looks like it could be very useful for validating authorities for attributes, though.

----------------------------------------------
Peter Alterman, Ph.D.
Asst. CIO for EAuthentication, NIH
and Chair, Federal PKI Policy Authority
Cell: 301-252-8846

________________________________
From: Popowycz, Alex [mailto:Alex.Popowycz at fmr.com]
Sent: Friday, November 30, 2007 8:40 AM
To: Bob Pinheiro; Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

My read on the originating message was a bit different. To me the question revolved around compound authentication (a scenario described in detail within the Strong Authentication Expert Group and now in the Strong Authentication MRD developed within BMEG). In one scenario you rely on the authentication of an identity provider and combine that with the results of an authentication of a second identity provider (which could be the originating relying party), in effect creating a federated/distributed multi-factor authentication.

I oversimplified this from an additive authentication perspective because the underlying provisioning mechanisms may result in an answer that is a mathematically nonsensical but logically relevant equation of 1+1=1.5. I would suggest reviewing the current strong auth MRD and looking at foundational scenario 2 (the version I was looking at would have it as section 3.2).

Alex

________________________________
From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of Bob Pinheiro
Sent: Thursday, November 29, 2007 5:58 PM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4.

When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations. Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party. If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion. On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2.

I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations.

I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues.

Bob Pinheiro

At 01:33 PM 11/29/2007, Coderre, Mark wrote:

I am interested in the group's thoughts around combating registration fraud by leveraging partnered certified credentialing authorities to raise the assurance level of provisioned accounts. What may be a level 1 to me (alone) could become level 2 with validation from a CA that has a more authoritative reference. The same could be true of identities I can validate very strongly but others may not. I am interested in this within the healthcare industry (pharmacies especially) as well as financial since there are health/wealth synergies in the consumer product space.

Mark Coderre
Security Architecture Lead
AIS Enterprise Architecture
860-636-2440
This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna

_______________________________________________
Sig-ia mailing list
Sig-ia at lists.projectliberty.org
http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org


From CoderreM at aetna.com Sun Dec 9 11:11:29 2007
From: CoderreM at aetna.com (Coderre, Mark)
Date: Sun, 9 Dec 2007 14:11:29 -0500
Subject: [Sig-ia] Associations to I3P?
Message-ID: <051601c83a97$4f9e9353$278245a7@aeth.aetna.com>

What associations are in place with the I3P?

Mark Coderre
Security Architect Manager
AIS Enterprise Architecture
860-636-2440


From brett at projectliberty.org Mon Dec 10 10:02:18 2007
From: brett at projectliberty.org (Brett McDowell)
Date: Mon, 10 Dec 2007 13:02:18 -0500
Subject: [Sig-ia] Associations to I3P?
In-Reply-To: <051601c83a97$4f9e9353$278245a7@aeth.aetna.com>
References: <051601c83a97$4f9e9353$278245a7@aeth.aetna.com>
Message-ID: <61639FF9-F0D9-455C-9E08-D3D5CB189E15@projectliberty.org>

If you are referring to this I3P (http://www.thei3p.org/) we do not have a formal relationship with them. Do you work with them? Do you think we should have a relationship with them (and if yes, to what ends... what would be the nature of our joint work plan)?

On Dec 9, 2007, at 2:11 PM, Coderre, Mark wrote:

> What associations are in place with the I3P?
>
> Mark Coderre
> Security Architect Manager
> AIS Enterprise Architecture
> 860-636-2440
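A worked illustration of the relying-party decision Bob Pinheiro describes in the thread above (accept only assertions from an identity provider the RP can verify as IAF-accredited, at an assurance level no lower than what the RP requires), together with Peter Alterman's caveat that two assertions are multi-factor only when the factors differ. This is an example added here, not code from the list, Liberty Alliance or any IAF implementation; the accreditation registry, the identifiers and the conservative combining rule (the compound level is never raised above the highest single accredited assertion, since what compound authentication should yield is exactly what the thread debates) are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical accreditation registry the RP trusts: issuer id -> highest
# assurance level that issuer is accredited to operate at (constructed data).
ACCREDITED_IDPS = {"idp-alpha": 3, "idp-beta": 1}


@dataclass(frozen=True)
class Assertion:
    idp: str      # issuer identifier as presented in the assertion
    level: int    # assurance level the assertion claims (1..4)
    factor: str   # factor type behind it: "password", "otp_token", "certificate", ...


def accredited_level(a: Assertion) -> int:
    """Level the RP may actually rely on: 0 if the issuer is not in the
    registry, otherwise the claimed level capped at the issuer's accreditation
    (an IdP operating at level 1 cannot hand out a level 2 assertion)."""
    cap = ACCREDITED_IDPS.get(a.idp, 0)
    return min(a.level, cap)


def accept_single(a: Assertion, required_level: int) -> bool:
    """Single-IdP policy: accredited issuer and level >= RP requirement."""
    return accredited_level(a) >= required_level


def evaluate_compound(assertions, required_level: int, required_factors: int) -> dict:
    """Compound (multi-IdP) policy, assumed rule: discard anything from an
    unaccredited issuer; the level is the best single accredited assertion
    (levels are not added); the factor count is the number of DISTINCT factor
    types, so two password logins at two IdPs are two one-factor
    authentications, not two-factor."""
    accepted = [a for a in assertions if accredited_level(a) >= 1]
    if not accepted:
        return {"accept": False, "level": 0, "factors": 0}
    level = max(accredited_level(a) for a in accepted)
    factors = len({a.factor for a in accepted})
    ok = level >= required_level and factors >= required_factors
    return {"accept": ok, "level": level, "factors": factors}


if __name__ == "__main__":
    cert = Assertion("idp-alpha", 3, "certificate")
    pw_beta = Assertion("idp-beta", 1, "password")
    pw_alpha = Assertion("idp-alpha", 1, "password")
    print(evaluate_compound([pw_alpha, pw_beta], 1, 2))   # one factor type: rejected
    print(evaluate_compound([cert, pw_beta], 3, 2))       # two factor types, level 3
```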