Just back from the most recent tf-emc2 meeting – in the most glamorous of European locations – and after a day of frantic gathering of papers for the UK federation Policy Board meeting next week, I had time to think back on one of my presentations to the group.
I’ve been asked to lead a REFEDS work package on assurance – looking at the best ways for European federations to deal with assurance issues, particularly in terms of identity assurance profiles.
The tf-emc2 group were kind enough to hear my initial thoughts on scoping out the problem area that REFEDS should be considering. I hope to scope these ideas up into something more coherent in time for the TERENA Networking Conference in June. My slides from the meeting are here, and I would be interested in opinions from people within the UK.
My talk focuses on three different types of assurance that I think we bundle up into the term ‘levels of assurance’ without thinking about how each of them is actually applied.
- Firstly, there is the assurance that a federation adds to metadata by acting as a trusted registrar and aggregator. It is an assertion made by the federation as registrar, not by the end-user or the organisation. It is one of the things we can consider when thinking about the differences between the federated approach and user-centric access, and about where greater trust can be placed in the assertions that are made.
- Secondly, I look at strength of authentication. This is a fairly straightforward area – but we are still looking for case studies in the UK where a stronger authentication level (rather than stronger assurance) may be required. Strength of authentication can be mapped to the concept of ‘levels’ that we talk about in assurance more clearly than the other types of assurance that are added.
- Finally, I looked at identity assurance profiles and posed the question – should federations be in the business of defining identity assurance profiles? I think probably not. Identity assurance profiles should be defined by the communities that use them…and the UK federation in itself represents a domain and not a community of practice. Identity assurance profiles are not necessarily levels, as they can overlap and intertwine – perhaps they are more accurately described as layers of assurance?
One of the things I think I missed in my talk is the relationship of assurance to trust. According to Wiktionary:
- assurance: the act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.
- trust: confidence in or reliance on some person or quality.
So assurance creates trust, and the more assurance layers we add, the greater the trust becomes. I think when considering trust federations we have tended to think about things that are trusted and things that are not. This view gives a less black-and-white picture of the identity field: identity assurance can be added by the end-user, by an organisation acting as broker, and through registration with trusted federations. We need to think about all of these layers as we build up a picture of assurance requirements in the European community.