Re: [plasma] Levels of assurance

Leif Johansson <> Wed, 26 October 2011 07:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8700F21F8AAF for <>; Wed, 26 Oct 2011 00:37:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jBzOnRVmgMSo for <>; Wed, 26 Oct 2011 00:37:35 -0700 (PDT)
Received: from ( [IPv6:2001:948:4:1::66]) by (Postfix) with ESMTP id A968621F8AAA for <>; Wed, 26 Oct 2011 00:37:31 -0700 (PDT)
Received: from [] ([]) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id p9Q7bQYR004231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Wed, 26 Oct 2011 09:37:29 +0200 (CEST)
Message-ID: <>
Date: Wed, 26 Oct 2011 09:37:26 +0200
From: Leif Johansson <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110922 Lightning/1.0b2 Thunderbird/3.1.15
MIME-Version: 1.0
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [plasma] Levels of assurance
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Oct 2011 07:37:35 -0000

Hash: SHA1

On 10/25/2011 08:56 PM, Fitch, Scott C wrote:
> Is it necessary to require levels of assurance in the Basic Policy requirements? I definitely think it's appropriate for Advanced Policies. But I wonder whether including levels of assurance in Basic Policies will impede adoption.
> Also, the fact that there are multiple LOA frameworks out there makes it difficult to meet the requirement to NOT require a priori bilateral agreements between the sender and recipient for Basic Policies. If the sender and recipient use different LOA scales, then some type of prior agreement must be in place to map the two scales. I don't think plasma wants to get into the business of creating a standard LOA mapping for interoperability.

Supporting multiple LOA frameworks is partly a technical issue and
partly a policy issue. The technical issue is that we need a way to
communicate LOA per transaction.

In SAML WebSSO there are technical controls (AuthenticationContext)
for communicating LOA [1]


	Cheers Leif
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -