Re: [plasma] Levels of assurance

Trevor Freeman <> Fri, 28 October 2011 17:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3E49621F8514 for <>; Fri, 28 Oct 2011 10:24:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.849
X-Spam-Status: No, score=-110.849 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wS4DZmXHhp+f for <>; Fri, 28 Oct 2011 10:24:31 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 898CD21F84B5 for <>; Fri, 28 Oct 2011 10:24:31 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 28 Oct 2011 10:24:30 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 28 Oct 2011 10:24:30 -0700
Received: from ([fe80::cc46:3da5:bed6:8dfc]) by ([fe80::d57f:521a:3ae6:c130%10]) with mapi id 14.02.0247.002; Fri, 28 Oct 2011 10:24:30 -0700
From: Trevor Freeman <>
To: "Fitch, Scott C" <>, "" <>
Thread-Topic: Levels of assurance
Thread-Index: AcyTRx6pnTp5VUnTRUe7DOXMw+3LyQCS+QNw
Date: Fri, 28 Oct 2011 17:24:29 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [plasma] Levels of assurance
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Oct 2011 17:24:32 -0000

I forgot to address the second part - general acceptability of LoA framework.

There are environments where they operate sometime by consensus rather than bilateral agreements e.g. healthcare. While Healthcare does has some bilateral agreements, there are so many potential relationships it is impractical to set up all you may need. The last thing you would want is for access to an out of town ER patients record to be blocked because if the lack of a bilateral agreement.  
Within any organization, there are ad-hoc communications which happen where you have not yet established a relationship. If you don't accept some form of LoA with basic policy, then those communications would be forced to be implicitly level 1. Equally if you organization is to against accepting a LoA, you could just use level 1 - which practically is the same thing.

I was not thinking we would map LoA scales. The challenge for Plasma is get consensus for a specific LoA scale that we could all adopt for basic policy.  It will likely be like UN treaty negotiation where nobody is relay happy with the outcome but it's something that you can live with. 


-----Original Message-----
From: [] On Behalf Of Fitch, Scott C
Sent: Tuesday, October 25, 2011 11:56 AM
Subject: [plasma] Levels of assurance

Is it necessary to require levels of assurance in the Basic Policy requirements? I definitely think it's appropriate for Advanced Policies. But I wonder whether including levels of assurance in Basic Policies will impede adoption.

Also, the fact that there are multiple LOA frameworks out there makes it difficult to meet the requirement to NOT require a priori bilateral agreements between the sender and recipient for Basic Policies. If the sender and recipient use different LOA scales, then some type of prior agreement must be in place to map the two scales. I don't think plasma wants to get into the business of creating a standard LOA mapping for interoperability.


plasma mailing list