Anil talks about LoA for attributes in response to some of the discussion at the recent IDTrust at NIST. This discussion came up a couple of times before, and I seem to recall talking about this:
In the bigger picture “assigning” a LoA for attributes is pretty pretentious, especially when there is no clearly defined relationship between the certifier and the attribute consumer. The ultimate decision to release information lies with the logical custodian of that information (in OAuth: the resource owner, in XACML: the service provider). This decision authority may be delegated to PEPs, PDPs, or be exercised within a workflow.
As the decision authority now pulls in additional information from attribute providers, the environment, and other pertinent data sources, it (the decision authority) must make a determination whether to utilize and trust these sources or not. This determination will depend on a number of factors which ultimately result in the need to perform a risk assessment answering the question:
“If data source A is used for an access control decision, is the risk of making type 1 and/or type 2 mistakes acceptable for my use case?”
Obviously, this question can ultimately only be answered by the logical data custodian, or its delegate. So instead of having an external entity assign a “Level of Assurance” to a particular attribute provider (or more generally: a data source), attribute providers should make a set of metrics available to potential consumers, so that they can make an informed risk decision. Among these metrics, I would think that the following list would be useful for access control decisions:
- Freshness – is the data up to date?
- Comprehensiveness – is the offered data sufficient to make a decision?
- Completeness – is the data available for all identities?
- Correctness – is the data accurate?
- Availability – will the attribute provider be available at all times, on all relevant networks?
- Operational soundness – are the business processes for the attribute provider sufficiently trustworthy to protect confidentiality, integrity, and availability of the data?
- Privacy/secrecy – is access to the data performed in a way that protects the data or the data consumer from unwanted disclosures?
- Accountability – is the data provider willing to accept responsibility for mistakes on their part?
- Arbitration – if something goes wrong, is there a binding arbitration process to determine responsibility?
There are probably many more, but this would be my shortlist.
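To make the argument concrete, here is an added example (not from the original post) of the consumer side of this model: an attribute provider publishes a few of the metrics above, and each data custodian evaluates them against its own use case's risk tolerance instead of relying on an externally assigned LoA. The metrics schema, the policy fields and the mapping of "type 1" to wrongly granted access and "type 2" to wrongly denied access are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ProviderMetrics:
    """Self-published metrics of an attribute provider (hypothetical schema)."""
    name: str
    last_refresh: datetime      # freshness
    coverage: float             # completeness: share of identities with data (0..1)
    accuracy: float             # correctness: share of values verified correct (0..1)
    accepts_liability: bool     # accountability

@dataclass(frozen=True)
class UseCasePolicy:
    """The data custodian's risk tolerance for one use case."""
    max_staleness: timedelta
    max_false_grant: float      # assumed type 1: access granted on a wrong value
    max_false_deny: float       # assumed type 2: access denied on a wrong or missing value
    require_liability: bool

def assess_source(m: ProviderMetrics, p: UseCasePolicy, now: datetime) -> list[str]:
    """Return the reasons this source is unacceptable; an empty list means usable."""
    reasons = []
    if now - m.last_refresh > p.max_staleness:
        reasons.append("stale")
    # Upper bound on wrongly granted access: every inaccurate value could grant.
    if 1.0 - m.accuracy > p.max_false_grant:
        reasons.append("false-grant risk")
    # Upper bound on wrongly denied access: missing plus inaccurate values.
    if (1.0 - m.coverage) + (1.0 - m.accuracy) > p.max_false_deny:
        reasons.append("false-deny risk")
    if p.require_liability and not m.accepts_liability:
        reasons.append("no accountability")
    return reasons

# Constructed sample: one provider, two use cases with very different stakes.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
HR_DIRECTORY = ProviderMetrics("hr-directory", NOW - timedelta(hours=20), 0.97, 0.99, False)
CAFETERIA_MENU = UseCasePolicy(timedelta(days=7), 0.05, 0.10, False)
PAYROLL_EXPORT = UseCasePolicy(timedelta(hours=1), 0.001, 0.05, True)

def decide(m: ProviderMetrics, p: UseCasePolicy, now: datetime = NOW) -> tuple[str, list[str]]:
    """Fail closed: a source that fails the assessment is not consulted at all."""
    reasons = assess_source(m, p, now)
    return ("use", []) if not reasons else ("do-not-use", reasons)

if __name__ == "__main__":
    print(decide(HR_DIRECTORY, CAFETERIA_MENU))
    print(decide(HR_DIRECTORY, PAYROLL_EXPORT))
```

The same provider passes for the low-stakes use case and fails for the high-stakes one, which is exactly why the acceptance decision belongs with the custodian rather than with a single assigned assurance level.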