Re: [plasma] Levels of assurance
Trevor Freeman <trevorf <at> exchange.microsoft.com>
2011-10-28 17:24:29 GMT
I forgot to address the second part - general acceptability of LoA framework.
There are environments where they operate sometimes by consensus rather than bilateral agreements e.g.
healthcare. While Healthcare does have some bilateral agreements, there are so many potential
relationships it is impractical to set up all you may need. The last thing you would want is for access to an
out of town ER patient's record to be blocked because of the lack of a bilateral agreement.
Within any organization, there are ad-hoc communications which happen where you have not yet established
a relationship. If you don't accept some form of LoA with basic policy, then those communications would be
forced to be implicitly level 1. Equally if your organization is against accepting a LoA, you could just
use level 1 - which practically is the same thing.
I was not thinking we would map LoA scales. The challenge for Plasma is to get consensus for a specific LoA scale
that we could all adopt for basic policy. It will likely be like UN treaty negotiation where nobody is really
happy with the outcome but it's something that you can live with.
From: plasma-bounces <at> ietf.org [mailto:plasma-bounces <at> ietf.org] On Behalf Of Fitch, Scott C
Sent: Tuesday, October 25, 2011 11:56 AM
To: plasma <at> ietf.org
Subject: [plasma] Levels of assurance
Is it necessary to require levels of assurance in the Basic Policy requirements? I definitely think it's
appropriate for Advanced Policies. But I wonder whether including levels of assurance in Basic Policies
will impede adoption.
Also, the fact that there are multiple LOA frameworks out there makes it difficult to meet the requirement
to NOT require a priori bilateral agreements between the sender and recipient for Basic Policies. If the