Comment: Changes recommended at MACE-Dir Apr 21, May 5 mtgs

2.2.11. eduPersonAssurance
(defined in eduPerson 2008xx); OID: 1.3.6.1.4.1.5923.1.1.1.11

RFC 4512 definition

( 1.3.6.1.4.1.5923.1.1.1.11 

...

Application utility class: extended; # of values: multi

Definition 

Set of URIs that assert compliance with specific standards for identity assurance. 

Notes  

This multi-valued attribute represents identity assurance profiles (IAPs), which are the set of standards that are met by an identity assertion, based on the Identity Provider's identity management processes, the type of authentication credential used, the strength of its binding, etc. An example of such a standard is the InCommon Federation's bronze and silver proposed IAPs.

The URI should be clearly documented at the broadest possible level (nation, federation, state, university system, etc.), and relying parties should be able to use the asserted value(s) to access official on-line documentation for the IAP(s).

Those establishing values for this attribute should provide documentation explaining the semantics of the values.

Because this attribute is multi-valued, relying parties may receive multiple values and should ignore unrecognized ones. Resource providers will only need to parse the collection of asserted attribute values and look for one that is trusted by the resource provider to determine the Identity Provider's asserted compliance with the standard. In addition, the Resource Provider may need a mechanism to determine a given Identity Provider's qualification to assert specific values for eduPersonAssurance. If needed, the proofing mechanism will be provided by the organization that developed the profile.
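As an added illustration (not part of the eduPerson specification) of the resource-provider logic described above: it pulls the multi-valued attribute out of an LDIF fragment, ignores values it does not recognize, and accepts a value only when the resource trusts it and the asserting Identity Provider is recorded as qualified to assert it. The policy tables, entityIDs and the third assurance value are constructed for the example.

```python
# Added example of a relying party evaluating eduPersonAssurance values.
# Policy tables, entityIDs and the extra "gold" value are constructed here,
# not taken from the specification.
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed LDIF fragment modelled on the one in the specification.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=org
uid: jdoe
eduPersonAssurance: urn:mace:incommon:IAQ:silver:sample
eduPersonAssurance: http://idm.example.org/LOA#sample
eduPersonAssurance: urn:example:made-up:gold
"""

def assurance_values(ldif: str) -> List[str]:
    """Collect every eduPersonAssurance value (multi-valued) from an LDIF fragment."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        # LDIF attribute names are case-insensitive.
        if sep and name.strip().lower() == "edupersonassurance":
            values.append(value.strip())
    return values

# Constructed policy: IAP URIs this resource trusts for access ...
ACCEPTED_FOR_RESOURCE: FrozenSet[str] = frozenset({
    "urn:mace:incommon:IAQ:silver:sample",
})
# ... and which values each Identity Provider is qualified to assert
# (in practice learned from federation metadata or an out-of-band registry).
IDP_QUALIFIED: Dict[str, FrozenSet[str]] = {
    "https://idp.example.org/idp": frozenset({
        "urn:mace:incommon:IAQ:silver:sample",
        "http://idm.example.org/LOA#sample",
    }),
    "https://idp.other.example/idp": frozenset({"http://idm.example.org/LOA#sample"}),
}

def matching_assurance(idp: str, asserted: Iterable[str]) -> Optional[str]:
    """Return the first asserted value that the resource trusts AND the IdP is
    qualified to assert. Unrecognized values are skipped, never treated as errors."""
    qualified = IDP_QUALIFIED.get(idp, frozenset())
    for uri in asserted:
        if uri in ACCEPTED_FOR_RESOURCE and uri in qualified:
            return uri
    return None

def access_allowed(idp: str, ldif: str) -> bool:
    """True when the assertion from `idp` carries a usable assurance value."""
    return matching_assurance(idp, assurance_values(ldif)) is not None
```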

The driving force behind the definition of this attribute is to enable applications to understand the various strengths of different identity management systems and authentication events, and the processes and procedures governing their operation, and to be able to assess whether or not a given transaction meets the requirements for access.

Examples:
eduPersonAssurance: urn:mace:incommon:IAQ:silver:sample
eduPersonAssurance: urn:mace:nih.gov:basic:sample
eduPersonAssurance: http://idm.example.org/LOA#sample 

Example applications for which this attribute would be useful:
Determining strength of asserted identity for on-line transactions, especially those involving more than minimal institutional risk resulting from errors in authentication.

A system supporting access to grants management in order to provide assurance for financial transactions.

Example (LDIF Fragment):
eduPersonAssurance: urn:mace:incommon:IAQ:silver:sample
eduPersonAssurance: http://idm.example.org/LOA#sample

Syntax: directoryString; Indexing: None recommended