Assurance is usually discussed within the framework described by NIST 800-63, a combination of technical and procedural metrics around the vetting of an identity, the issuance of credentials for authentication, and the act of authentication itself. It is unclear to what degree this notion is well understood outside of the government sector and, when it is relevant, how well the definitions align across sectors.

Ultimately this topic is about risk management, with federated identity adding elements of risk that some applications may feel the need to quantify or limit.

  • Definitions/Common Understanding
  • Assurance "Regimes" (e.g., IC Silver, Grids, ICAM, Kantara)
  • Scope/Limitations
    • What is "identity" in this context?
    • What attributes are assured?
    • What about attributes that aren't?
  • Technical Representations in Common Use
  • Multi-LOA applications?