Full Title or Meme
- Some means of assuring Web Site Security is required. See that page for details.
- The rest of this page is about establishing a level of assurance for User Information about a User also known as a Subject.
- New version of SP 800-63-3 with Assurance separated out from the other Authentication Attributes.
- Provenance is a term that is sometimes used for the level of Assurance that a Data Controller has in the origin and reliability of User Attributes, especially health care data.
- In contexts where names are not validated (of low Assurance), the problem arises that trolls may adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.
- See discussion on the pages for Ephemeral and Persistent.
- Most of the existing protocols, like OpenID Connect and SAML 2.0, support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 29115.
A rather facile mapping of the NIST SP 800-63-3 levels of Assurance to the processes known today is:
- AAL1 ==> password
- AAL2 ==> 2FA
- AAL3 ==> U2F
- Synonyms include: Validated, which is typically used with Assurance of claims, or Attested, which is typically used with Assurance of User Devices.
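
As an added example (not part of the original page), the Python below shows how a relying party could apply the facile AAL mapping above to the `acr` and `amr` claims of an OpenID Connect ID token and decide whether to ask for step-up authentication. The `acr` strings, the function names and the assignment of RFC 8176 `amr` values to each level are assumptions made for illustration, and the token's signature, issuer, audience and expiry are assumed to have been verified already.

```python
# Added example. Assumes signature, iss, aud and exp were already verified.
# ACR_TO_AAL keys are hypothetical acr strings agreed with the IdP.
ACR_TO_AAL = {"aal1": 1, "aal2": 2, "aal3": 3}

# RFC 8176 amr values, grouped by this page's mapping (the grouping is an assumption).
KNOWLEDGE = {"pwd", "pin"}            # something the user knows
SOFT_SECOND = {"otp", "sms", "swk"}   # second factor without a hardware-secured key
HARD_KEY = {"hwk"}                    # hardware-secured key, such as a U2F token


def aal_from_amr(amr):
    """AAL (0-3) that the reported methods support under the page's mapping."""
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        return 0                      # missing or malformed claim: no assurance
    methods = set(amr)
    if not methods & KNOWLEDGE:
        return 0                      # the mapping starts from a password
    if methods & HARD_KEY:
        return 3
    if methods & SOFT_SECOND:
        return 2
    return 1


def effective_aal(claims):
    """Lower of what the IdP asserts (acr) and what amr backs up."""
    acr = claims.get("acr")
    asserted = ACR_TO_AAL.get(acr, 0) if isinstance(acr, str) else 0
    return min(asserted, aal_from_amr(claims.get("amr")))


def decide(claims, required_aal):
    """'allow' when the login meets the resource's AAL, else 'step_up'."""
    return "allow" if effective_aal(claims) >= required_aal else "step_up"


# Constructed ID token claim sets (not real tokens).
PASSWORD_ONLY = {"sub": "u1", "acr": "aal1", "amr": ["pwd"]}
PASSWORD_OTP = {"sub": "u1", "acr": "aal2", "amr": ["pwd", "otp"]}
PASSWORD_U2F = {"sub": "u1", "acr": "aal3", "amr": ["pwd", "hwk"]}
OVERCLAIMED = {"sub": "u1", "acr": "aal3", "amr": ["pwd"]}  # acr not backed by amr
NO_CLAIMS = {"sub": "u1"}

if __name__ == "__main__":
    for name, c in [("password", PASSWORD_ONLY), ("otp", PASSWORD_OTP),
                    ("u2f", PASSWORD_U2F), ("overclaimed", OVERCLAIMED),
                    ("none", NO_CLAIMS)]:
        print(name, effective_aal(c), decide(c, 2))
```

Taking the lower of the two claims means an `acr` value that the listed methods do not support, or a token with no assurance claims at all, results in a step-up request rather than access.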