With a wide range of identity assurance frameworks to choose from, the most appropriate choice of assurance profile for a use case (one that meets both the risk assessment and the social and community context in which the assurance is needed) may be viewed as confusing. The choice of Cappuccino or Espresso from the REFEDS Assurance Framework, Assam from the AARC social media assurance, Birch and Dogwood from the Interoperable Global Trust Federation, Silver and Bronze from InCommon, and Levels 1 through 4 from both Kantara and NIST SP800-63 – all of these merit a policy mapping and comparison framework. In this whitepaper, we identify the implicit trust assumptions (in research and collaboration frameworks, the R&E identity federations, general private sector frameworks and e-government schemes) and present a way of comparing these frameworks.
This whitepaper is a response to the request for a matrix showing the different assurance levels in the context of the AARC Guidelines and deliverables. The relationships and comparison have now been published in the AARC white paper AARC-I050, "Comparison Guide to Identity Assurance Mappings for Infrastructures".
Depending on the context, several assurance frameworks may fit the use case at hand. Some are monolithic and present combinations of factors that have to be used together to reach a certain 'level'. Others decompose assurance into its constituent components (identifier assignment, vetting, freshness, and authenticator strength) and then construct assurance profiles that are tuned to a collaborative context.
This targeted activity aims to compare various modern assurance frameworks and review their applicability for research and collaboration infrastructures:
- REFEDS Assurance Framework (RAF) and the SFA and MFA profiles
- IGTF Generalised Assurance guidelines for infrastructures
- NIST SP800-63 version 3 (componentized)
- eIDAS European Government eID system
- Kantara Identity Assurance Framework
Assurance Comparison Leaflet
- Assurance comparison sheet (relationships based on REFEDS vetting elements) - also as VSDX source data
Meetings and events
- EUGridPMA 45, AARC NA3, and GN43 EnCo: https://www.eugridpma.org/meetings/2019-01/ ("Assurance Profiles - a suite of options")
- TIIME 2019 Vienna: Untangling Assurance Spaghetti (https://pad.vweb.dress-code.biz/p/tiime19untangling-assurance)