[Openid-specs-mobile-profile] level of assurance as acr_values in mobile profile

Connotte, Joerg j.connotte at telekom.de
Sun Feb 8 19:52:12 UTC 2015

Dear all,

I wanted to share some considerations we discussed about how to address the task of specify standard values for acr in the Mobile Profile.

Making a distinction between identity and credential of an entity:
The levels of assurance as defined in ISO29115 mix up the assurance about the identity of an entity and assurance about the credentials of an entity used during authentication.
However those two aspects of an entity are altogether different and basically independent of each other.

Identity of an entity is information about certain (personal) data of an entity. In case the entity in question is a real person examples for those are: given name, last name, birthday, address etc.
Thus assurance about identity concern itself with answers to the questions how well the information about this identity is validated. I other words how much effort was taken to ensure the correctness of the data. During authentication this information is not re-validated.

Credentials are secrets in possesion of and in some cases controlled by an entity which are used to validate an authentication. 
Typical credentials are username/password, mobile network, fingerprint etc. 
Assurance about credentials concerns itself with the trustworthiness of the mechanisms actually used to protect those credentials.

Assurance that an entity is the same over consecutive authentication processes can rely solely on the assurance of the protection of the credentials of this entity. It is not necessary to know anything about the identity of the entity.

It is theoretically possible to have a high level of assurance about the correctness of certain identity information about an entity without a high level of assurance about the correctness of the credentials of the same entity.
Moreover validating identity information about an entity may be difficult whereas providing a trustworthy set of credentials is relatively easy.

Proposition for Mobile Profile:
The definition of a separate set of acr values for 'credential assurance' and 'identity assurance' seems to be a useful thing to consider. For most use cases discussed in the Mobile Connect project secure authentication without exposing any identity data execpt a unique identifier is sufficient.

What do you think?

Kind Regards
Jörg Connotte	

Products & Innovation
Jörg Connotte
Customer Platforms
T-Online-Allee 1, 64295 Darmstadt
+49 6151 680-7288 (Tel.)
+49 151 184-15517 (Mobil)
E-Mail: j.connotte at telekom.de


You can find the obligatory information on www.telekom.com/compulsory-statement


More information about the Openid-specs-mobile-profile mailing list