Is LOA Unsuitable for the Dominant Pursuits of the Enterprise and their Customers?

Nick Ragouzis, Enosis Group, 19Apr09 (posted)

LOA descends from MAC and its Prohibit regimes; enterprise and individual needs descend from Share regimes. Whereas MAC is, at root, a scheme to restrict the flow of information, identity federation is, at root, a scheme to enable the flow of information. Years on this difference remains unreconciled; it is not the only serious difficulty.


A frequent collaborator, Lena Kannappan, founder and CEO of FuGen Solutions, will be the chair of an Identity Assurance panel at the upcoming, April 20-24, 2009, RSA conference. He asked:

Does the [OMB/NIST] definition of levels of assurance (LOA) translate across protocols and what are the future needs of interoperability across multiple disparate domains or inter-federation scenarios?

Good question, I thought. But I thought a different question might more clearly lay out the challenges:

How well suited are the underlying principles of LOA for the dominant pursuits of enterprises and their customers? Or, as well, for identity federation itself?

Here's my answer, well today's answer.

Mismatched Purpose

I take a running start at that question by assuming the enterprise's dominant pursuits concern the development of information, and its conversion to value. That conversion requires the widest-possible access in the broadest multiplicity of domains and contexts. (Keep in mind this pertains across the board: for example, as much to internal administrative information as to market intelligence and information about me, or you.)

As demonstrated repeatedly, it is exceedingly rare that the agents who could develop such information, or have developed and hold such information, are going to be those who maximize its value. Others, possibly initially unknown others, must become aware of, and finally access (and create mechanisms for leverage of), such information. For the most part, however, this implies access by current, future (new or renewed), customers and their agents. It is a bandwagon phenomonon [1], involving entities far removed (in linkage and profile) from the initial information resource.

For comparison we could name the underlying or informing principles at play here as "share unless," although it could be called "accept unless" or "release unless," etc, or just Share.

By comparison, however, LOA manifests principles we could name as "prohibit unless," or just Prohibit.

Now, the roots of this comparison lie in the origins of LOA: LOA can be seen as derived from the Mandatory Access Control (MAC) subclass of Lattice-based access control (LBAC). Skipping past a lot of assumed considerations, we can identify the kernel for the difference between the two sets of principles: MAC is, at root, a scheme to restrict the flow of information.

Logically, one can attempt to devine the object from its silhouette, so we might derive a Share regime from a Prohibit regime. But practice shows the result is likely to be frail and lacking essential characteristics. (Keeping in mind, of course, that such negated-negative approaches assume the applicability of the law of the excluded middle, and a complete description of the negative space, neither of which are true here.)

Moreover, the fatal flaw to the potent Share regime is the separation of duties assumed or expressed in the Prohibit regime: the differences in duties are not just anti-symmetric, they are (to name just a few confounding conditions) complex, multi-layered, dynamic, and context-sensitive.

Weakened Federation Interoperability

My view is that while some forms of interoperability can increase through LOA, the interoperability that's central to federation is significantly weakened. This is near fatal, as identity federation's core interaction patterns [2] are, at root, a scheme to enable the flow of information. The weakening derives from a related confusion in the difference between claims and assertions, and the role of the IdP in federation architectures. Simply put: In the federated identity architecture an IdP-like entity (with a cooperating SP) converts the grit of arbitrary claims into that grease for identity services called assertions -- which are, wrt the cooperating SP, unequivocal and absolute. Anything that subverts that balance also hinders federated identity.

Although LOA itself does not prefigure a pitiful result, it has been the rare implementer who avoids the pitfalls: SPs stood up without adding the vocabularies necessary for expressing extensible context or purpose, therefore ill-suited as cooperating entities with an IdP; narrowly-drawn IdPs that are not only highly domain-constrained, but also calcified wrt to pre-federation message types and exchange patterns and are therefore unqualified for cross-domain federation operations. The pattern here is that of the lowest common denominator: the obstinant and illiterate SP, the monosyllabic IdP -- a pattern for which LOA presents even less challenge, and less opportunity.

Mismatched Information Potentials

As a way into exploring this latter point, or the overall thesis, consider the distribution of "information potential" for an organization, mapped to the assurance level criteria in LOA.

An enterprise's largest potential for the development of information, by far, is, in LOA, found in the area between and within the lowest of LOA Level 1, excluding some aspects of Level 1, to as extreme as the weakest of LOA Level 2.

Now search your experience: wouldn't you expect a suitable language to have its most expressive power, the fattest of its semantics and constructs, just at the locus of the most potential? Yet LOA invests its richness in a sort of dungeons-and-dragons-like game of the ways to say pretty-please. LOA dramatically fails the language test.

I suggest that now, several years into this, and having experienced the contorting attempted adaptations of many organizations, we should just admit that LOA is not the same as the realm of identity federation or cross-domain identity-enabled services: it is just that small part related to restricted services. In trying to fit it as the over-arching schema for identity assurance, it offers only gymnastics and pain to enterprises, and reduced results to the dominant pursuit of an organization and its customers (or even a government, btw).

In my experience LOA's apparent simplicity easily seduces those happy to avoid the more arduous challenge of preparing their applications and infrastructure for the full (cross-domain) identity federation, then, not having the necessary infrastructure, they fail to realize enterprise-level strategic results.

Where LOA Cannot Serve

In reviewing "Identity Assurance Needs," it is common to include, and assume, identity federation and many aspects thereof. I wonder if it might also be useful to review the architectural fundamentals of identity federation. In identity federation architecture, identity is the organizing principle: it is realized not just as a noun, but as an active object. Identity is not constrained by or invented for, policy: identity exchange is an enabler.

The identity message (the assertion or equivalent statement made by an IdP per the requirements of an SP; not a claim) is the locus of application semantic enrichment. The exchange of identity messages serve to transmit and realize that semantic, and in the process crosses boundaries, translates, protects, hides, makes referrals, and bootstraps. Extensibility is key to both, the message and the exchange: from extensibility derives composability, dynamic configuration, deployment-time extensions, process instantiation, tractable regulation and governance, and a fluid working security and privacy.

These aspects, in turn, serve to enable those others, possibly initially unknown others, and their agents, to help an enterprise turn its information into value.

The LOA schema was not proposed to serve or enable these architectural fundamentals and the related aspects. Yet in proposing to ameliorate the difficulties of identity assurance, its direct and indirect effects have led to debasement of the operational and strategic essentials of identity federation.

What About The Original Question?

Considering, then, the purpose of identity assurance in the enterprise and with and among its customers, wrt current and future needs of interoperability across disparate domains, etc, I suggest, most succinctly: LOA has proven a simplification too far.


[1] IIW2005 Bandwagon Economics, The Necessary Ingredient for Success on the Identity Internet.

[2] Core Interaction Patterns of an Identity Federation Framework.

Of Interest

  • 20Apr09, Is LOA Unsuitable for the Dominant Pursuits of the Enterprise and their Customers?. Our frequent collaborator, Lena Kannappan, of FuGen Solutions, in preparing for chairing a panel at the upcoming RSA conference proposed this discussion question: Do the NIST/OMB LOA definitions translate to current and future needs of federation? My conclusion: LOA has shown itself to be a simplification too far. The reasons boil down to the contradictions between the Share principles guiding identify federation, and the Prohibit principles of LOA. Moreover, LOA offers thin expressive power just in the range where organizations and individuals derive their most value. As a closer, I consider how LOA undermines key design patterns of identity federation.
  • 19Apr09, Core Interaction Patterns of an Identity Federation Framework. An October 17, 2007, presentation for the Cyberinfrastructure Design Workshop of the Ocean Observatories Initiative, at UCSD La Jolla. Specialized for their domain model, briefly presents the two main patterns: the interaction pattern embodied in authn messages, which is the more potent and the source of semantic richness; and the interaction pattern embodied in exchanges of authn, which is more fully exploited, perhaps excessively so in compensation for a poorer understanding of the former pattern. Presents identity as an organizing principle. Touches on how IdP and SP, working together, convert the grit of arbitrary claims into the grease (viz assertions) of the Identity Internet. Offers a basis for understanding the sources of extensibility, and the purposes to which it might be applied. Includes notes.
  • 19Apr09, Privacy, a study in assiduity is a presentation used, initially, in my October, 2007, talk at Stanford's CS44 course: What Hath Google Wrought: Managing Information in the Information Age. It is a primer, with discussions of the asymmetries involved among the user, malefactors, advertisers, and others, drawing a comparison to the Dutch and the Carnarsee Indians. Touches on the expectations of and by users; and possible actions. Elaborates on my [Crack:Cry] metric for passwords and consequences. Includes notes.
  • 13Oct07, Why the Identity Internet? How is the Identity Internet a disruptive technology? What lessons are there in the design choices between world-ready TV-Anytime and the disasterous, cravenly anti-consumer, and US-centric ATSC program guide standards? Now available, the full version of the October, 2005, presentation: IIW2005 Bandwagon Economics, The Necessary Ingredient for Success on the Identity Internet (ppt). Also in more direct exposition Bandwagon Economics ... Identity Internet (pdf); more explanation, no pictures.
  • 13Oct07, The detailed Appendix A (plus Introduction, and overall Table of Contents) to the more detailed, earlier draft of the Versatile Interoperability Identity Internet in Europe (see below), giving the expanded version of the EU regulatory regime, Directives, Regulations, and other actions, which the work addresses or accommodates in its architecture and recommendations.
  • 22Aug06, A focused and much abbreviated version of the IIW2005 Bandwagon Economics, The Necessary Ingredient for Success on the Identity Internet: Identity in the Digital Age, an Introduction for Interaction Designers. In giving this talk I've found it doesn't entirely satisfy many, but it gets folks engaged. You will find introductory material on how digital identity is cast as a disruptive technology. It is also available in 'handout pdf'. Both forms are constructed just for browsing, not presentation.
  • 29May06, A Versatile Interoperable Identity Internet in Europe. TWIST Standards has released its whitepaper entitled Realizing SEPA Benefits: Corporate Requirements and Key Elements of the Business Solution. (13Oct07: That link is temporarily dead; here is a cached version: TWIST SEPA White Paper on Identity Internet in Europe.) Although it may not sound like it, this document lays out the ways in which identity is crucial for business success, and why business success is crucial for SEPA, for the EU privacy and identity project, and for it's people. It is a triumph of (someone else's) editing, taking among other contributions our detail on the identity infrastructure-related guidance in EU Directives and such, and the central part of our architecture for a Versatile Identity Infrastructure.
  • 12Apr06, Update to links and a minor addition (and typo correction) to prioritized federated identity specs reading list for technos just beginning designs based on FedId architectures.
  • 13Mar06, By-deployment details on SAML and Liberty Alliance adoption published by LAP. Dig into the segments to see 65 unique entries (unique-ish; sans repeats 18 are anon. But counting Exostar which was html-hidden). Not counting 29 addt'l IdM vendor items. Scan the remarkably dull press release. BTW, a generous SWAG from the numbers listed gave me 875 million, somewhat less than the touted 1 billion; that's still likely way high. Nonetheless, it's impressive.
  • 7Jan06: Updated on resources re 9Mar05 Standardization of the SAMLv2.0 specification. Check out the revised, updated SSTC page. SAMLv2.0 Executive Overview is the best, latest, updated executive overview of federated identity technology.