Define ACR values for credential and identity assertion

Issue #14 wontfix
Torsten Lodderstedt created an issue

RPs may want to request the OP to conduct the authentication process according to particular criteria (e.g. number of authentication factors). The MODRNA profile shall define a couple of reasonable ACR values related to the quality of the authentication process.

RPs may also want to request the OP to ensure the asserted claim values meet certain criteria regarding the verification of the individual person conducting the authentication transaction. The MODRNA profile shall define a couple of reasonable ACR values related to the quality of the identity-related attributes.

Comments (7)

  1. Matthieu Verdier

    Rationale:
    Authentication acr values should reference standard level of assurance definitions and explicitly request out-of-band multi-factor authentication and attribute sharing. The LoAs referenced and delivered by the MODRNA OP are the LoAs as specified in ISO/IEC 29115 Clause 6 – 1, 2, 3, 4 – representing the LoAs of LOW, MEDIUM, HIGH and VERY HIGH.

    The use of the context query parameter is optional but may be required by business rules for example for payment service providers.

    For eSignature services, the request should have distinct acr values and reference the eIDAS LoA definitions: low, substantial and high, coded LoA2, LoA3 and LoA4. The use of the context query parameter is optional but may be required by business rules. The use of the dtbs (data_to_be_signed) query parameter is optional but may be required by business rules. If only the context parameter is present, the context will be signed. This enables "What You See Is What You Sign" use cases. If neither context nor dtbs is present, the empty string is signed.

    The MODRNA OP should provide a precise description of the LoA reference used for each of the acr values.

    Hence the proposed wording:

    query parameter: acr_values

    mobile_loa2: medium, or assurance level 2, two factor authentication
    mobile_loa3: high, or assurance level 3, two factor authentication
    mobile_loa4: very high, or assurance level 4, two factor authentication

    mobile_sign_loa2: low, or assurance level 2, two factor digital signature
    mobile_sign_loa3: substantial, or assurance level 3, two factor digital signature
    mobile_sign_loa4: high, or assurance level 4, two factor digital signature
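The RP side of the proposal above, as an added example that is not part of this thread or of the MODRNA specification: it builds the authorization request with the proposed acr_values and then checks the acr the OP actually returns. In OpenID Connect Core, acr_values is a voluntary request that the OP may not honour, so the returned acr must be verified before the RP trusts the session. The value names come from the comment above; the numeric ranking, the helper names and the sample claims are assumptions constructed for this example.

```python
"""Added example (not from the thread or the MODRNA spec): request the
proposed mobile_loa* ACR values and verify the acr claim that comes back."""
from urllib.parse import urlencode

# Assumed ranking of the values proposed in the thread: higher = stronger LoA.
ACR_RANK = {
    "mobile_loa2": 2, "mobile_loa3": 3, "mobile_loa4": 4,
    "mobile_sign_loa2": 2, "mobile_sign_loa3": 3, "mobile_sign_loa4": 4,
}


def build_auth_query(client_id, redirect_uri, nonce, acr_values):
    """Authorization request query string asking the OP for the listed ACRs.
    acr_values is space-separated, in order of preference (OIDC Core 3.1.2.1)."""
    return urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    })


def acr_satisfies(id_token_claims, requested, minimum):
    """True only if the ID Token's acr is one of the values the RP asked for
    and ranks at least as high as `minimum`. A missing or unknown acr fails:
    the OP is free to ignore acr_values, so absence means 'not satisfied'."""
    acr = id_token_claims.get("acr")
    if acr not in ACR_RANK or minimum not in ACR_RANK:
        return False
    # Membership check also keeps the families apart: an authentication
    # request is not satisfied by a mobile_sign_* value and vice versa.
    if acr not in requested:
        return False
    return ACR_RANK[acr] >= ACR_RANK[minimum]


def run_example():
    """Constructed sample: RP wants loa3 or loa4, OP returns loa3."""
    requested = ["mobile_loa3", "mobile_loa4"]
    query = build_auth_query("rp-client-id", "https://rp.example/cb",
                             "n-0S6_WzA2Mj", requested)
    sample_claims = {"iss": "https://op.example", "sub": "248289761001",
                     "acr": "mobile_loa3"}  # constructed ID Token payload
    return query, acr_satisfies(sample_claims, requested, "mobile_loa3")


if __name__ == "__main__":
    print(run_example())
```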

  2. Jörg Connotte

    Feedback from workshop with GSMA: the format of the defined acr_values should be either a URI (in conjunction with an IANA registration?) or a URL, to allow resolving metadata information about the value.

  3. Jörg Connotte
    • changed status to open
    • edited description

    We specified acr_values for MODRNA Authentication. Can we mark this issue as resolved?

  4. Jörg Connotte

    As long as we do not discuss identity assertion in particular, there is no further need for this issue.
