Comments on: Leveraging Varying Level of Assurance http://nosheep.net/story/leveraging-varying-level-of-assurance/ Comic book guy, tech geek, and father of two... Thu, 09 Feb 2012 02:58:30 +0000 hourly 1 http://wordpress.org/?v=3.1 By: zbtirrell http://nosheep.net/story/leveraging-varying-level-of-assurance/comment-page-1/#comment-1370 zbtirrell Fri, 10 Mar 2006 01:51:49 +0000 http://nosheep.net/story/leveraging-varying-level-of-assurance/#comment-1370 It is also important to note how much people always want us to increase the timeout. In an all or nothing situation, as you put it, making a change like that is a huge sacrifice in security. Even now they way we have it, 60 minutes, it's probably a bit to long for a lot of the apps I'd put in Level 4. It is also important to note how much people always want us to increase the timeout. In an all or nothing situation, as you put it, making a change like that is a huge sacrifice in security. Even now they way we have it, 60 minutes, it’s probably a bit to long for a lot of the apps I’d put in Level 4.

]]> By: Jon http://nosheep.net/story/leveraging-varying-level-of-assurance/comment-page-1/#comment-1369 Jon Fri, 10 Mar 2006 01:30:27 +0000 http://nosheep.net/story/leveraging-varying-level-of-assurance/#comment-1369 It makes sense to have the broadest level (lowest LOA) to be 0. That makes it more clear. There will be many people who will see this as making things <em>less secure</em> but I think it's important to notice how this makes things <strong>more secure</strong>. In an all-or-nothing security paradigm, if you just want to check your "cartoon of the day" you must log in. If you walk away leaving yourself logged in you have exposed <em>all</em> your access. Alternately, if your "cartoon of the day" is considered a Level 1 service, you can look at your cartoon and walk away without logging out you have only exposed a very basic level of access. Every time we add another service to our portal we have this consideration, so we warn people, keep timeouts low, and take the complaints. It makes sense to have the broadest level (lowest LOA) to be 0. That makes it more clear.

There will be many people who will see this as making things less secure but I think it’s important to notice how this makes things more secure.

In an all-or-nothing security paradigm, if you just want to check your “cartoon of the day” you must log in. If you walk away leaving yourself logged in you have exposed all your access.

Alternately, if your “cartoon of the day” is considered a Level 1 service, you can look at your cartoon and walk away without logging out you have only exposed a very basic level of access.

Every time we add another service to our portal we have this consideration, so we warn people, keep timeouts low, and take the complaints.

]]>