Levels of Assurance

CILogon operates multiple Certification Authorities (CAs) with consistent operational and technical security controls. The CAs differ only in their procedures for subscriber authentication, identity validation, and naming. These differing procedures result in different Levels of Assurance (LOA) regarding the strength of the identity contained in the certificate. For this reason, relying parties may decide to accept certificates from only a subset of the CILogon CAs. The following table summarizes the LOA of each CA. For additional details, please refer to the CA policies.

CA: Silver
  Registration Authorities: InCommon Federation members that qualify for the InCommon Silver identity assurance designation
  Certificate Subject Names: authenticated organization name and subscriber's name (with unique serial string)
  Identity Vetting: NIST SP 800-63 Level 2
  Accreditation: IGTF MICS

CA: Basic
  Registration Authorities: InCommon Federation members
  Certificate Subject Names: authenticated organization name and subscriber's name (with unique serial string)
  Identity Vetting: varies
  Accreditation: IGTF IOTA

CA: OpenID
  Registration Authorities: OpenID Provider(s) (Google)
  Certificate Subject Names: self-asserted subscriber's name (with unique serial string)
  Identity Vetting: self-asserted identities
  Accreditation: none

CA: OSG
  Registration Authorities: Open Science Grid approved registration authorities (https://idmanager.opensciencegrid.org/)
  Certificate Subject Names: user and host names
  Identity Vetting: validated by OSG registration authorities
  Accreditation: IGTF Classic

The top priority for the CILogon project is enabling secure access to cyberinfrastructure (CI) using campus credentials via the InCommon Federation. The nation's colleges and universities are natural identity providers for academic researchers, because of the strong relationships that researchers have with their campuses in their roles as faculty, staff, and students. Through the InCommon Identity Assurance program, researchers are able to obtain a standards-compliant credential from their university that is recognized at Level of Assurance (LOA) "Level 2" according to the US Government ICAM Trust Framework. With this LOA 2 credential, researchers can obtain a "CILogon Silver" certificate approved by the International Grid Trust Federation (IGTF) for use worldwide.

However, in some cases researchers will not be able to use CILogon via InCommon. For example, their home campus may not yet be an InCommon member, or they may not have an affiliation with a US university. Researchers in other countries may be able to obtain certificates via their national federation using services similar to CILogon, such as the TERENA Certificate Service in Europe, which is also approved by the IGTF.

Another option is to use OpenID with CILogon. Using their Google account, researchers can authenticate to CILogon via OpenID to obtain a "CILogon OpenID" certificate. While this type of certificate has a lower level of assurance, it is not without value. It provides a basic assurance of continuity: the person authenticating today is the same person who authenticated with the same identity yesterday. It does not, however, vouch for who that person is; the name in the certificate subject is self-asserted, so a CI provider that relies on OpenID certificates should key authorization on the full subject DN (including its unique serial string) rather than on the human-readable name. In many cases this LOA is sufficient for access to CI, as determined by the CI provider.

CILogon supports both InCommon and OpenID authentication to enable wider access to CI. Depending on the type of authentication used, CILogon issues certificates from different Certification Authorities, which allows CI providers to know the LOA for a particular authentication and decide which LOAs to accept.
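The mechanism behind "accept certificates from only a subset of the CILogon CAs" (first paragraph) and "decide which LOAs to accept" (this paragraph) is simply the relying party's choice of trust anchors: each CILogon CA is a separate issuer, so a service controls the LOAs it admits by controlling which CA certificates it installs. The following shell script is an added example, not CILogon's own code or configuration. It generates throwaway demo CAs and end-entity certificates locally with openssl, using issuer names of the form "CILogon Silver CA 1" that are assumed for illustration and are unrelated to the real CILogon CA certificates, then shows a strict trust store (Silver and Basic only) rejecting an OpenID-issued certificate that a permissive trust store accepts.

```shell
#!/bin/sh
# Added example, not CILogon's code. Demonstrates trust-store partitioning:
# a relying party admits a given LOA by installing (or omitting) that CA's
# certificate. All CAs and certificates here are generated locally; the
# issuer DNs are ASSUMED for illustration only.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed demo CA. $1 = short name, $2 = CN for the (assumed) issuer DN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
        -subj "/DC=org/DC=cilogon/C=US/O=CILogon/CN=$2" >/dev/null 2>&1
}

# Issue an end-entity certificate from a demo CA.
# $1 = CA short name, $2 = leaf short name, $3 = subject CN (constructed).
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/DC=org/DC=cilogon/C=US/O=Example University/CN=$3" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Build a relying party's trust store (PEM bundle) from an explicit list of CA
# short names. Any issuer not in the list is untrusted, whatever LOA it claims.
build_trust_store() {
    store="$1"; shift
    : > "$store"
    for ca in "$@"; do
        cat "$WORK/$ca-ca.crt" >> "$store"
    done
}

# Return 0 (accept) if the leaf chains to a CA in the trust store, 1 otherwise.
accepted_by() {
    store="$1"; leaf="$2"
    if openssl verify -CAfile "$store" "$WORK/$leaf.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print the relying party's decision as a word, for display and for checking.
verdict() { if accepted_by "$1" "$2"; then echo accept; else echo reject; fi; }

# One demo CA per LOA class from the table (names assumed), one user cert each.
setup_demo() {
    make_ca silver "CILogon Silver CA 1"
    make_ca basic  "CILogon Basic CA 1"
    make_ca openid "CILogon OpenID CA 1"
    issue_leaf silver user-silver "Jane Researcher A1234"
    issue_leaf basic  user-basic  "Jane Researcher A1234"
    issue_leaf openid user-openid "Jane Researcher A1234"
    # A service that requires IGTF-accredited identity vetting installs only the
    # Silver and Basic anchors; the OpenID CA is deliberately left out.
    build_trust_store "$WORK/accredited.pem" silver basic
    # A less demanding service accepts all three.
    build_trust_store "$WORK/any-cilogon.pem" silver basic openid
}

setup_demo
for leaf in user-silver user-basic user-openid; do
    echo "$leaf: accredited=$(verdict "$WORK/accredited.pem" "$leaf")" \
         "any-cilogon=$(verdict "$WORK/any-cilogon.pem" "$leaf")"
done
```

Note that the OpenID certificate carries the same self-asserted name as the others; only the issuer differs, which is why the decision has to be made on the trust anchor and not on anything in the subject. In practice the IGTF distribution ships each accredited CA as its own trust-anchor package, which is what makes installing a subset straightforward; a production relying party would also check revocation, which this demo omits.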