
Levels of Assurance

CILogon operates three Certification Authorities (CAs) with consistent operational and technical security controls. The CAs differ only in their procedures for subscriber authentication, identity validation, and naming. These differing procedures result in different Levels of Assurance (LOA) regarding the strength of the identity contained in the certificate. For this reason, relying parties may decide to accept certificates from only a subset of the CILogon CAs. The following table summarizes the LOA of each CA. For additional details, please refer to the CA policies.

| CA | Registration Authorities | Certificate Subject Names | Identity Vetting | Accreditation |
|---|---|---|---|---|
| Silver | InCommon Federation members that qualify for the InCommon Silver identity assurance designation | authenticated organization name and subscriber's name (with unique serial string) | NIST SP 800-63 Level 2 | IGTF MICS |
| Basic | InCommon Federation members | authenticated organization name and subscriber's name (with unique serial string) | varies | none |
| OpenID | OpenID Providers (Google, PayPal, VeriSign) certified at OIX US ICAM LOA 1 | self-asserted subscriber's name (with unique serial string) | self-asserted identities | none |

The top priority for the CILogon project is enabling secure access to cyberinfrastructure (CI) using campus credentials via the InCommon Federation. The nation's colleges and universities are natural identity providers for academic researchers, because of the strong relationships that researchers have with their campuses in their roles as faculty, staff, and students. Through the InCommon Identity Assurance program (currently under development), many researchers will be able to obtain a standards-compliant credential from their university that is recognized at Level of Assurance (LOA) "Level 2" according to the US Government ICAM Trust Framework. With this LOA 2 credential, researchers will be able to obtain a "CILogon Silver" certificate approved by the International Grid Trust Federation (IGTF) for use worldwide.

However, in some cases researchers will not be able to use CILogon via InCommon. For example, their home campus may not yet be an InCommon member, or they may not have an affiliation with a US university. Researchers in other countries may be able to obtain certificates via their national federation using services similar to CILogon, such as the TERENA Certificate Service in Europe, which is also approved by the IGTF.

Another option is to use OpenID with CILogon. Using accounts with Google, PayPal, or VeriSign, researchers can authenticate to CILogon via OpenID to obtain a "CILogon OpenID" certificate. While this type of certificate has a lower level of assurance, it is not without value. The Open Identity Exchange (OIX) is an approved LOA 1 provider under the ICAM Trust Framework, and OIX has in turn certified these OpenID providers (Google, PayPal, and VeriSign) at LOA 1. While LOA 1 provides no identity verification (unlike LOA 2 and above), it does provide basic assurance that the person authenticating today is the same person who authenticated with the same identity yesterday. In many cases, this LOA is sufficient for access to CI (as determined by the CI provider).

CILogon supports both InCommon and OpenID authentication to enable wider access to CI. Depending on the type of authentication used, CILogon issues certificates from different Certification Authorities, which allows CI providers to know the LOA for a particular authentication and decide which LOAs to accept. To maintain a consistent LOA for "CILogon OpenID" certificates, the CILogon project accepts OpenID authentication only from those providers that are certified at LOA 1 (or above).
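Because each LOA is issued by its own CA, a relying party enforces its choice by installing only the accepted CAs as trust anchors. The following is an added example (not CILogon's own code) that shows this with OpenSSL; the throwaway CAs named silver, basic and openid, their subjects, and the two site bundles are all constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example. Throwaway CAs stand in for the Silver, Basic and OpenID CAs;
# every subject, key and file name here is constructed for the demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {   # make_ca NAME -> self-signed CA in $work/NAME-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Demo/CN=Demo $1 CA" \
    -keyout "$work/$1-ca.key" -out "$work/$1-ca.pem" 2>/dev/null
}

issue() {     # issue NAME -> end-entity cert signed by that CA
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Demo/CN=Researcher via $1" \
    -keyout "$work/$1-user.key" -out "$work/$1-user.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1-user.csr" -days 1 \
    -CA "$work/$1-ca.pem" -CAkey "$work/$1-ca.key" -CAcreateserial \
    -out "$work/$1-user.pem" 2>/dev/null
}

build_trust() {   # build_trust BUNDLE NAME... -> trust anchors = listed CAs only
  bundle=$1; shift
  : > "$bundle"
  for name in "$@"; do cat "$work/$name-ca.pem" >> "$bundle"; done
}

decision() {  # decision BUNDLE NAME -> prints accept or reject
  # openssl also consults the default CA directory; the demo CAs are not in it.
  if openssl verify -CAfile "$1" "$work/$2-user.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

for ca in silver basic openid; do make_ca "$ca"; issue "$ca"; done

# Site A accepts only the IGTF-accredited CA; site B accepts all three LOAs.
build_trust "$work/site-a.pem" silver
build_trust "$work/site-b.pem" silver basic openid

for ca in silver basic openid; do
  printf '%-6s site-a=%s site-b=%s\n' "$ca" \
    "$(decision "$work/site-a.pem" "$ca")" \
    "$(decision "$work/site-b.pem" "$ca")"
done
```

A certificate from a CA that is not in the site's bundle fails chain building, so the rejection happens before any subject-name or authorization logic runs.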