Added Level of Assurance (LoA) section; fixes #151; fixes #391

[awoie]

As per @peacekeeper request, I tried to come up with a PR that covers LoAs; fixes #151

---

Preview | Diff

[peacekeeper]

This also addresses #391

[peacekeeper]

Thanks, I think this is a useful addition to the Security Considerations section that addresses #151 and #391 and will be relevant to some of the use cases. Maybe it would also be worth mentioning FIDO attestations? In any case, I'm fine with merging this (after applying @TallTed 's fixes).

[awoie]

Thanks, I think this is a useful addition to the Security Considerations section that addresses #151 and #391 and will be relevant to some of the use cases. Maybe it would also be worth mentioning FIDO attestations? In any case, I'm fine with merging this (after applying @TallTed 's fixes).

@peacekeeper I will add FIDO, FIDO 2 / WebAuthn etc. as examples for SCA. I could also add examples for NIST, ISO, eIDAS LoA frameworks if useful.

[TallTed]

(probably worth also adjusting title of this PR, espexcially typo assrance -> assurance,
but also level of assurance -> "Level of Assurance (LoA)")

[msporny]

Minor nits, otherwise LGTM, thanks @awoie! :)

[awoie]

I added some references to NIST, ISO, FIDO/Webauthn.

[peacekeeper]

Maybe @Oskar-van-Deventer also wants to review this, since his issue #151 was the original inspiration for addressing this topic in the spec.

[msporny]

This probably should also say that Verifiable Credentials are an appropriate way to convey this information as well. We can do this editorially or in a future PR.

[msporny]

Editorial, multiple reviews, changes requested and made, no objections, merging.

[peacekeeper]

+1 to merge