The National Institute of Standards and Technology (NIST) has a publication (800-63) that defines four Levels of Assurance for electronic authentication. There are ways to incorporate this notion into SAML but not user-centric identity models.
Wouldnt it make since for the Microsoft do define an element in the WS-SecurityPolicy document where a Relying Party (RP) could define what level of assurance it requires?
The Identity Provider (IDP) should be able to interpret the required security policies of the relying party in this regard and then require the user to use a credential that has been proofed to this level.
By not reducing these types of concerns down to a single attribute, it requires the relying party to have complex logic to derive this type of concern. Even then, it still requires lots of interactions in terms of legal agreements with identity providers whom will all have their own take on the problem.
Kim Cameron, Mike Jones and others could put this one down quickly...
