Is expressing Levels enough for LoA2+?

Nat Sakimura writes that Level of Assurance 2 is not good enough for the Relying Party, because the RP cannot assess the risk associated with the particular authentication. A form of explicit liability should be added to make automated, and hence scalable, contract negotiation possible.

I agree with the idea of a liability limit, but with some considerations:

  1. Most applications at LoA 2 will not need this, because they do not need formal risk analysis. It is good enough if the IdP provides the same or better operational controls than the RP would afford itself.
  2. A liability limit should be oriented toward legal contracts such as registered letters or parcels. Mathematical models are not easily understood by the business and legal staff who are responsible for applications.