
Identity Assurance Framework: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted / Content added (no edit summary), at line 8 of the wikitext. Only the final sentence of the paragraph on Assurance Levels changed; the rest of that paragraph, the preceding paragraph on identity assertions, and the following ==Purpose== heading are identical in both revisions.

Content deleted: "These Assurance Levels are also recognized and referenced in the Liberty Alliance [http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.1.pdf Identity Assurance Framework]."

Content added: "These Assurance Levels are also recognized and referenced in the Kantara Initiative [http://kantarainitiative.org/confluence/display/idassurance/WG+Approved+Specifications Identity Assurance Framework]."

Revision as of 17:38, 1 February 2010

Kantara Initiative's Identity Assurance Framework (IAF), which is based on the former Liberty Alliance's Identity Assurance Framework (IAF), provides a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential. This degree of certainty is represented by a commonly agreed-upon "level of assurance." The IAF specifies the checks that IdPs carry out on entities, the way IdPs run their services, and how the IdPs are audited to ensure they are operating their services in conformance with their proclaimed level(s) of assurance and the stated terms of service.

Identity Assurance

Identity assurance, in an online context, is the ability of a Relying Party to determine, with some level of certainty, that a claim to a particular identity made by some entity can be trusted to actually be the claimant's "true" identity. Identity claims are made by presenting an identity credential to the Relying Party. In the case where the entity is a person, this credential may take several forms, including: (a) personally identifiable information such as name, address, birthdate, etc.; (b) an identity proxy such as a username, login ID, or email address; and (c) an X.509 digital certificate.

Identity assurance specifically refers to the degree of certainty that an identity assertion made by an Identity Provider to a Relying Party about some person actually refers to the person who made a claim of identity by presenting an identity credential to the Relying Party. In order to issue this assertion, the Identity Provider must first determine whether or not the claimant possesses and controls an appropriate token, using a predefined authentication protocol. Depending on the outcome of this authentication procedure, the assertion returned to the Relying Party by the Identity Provider allows the Relying Party to decide whether or not to trust that the identity associated with the credential actually "belongs" to the person presenting the credential.

The degree of certainty that a Relying Party can have about the true identity of someone presenting an identity credential, after receiving an identity assertion from an Identity Provider, is what is referred to as the "Assurance Level". Assurance Levels (ALs) are determined by the kinds of technologies, processes, and policies associated with the credentials, tokens, and authentication procedures. The U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 (NIST800-63) outlines four (4) levels of assurance, ranging in confidence level from low to very high. The level of assurance provided is measured by the strength and rigor of the identity proofing process, the strength of the token used to authenticate the identity claim, and the management processes the Identity Provider applies to it. These four Assurance Levels have been adopted by the U.K. government, the Government of Canada and the U.S. Federal Government for categorizing electronic identity trust levels for providing electronic government services. These Assurance Levels are also recognized and referenced in the Kantara Initiative Identity Assurance Framework.

Purpose

In order to conduct business in an online world, entities need to be able to identify themselves remotely and reliably. In most cases, however, it is not sufficient for the typical electronic credential (usually a basic userID/password pair or a digital certificate) to simply make the assertion that "I am who I say I am - believe me." A relying party (RP) needs to be able to know to some degree of certainty that the presented electronic identity credential truly represents the individual presenting the credential. In the case of self-issued credentials, this isn't possible. However, most electronic identity credentials are issued by identity providers (IdPs): the workplace network administrator, a social networking service, an online game administrator, a government entity, or a Trusted Third Party that sells digital certificates. Most people have multiple credentials from multiple providers. Four separate audiences are affected by the transaction---and the inherent trust therein:

  1. Users of electronic identity credentials,
  2. Entities that rely upon the credentials issued by electronic identity providers (IdP),
  3. Providers of IdP services and auditors or assessors who review the business processes of IdPs, and
  4. Relying Parties (RPs) who must trust electronic identity credentials provided by IdPs

Different IdPs follow different policies and procedures for issuing electronic identity credentials. In the business world, and especially in government, the more trustworthy the credential, the more stringent the rules governing identity proofing, credential management and the kind of credentials issued. But while different IdPs follow their own rules, more and more end users (often called subscribers) and online services (often called relying parties) wish to trust existing credentials rather than issue yet another set of userIDs/passwords or other credentials just to access a single service. This is where the concept of Federated Identity becomes important. Federated Identity provides IdPs and relying parties with a common set of identity trust conventions that transcend individual identity service providers, users, or networks, so that a relying party will know it can trust a credential issued by IdP 'A' at a level of assurance comparable to a common standard, which will also be agreed upon by IdPs 'B,' 'C,' and 'D.' Several presentations on the application of the Identity Assurance Framework have been given by various organizations, including Wells Fargo and Fidelity Investments, and case studies about Aetna and Citigroup are also available.

History

The Identity Assurance Framework is based, in part, on the Electronic Authentication Partnership Trust Framework and the US E-Authentication Federation Credential Assessment Framework, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it attempts to define a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications. The work began within the Liberty Alliance in early 2007, and the first public draft was published in November 2007, with version 1.1 released in June 2008. Work is ongoing within the Liberty Alliance. The Identity Assurance Expert Group within Liberty Alliance is also working collaboratively on identity assurance with the ITU-T (via the ITU-T SG17Q6 Correspondence Group on X.EAA on harmonization and international standardization of the Identity Assurance Framework---work commenced Sept. 2008); ISOC (ISO SC27 29115 Harmonization with Identity Assurance Framework, among other contributions); and the American Bar Association (collaboration to develop a model trade agreement for federated identity).

Contents

The IAF is a standardized approach that defines processes and procedures for IdPs, relying parties and Federation Operators to trust each other's credentials at known levels of assurance. The main components of the IAF are:

  1. Assurance Level Criteria
  2. Service and Credential Assessment Criteria
  3. Accreditation and Certification Model, and
  4. Associated Business Rules.

Assurance Level Criteria

Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The IAF defers to the guidance provided by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 (NIST800-63), which outlines four (4) levels of assurance, ranging in confidence level from low to very high. The level of assurance provided is measured by the strength and rigor of the identity proofing process, the credential's strength, and the management processes the service provider applies to it. The IAF then goes on to describe the service assessment criteria at each AL for electronic trust services providing credential management services. The IAF has published a standard set of assurance levels regarding the authentication of the user: Level 1 means low assurance, Level 2 means medium assurance, and so on. As of today there are 4 levels of assurance, based on the NIST-standard levels of assurance, with Level 4 being the highest. When a digital token is issued, it states the level of assurance at which the user was authenticated, Level 1 through Level 4. For example, one issuer may have used an RSA SecurID token in combination with a username and password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID and PIN to issue a Level 2 token. The RP receiving the tokens from both issuers simply knows that both tokens are Level 2; it does not know, and does not need to know, what the actual mechanics were, only that an audit process certified that the mechanism for generating the token meets the criteria laid out by the Liberty IAF.

On the relying party side, these same four Assurance Levels map to increasing levels of risk from hacking, data/identity theft, etc. In this way, Assurance Levels tie an increased risk of harm in a transaction to an increased level of trust required in the identities of the transaction participants.
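The issue-and-decide flow described in the Identity Assurance section and in the Assurance Level Criteria above, as an added Python example that is not part of the article, of the Kantara/Liberty IAF, or of any IdP product: the Identity Provider packages the Assurance Level at which it authenticated the claimant into a signed assertion, and the Relying Party checks that the issuer is an accredited member of the federation, that the assertion verifies, that the AL it credits never exceeds the AL the issuer was accredited for, and that the credited AL meets the AL its own risk policy requires for the requested operation. The issuer names, keys, accreditation levels, operations and the HMAC-based signing are all constructed assumptions for the demonstration; a real federation would use its own signature scheme.

```python
"""Added example (not from the article or the IAF): an IdP issues an
assertion carrying an Assurance Level; an RP decides whether to act on it.
All names, keys, levels and operations below are constructed."""
import hashlib
import hmac
import json
from enum import IntEnum


class AssuranceLevel(IntEnum):
    AL1 = 1  # low
    AL2 = 2  # medium
    AL3 = 3  # high
    AL4 = 4  # very high


# Constructed federation registry held by the RP: for each accredited IdP,
# the key used to verify its assertions and the highest AL an assessor has
# accredited it for. (HMAC stands in for the federation's signature scheme.)
REGISTRY = {
    "idp-a.example": {"key": b"shared-secret-a", "accredited_al": AssuranceLevel.AL2},
    "idp-b.example": {"key": b"shared-secret-b", "accredited_al": AssuranceLevel.AL3},
}

# Constructed RP policy: minimum AL per operation, chosen from the harm that
# would follow from accepting the wrong person (more harm -> higher AL).
REQUIRED_AL = {
    "view_statement": AssuranceLevel.AL1,
    "update_address": AssuranceLevel.AL2,
    "transfer_funds": AssuranceLevel.AL3,
    "change_beneficiary": AssuranceLevel.AL4,
}


def issue_assertion(issuer, key, subject, authenticated_at_al):
    """IdP side: after verifying the claimant's token, put the resulting AL
    into a signed assertion. The RP learns the level, not the mechanism."""
    payload = json.dumps(
        {"issuer": issuer, "subject": subject, "al": int(authenticated_at_al)},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def effective_assurance(assertion):
    """RP side: 0 if the assertion is malformed, from an unknown issuer, or
    fails verification; otherwise the asserted AL capped at the issuer's
    accreditation, so an IdP cannot self-assert a level it was not audited for."""
    payload = assertion.get("payload") if isinstance(assertion, dict) else None
    if not isinstance(payload, bytes):
        return 0
    try:
        claims = json.loads(payload)
    except ValueError:
        return 0
    if not isinstance(claims, dict):
        return 0
    entry = REGISTRY.get(claims.get("issuer"))
    if entry is None:
        return 0
    expected = hmac.new(entry["key"], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(assertion.get("tag", ""))):
        return 0
    asserted = claims.get("al")
    if type(asserted) is not int or asserted < 1:
        return 0
    return min(asserted, int(entry["accredited_al"]))


def decide(assertion, operation):
    """Return (allowed, reason): compare the AL the RP may credit with the AL
    the operation's risk demands."""
    required = int(REQUIRED_AL[operation])
    effective = effective_assurance(assertion)
    if effective == 0:
        return False, "assertion rejected: unknown issuer, bad signature or malformed"
    reason = f"AL{effective} credited, AL{required} required for {operation}"
    return effective >= required, reason


if __name__ == "__main__":
    a = issue_assertion("idp-a.example", b"shared-secret-a", "alice", AssuranceLevel.AL2)
    for op in REQUIRED_AL:
        print(op, decide(a, op))
```

Running the block prints one decision per operation for a Level 2 assertion from idp-a.example: the low- and medium-risk operations are allowed, the two higher-risk ones are refused. The accreditation cap in `effective_assurance` is the point the text makes about the audit: the RP trusts the assessor's certification of the IdP at a given AL, not the IdP's own description of its authentication mechanics.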

The four Assurance Levels have been adopted by the U.K. government, the Government of Canada and the U.S. Federal Government for categorizing electronic identity trust levels for providing electronic government services.

Service and Credential Assessment Criteria

The Service and Credential Assessment Criteria section establishes baseline criteria for organizational conformity, identity proofing services, credential strength, and credential management services against which all Credential Service Providers (CSPs) will be evaluated. The IAF also establishes a protocol for publishing updates, as needed, to account for technological advances and preferred practice and policy updates.

These criteria set out the requirements that services and their providers must meet at all assurance levels within the Framework in order to receive Liberty accreditation. These criteria address increasingly strict requirements for the general business and organizational operations of services and their providers, increasingly stringent requirements for identity proofing services, and increasingly strict requirements of credential management services and their providers.

CSPs can determine the AL at which their services might qualify by evaluating their overall business processes and technical mechanisms against the Service Assessment Criteria. The Service Assessment Criteria within each AL are the basis for assessing and approving electronic trust services.

Accreditation and Certification Model

The IAF uses a phased approach to establish criteria for certification and accreditation, initially focusing on Credential Service Providers (CSPs) and the accreditation of those who will assess and evaluate them. The goal of this phased approach is to initially provide federations and Federation Operators with the means to certify their members, for the benefit of inter-federation and for streamlining the certification process for the industry. It is anticipated that follow-on phases will target the development of criteria for certification of federations themselves, as well as Best Practices guidelines for relying parties.

The Framework lists the requirements that assessors must have in order to perform assessments or audits for Liberty accreditation and it lists the rules and requirements for the actual assessments.

Business Rules

Signatories to these business rules agree that they govern the use and validation of Liberty Alliance IAF certified credentials, the certification of such credentials and the accreditation of those who assess issuers of such credentials.

The Business Rules section of the IAF identifies: how CSPs and relying parties can participate in or be bound by the rules; what the roles and obligations are of the various parties to the rules, i.e. the Liberty Identity Assurance Expert Group (IAEG), CSPs, relying parties and assessors; the means of enforcement of and recourse under the rules; and, the general terms of the rules (including Governing Law, severability etc.).

Key terms

  • AL: Assurance Level---the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements
  • CSP: Credential Service Provider---a third-party entity that authenticates identities for RPs
  • IdP: Identity Provider---the entity that issues an identity credential, for example the workplace network administrator, a social networking service, an online game administrator, or a government entity
  • RP: Relying Party---the entity that needs to be able to know to some degree that the presented electronic identity credential truly represents the individual named in the credential

References

[CAF] Louden, Chris; Spenser, Judy; Burr, Bill; Hawkins, Kevin; Temoshok, David; Cornell, John; Wilsher, Richard G.; Timchak, Steve; Sill, Stephen; Silver, Dave; Harrison, Von; eds., "E-Authentication Credential Assessment Framework (CAF)," E-Authentication Initiative, Version 2.0.0 (March 16, 2005).
http://www.cio.gov/eauthentication/documents/CAF.pdf

[CABForum] See the CA/Browser Forum website at http://www.cabforum.org/.

[EAPTrustFramework] "Electronic Authentication Partnership Trust Framework," Electronic Authentication Partnership, Version 1.0 (January 6, 2005).
http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf

[NIST800-63] U.S. National Institute of Standards and Technology (NIST), "Special Publication 800-63," version 1.0.2.
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf