Difference between revisions of "Identity Proofing"
From MgmtWiki
(Created page with "==Full Title or Meme== Discovery of the level of trust that can be afforded a claim of an Identifier or Attribute. ==Context== * Some means for assuring the Web Sit...") |
|||
| Line 1: | Line 1: | ||
==Full Title or Meme== | ==Full Title or Meme== | ||
| − | Discovery of the level of trust that can be afforded a claim of an [[Identifier]] or [[Attribute]]. | + | Discovery of the level of trust ([[Assurance]]) that can be afforded a claim of an [[Identifier]] or [[Attribute]]. |
==Context== | ==Context== | ||
| Line 17: | Line 17: | ||
==Solutions== | ==Solutions== | ||
* The best source of [[Truth]] about an [[Identity]] is obtained by documentation of the [[Identity Proofing]] process. That is something that can be audited to measure reality against expectations. | * The best source of [[Truth]] about an [[Identity]] is obtained by documentation of the [[Identity Proofing]] process. That is something that can be audited to measure reality against expectations. | ||
| − | * [[]] | + | * When the [[Identity Proofing]] proceeds in steps, then their is a prior level of [[Assurance]] that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as [[Bayesian Identity Proofing]] which is further defined on that wiki page. |
| + | |||
==References== | ==References== | ||
Revision as of 11:06, 4 January 2019
Full Title or Meme
Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.
Context
- Some means for assuring the Web Site Security is required. See that page for details.
- The rest of this page is about establishing a level of assurance for User Information about a User also known as a Subject.
- New version of SP 800-63-3 with Assurance separated out from the other Authentication Attributes.
- Provenance is a term that is sometimes used for the level of Assurance that a Data Controller has in the origin and reliability of User Attributes, especially health care data
Problems
- In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[1]
- See discussion on the pages for Ephemeral and Persistent.
- Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.
Solutions
- The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
- When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.
References
- For a User that wants some Assurance about a Web Site see Trusted Third Party.
