Difference between revisions of "Identity Proofing"

From MgmtWiki
Jump to: navigation, search
(Context)
Line 6: Line 6:
 
* The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]].
 
* The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]].
 
* [https://pages.nist.gov/800-63-3/sp800-63-3.html New version of SP 800-63-3] with [[Assurance]] separated out from the other [[Authentication]] [[Attribute]]s.
 
* [https://pages.nist.gov/800-63-3/sp800-63-3.html New version of SP 800-63-3] with [[Assurance]] separated out from the other [[Authentication]] [[Attribute]]s.
* [[Provenance]] is a term that is sometimes used for the level of [[Assurance]] that a [[Data Controller]] has in the origin and reliability of [[User]] [[Attribute]]s, especially health care data
 
 
 
  
 
==Problems==
 
==Problems==

Revision as of 11:14, 4 January 2019

Full Title or Meme

Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.

Context

Problems

  • In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[1]
  • See discussion on the pages for Ephemeral and Persistent.
  • Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.

Solutions

  • The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
  • When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.

References

  1. For a User that wants some Assurance about a Web Site see Trusted Third Party.
    1. Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1