Difference between revisions of "Assurance"

From MgmtWiki
Jump to: navigation, search
(Context)
(Context)
Line 7: Line 7:
 
* Some means for assuring the [[Web Site Security]] is required. See that page for details.
 
* Some means for assuring the [[Web Site Security]] is required. See that page for details.
 
* The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]].
 
* The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]].
* Previous version of SP 800-63-2 described level of [[Assurance]] or LOA that are still part of ISO standards.
+
* Previous version of SP 800-63-2 described level of [[Assurance]] or LOA that are still part of ISO standards. NIST has published a [https://pages.nist.gov/800-63-FAQ/ FAQ] to describe the reasons for the upgrade.
 
* [https://pages.nist.gov/800-63-3/sp800-63-3.html New version of SP 800-63-3] with [[Assurance]] separated out from the other [[Authentication]] [[Attribute]]s.
 
* [https://pages.nist.gov/800-63-3/sp800-63-3.html New version of SP 800-63-3] with [[Assurance]] separated out from the other [[Authentication]] [[Attribute]]s.
 
* [[Provenance]] is a term that is sometimes used for the level of [[Assurance]] that a [[Data Controller]] has in the origin and reliability of [[User]] [[Attribute]]s, especially health care data
 
* [[Provenance]] is a term that is sometimes used for the level of [[Assurance]] that a [[Data Controller]] has in the origin and reliability of [[User]] [[Attribute]]s, especially health care data

Revision as of 16:50, 25 February 2019

Full Title or Meme

The level of trust that can be afforded a claim of an Identifier or Attribute.

Context

For a User that wants some Assurance about a Web Site see Trusted Third Party.

Problems

  • In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[1]
  • See discussion on the pages for Ephemeral and Persistent.
  • Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.

Solutions

A rather facile mapping of the NIST 800-63-3 levels of Assurance to the processes known today is:

  • AAL1 ==> password
  • AAL2 ==> 2FA
  • AAL3 ==> U2F

The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.

References

  1. Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1

External References

  1. Synonyms include: Validated which typically is used with Assurance of claims, or Attested which typically is used with Assurance of User Devices.