Difference between revisions of "Identity Proofing"
From MgmtWiki
(→Context) |
(→Solutions) |
||
(6 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
* Some means for assuring the [[Web Site Security]] is required. See that page for details. | * Some means for assuring the [[Web Site Security]] is required. See that page for details. | ||
* The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]]. | * The rest of this page is about establishing a level of assurance for [[User Information]] about a [[User]] also known as a [[Subject]]. | ||
− | * | + | * From NIST SP 800-63-3A<ref name="3A">NIST, ''Digital Identity Guidelines - Enrollment and Identity Proofing Requirements'' (2017-06) https://pages.nist.gov/800-63-3/sp800-63a.html</ref> When a subject is identity proofed, the expected outcomes are: |
+ | #Resolve a claimed identity to a single, unique identity within the context of the population of users #the CSP serves. | ||
+ | #Validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated). | ||
+ | #Validate that the claimed identity exists in the real world. | ||
+ | #Verify that the claimed identity is associated with the real person supplying the identity evidence. | ||
+ | * It was pointed out in that same document that [[Identity Proofing]] will typically trigger privacy considerations that require user notification and consent. | ||
==Problems== | ==Problems== | ||
* In contexts where names are not validated (of low [[Assurance]]) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.<ref>Jack Nicas, ''Oprah, Is That You? Most Likely, It's Not''. 2018-07-08 New York Times page BU1</ref> | * In contexts where names are not validated (of low [[Assurance]]) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.<ref>Jack Nicas, ''Oprah, Is That You? Most Likely, It's Not''. 2018-07-08 New York Times page BU1</ref> | ||
− | * See discussion on the pages for [[Ephemeral]] and [[Persistent]]. | + | * See discussion on the pages for [[Ephemeral]] and [[Persistent]] [[Identifier]]s. |
* Most of the existing protocols, like [[OpenID Connect]] and [[SAML 2.0]] support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151. | * Most of the existing protocols, like [[OpenID Connect]] and [[SAML 2.0]] support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151. | ||
Line 15: | Line 20: | ||
* The best source of [[Truth]] about an [[Identity]] is obtained by documentation of the [[Identity Proofing]] process. That is something that can be audited to measure reality against expectations. | * The best source of [[Truth]] about an [[Identity]] is obtained by documentation of the [[Identity Proofing]] process. That is something that can be audited to measure reality against expectations. | ||
* When the [[Identity Proofing]] proceeds in steps, then their is a prior level of [[Assurance]] that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as [[Bayesian Identity Proofing]] which is further defined on that wiki page. | * When the [[Identity Proofing]] proceeds in steps, then their is a prior level of [[Assurance]] that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as [[Bayesian Identity Proofing]] which is further defined on that wiki page. | ||
+ | * While the primary use case for NIST 800-63-3 involves the [[Credential Service Provider]], it is also stated: "The identity proofing process can be delivered by multiple service providers. It is | ||
+ | possible, but not expected, that a single organization, process, technique, or technology | ||
+ | will fulfill these process steps." | ||
+ | * While it is typical in the U.S. Government for a single agency to perform [[Identity Proofing]] as a part of the [[Credential Service Provider]] prior to enrollment, this is undesirable or impossible in many private organizations. For example it is more important to provider emergency health care that to provide high-assurance proofing in some situations. | ||
+ | |||
+ | 4.4.2 IAL2 Trusted Referee Proofing Requirements | ||
+ | In instances where an individual cannot meet the identity evidence requirements specified in Section 4.4.1, the agency MAY use a trusted referee to assist in identity proofing the applicant. See Section 5.3.4 for more details. | ||
==References== | ==References== | ||
− | + | <references /> | |
− | + | ===External References=== | |
+ | * [https://pages.nist.gov/800-63-3/sp800-63-3.html New version of SP 800-63-3] with [[Assurance]] separated out from the other [[Authentication]] [[Attribute]]s. | ||
+ | * For a [[User]] that wants some [[Assurance]] about a [[Web Site]] see [[Trusted Third Party]]. | ||
[[Category:Glossary]] | [[Category:Glossary]] | ||
[[Category:Identity]] | [[Category:Identity]] | ||
[[Category:Authentication]] | [[Category:Authentication]] | ||
+ | [[Category:Assurance]] |
Latest revision as of 10:12, 5 July 2019
Full Title or Meme
Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.
Context
- Some means for assuring the Web Site Security is required. See that page for details.
- The rest of this page is about establishing a level of assurance for User Information about a User also known as a Subject.
- From NIST SP 800-63-3A[1] When a subject is identity proofed, the expected outcomes are:
- Resolve a claimed identity to a single, unique identity within the context of the population of users #the CSP serves.
- Validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated).
- Validate that the claimed identity exists in the real world.
- Verify that the claimed identity is associated with the real person supplying the identity evidence.
- It was pointed out in that same document that Identity Proofing will typically trigger privacy considerations that require user notification and consent.
Problems
- In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[2]
- See discussion on the pages for Ephemeral and Persistent Identifiers.
- Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.
Solutions
- The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
- When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.
- While the primary use case for NIST 800-63-3 involves the Credential Service Provider, it is also stated: "The identity proofing process can be delivered by multiple service providers. It is
possible, but not expected, that a single organization, process, technique, or technology will fulfill these process steps."
- While it is typical in the U.S. Government for a single agency to perform Identity Proofing as a part of the Credential Service Provider prior to enrollment, this is undesirable or impossible in many private organizations. For example it is more important to provider emergency health care that to provide high-assurance proofing in some situations.
4.4.2 IAL2 Trusted Referee Proofing Requirements In instances where an individual cannot meet the identity evidence requirements specified in Section 4.4.1, the agency MAY use a trusted referee to assist in identity proofing the applicant. See Section 5.3.4 for more details.
References
- ↑ NIST, Digital Identity Guidelines - Enrollment and Identity Proofing Requirements (2017-06) https://pages.nist.gov/800-63-3/sp800-63a.html
- ↑ Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1
External References
- New version of SP 800-63-3 with Assurance separated out from the other Authentication Attributes.
- For a User that wants some Assurance about a Web Site see Trusted Third Party.