Identity Proofing

From MgmtWiki
Revision as of 21:51, 4 July 2019 by Tom (talk | contribs) (Solutions)

Jump to: navigation, search

Full Title or Meme

Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.

Context

  • Some means for assuring the Web Site Security is required. See that page for details.
  • The rest of this page is about establishing a level of assurance for User Information about a User also known as a Subject.
  • From NIST SP 800-63-3A[1] When a subject is identity proofed, the expected outcomes are:
  1. Resolve a claimed identity to a single, unique identity within the context of the population of users #the CSP serves.
  2. Validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated).
  3. Validate that the claimed identity exists in the real world.
  4. Verify that the claimed identity is associated with the real person supplying the identity evidence.

Problems

  • In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[2]
  • See discussion on the pages for Ephemeral and Persistent.
  • Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.

Solutions

  • The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
  • When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.

4.4.2 IAL2 Trusted Referee Proofing Requirements In instances where an individual cannot meet the identity evidence requirements specified in Section 4.4.1, the agency MAY use a trusted referee to assist in identity proofing the applicant. See Section 5.3.4 for more details.

References

  1. NIST, Digital Identity Guidelines - Enrollment and Identity Proofing Requirements (2017-06) https://pages.nist.gov/800-63-3/sp800-63a.html
  2. Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1

External References