Identity Proofing

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.

Context

Problems

  • In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[1]
  • See discussion on the pages for Ephemeral and Persistent.
  • Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.

Solutions

  • The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
  • When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.

References

  1. Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1

External References