Identity Proofing

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Discovery of the level of trust (Assurance) that can be afforded a claim of an Identifier or Attribute.


  • Some means for assuring the Web Site Security is required. See that page for details.
  • The rest of this page is about establishing a level of assurance for User Information about a User also known as a Subject.
  • From NIST SP 800-63-3A[1] When a subject is identity proofed, the expected outcomes are:
  1. Resolve a claimed identity to a single, unique identity within the context of the population of users #the CSP serves.
  2. Validate that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated).
  3. Validate that the claimed identity exists in the real world.
  4. Verify that the claimed identity is associated with the real person supplying the identity evidence.
  • It was pointed out in that same document that Identity Proofing will typically trigger privacy considerations that require user notification and consent.


  • In contexts where names are not validated (of low Assurance) the problem arises that trolls many adopt the name of some well-known person to be able to make statements that falsely appear to be from the real person.[2]
  • See discussion on the pages for Ephemeral and Persistent Identifiers.
  • Most of the existing protocols, like OpenID Connect and SAML 2.0 support the older NIST SP 800-63-2 level of assurance ratings. These are also baked into RFC 6711 "An IANA Registry for Level of Assurance (LoA) Profiles" and ISO/IEC 291151.


  • The best source of Truth about an Identity is obtained by documentation of the Identity Proofing process. That is something that can be audited to measure reality against expectations.
  • When the Identity Proofing proceeds in steps, then their is a prior level of Assurance that is step-wise augmented as each new level of proofing is performed. This step-wise process of augmenting the level of is referred to as Bayesian Identity Proofing which is further defined on that wiki page.
  • While the primary use case for NIST 800-63-3 involves the Credential Service Provider, it is also stated: "The identity proofing process can be delivered by multiple service providers. It is

possible, but not expected, that a single organization, process, technique, or technology will fulfill these process steps."

  • While it is typical in the U.S. Government for a single agency to perform Identity Proofing as a part of the Credential Service Provider prior to enrollment, this is undesirable or impossible in many private organizations. For example it is more important to provider emergency health care that to provide high-assurance proofing in some situations.

4.4.2 IAL2 Trusted Referee Proofing Requirements In instances where an individual cannot meet the identity evidence requirements specified in Section 4.4.1, the agency MAY use a trusted referee to assist in identity proofing the applicant. See Section 5.3.4 for more details.


  1. NIST, Digital Identity Guidelines - Enrollment and Identity Proofing Requirements (2017-06)
  2. Jack Nicas, Oprah, Is That You? Most Likely, It's Not. 2018-07-08 New York Times page BU1

External References