assurance - RE: [Assurance] silver, 2-factor, password requirements

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver, 2-factor, password requirements
  • Date: Fri, 30 Nov 2012 11:43:00 -0600
  • Accept-language: en-US

I feel that the issue is that the technical authentication mechanism is getting all of the attention while the procedure associated with the issuance of the credential is getting marginalized. There seems to be a lot of push back to the registration and credential issuance controls that are outlined in NIST 800-63.


The risk assessment done for the Federation Manager seems to suggest that LoA 3 is called for, yet there seems to be reluctance to state that. Based on Tom Barton's comments I think there may be a way to argue that member organizations are delegated the responsibility for identity proofing. But instead of trying to build an argument for how current practice might satisfy NIST LoA 3, there is an effort to define a profile that does not align with any of the NIST assurance levels.


I find it confusing to go through the risk analysis, which would appear to have an end goal of identifying an OMB assurance level that is appropriate, and then try to define an assurance profile that does not resemble any of the defined levels. If the goal is to justify the chosen assurance level by means of the risk assessment, doesn't the level chosen have to map to one of the defined levels?


From: [mailto:] On Behalf Of Dennis Skovsted
Sent: Friday, November 30, 2012 11:06 AM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements


I have been listening to the discussion and I am wondering if the challenge being encountered is related to the fact that leadership has not yet provided a clear enough definition of the goals for Silver related to identity proofing and identity authentication in the context of a 4-level federation model (i.e., Bronze to Platinum).


It sounds to me like the question for leadership may be: if one is using a two-factor solution and one has very good controls for the token factor and marginal controls for the password factor, is that acceptable for Silver? Or, another way of stating the question, does one only need good control of both factors when one gets to Gold or Platinum?


Dennis Skovsted 


On Wed, Nov 28, 2012 at 10:16 PM, Jones, Mark B <> wrote:

I don't think that the LoA of an authentication credential implies anything beyond the credential provider's confidence that the owner of the credential is the entity that is controlling and presenting the credential. The reliability of attributes is utterly separate. Just because a credential provider knows who they have credentialed does not mean that they are obligated to release the identity data collected when registering the user.

Regarding credential binding, yes, that is what concerns me. If section 4.2.2 is not to do with binding the physical person to the credential, then which section covers that?

I'm not sure what you mean by "legal identity". To me the question of what LoA is required is answered by evaluating the risk to your application as described in OMB M-04-04. For example, what are the consequences of someone impersonating a valid user, or of a valid user claiming that their credential was not under their control to avoid accountability? If you don't care about the ability to hold the user accountable, isn't Bronze sufficient? If you do care, relaxing identity proofing seems counterproductive.


-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Wednesday, November 28, 2012 2:48 PM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements



> I don't think the LoA of an authentication credential has anything to
> do with what attributes are released to the RP.

I didn't say that. I implied that the strength of an attribute, such as "person name," is directly related to the LoA of a transaction, which is certainly true. This is why some have claimed that separate attribute profiles are redundant in the face of identity assurance.

> Even if the
> authentication was three factor, without strong identity proofing when
> the credential is issued how is the presenter of such a credential to
> be held accountable for actions performed with that credential?

I wonder if you're thinking of credential binding here? I agree that strong credential binding is important but that's not what I mean by identity proofing. I'm referring to section 4.2.2 in the Bronze/Silver profile. My app doesn't care about the legal identity of the user. I claim that most SaaS apps don't care about this either.

> It seems to me that the amount of identity proofing done has a greater
> impact on the LoA of a credential than the authentication mechanism.

When the legal identity is in question, yes, but there are many situations where that is not required.

> I guess I'm questioning why a profile "at the top of the pyramid"
> would have less identity proofing.

Well, I don't quite know what to tell you. When the profile is done, I will make it public so that you can poke holes in it. In any case, I'm quite sure I don't need section 4.2.2 at all.

Tom




