commonwealth of virginia · 65 commonwealth of virginia’s itrm glossary (itrm glossary). 1 66 67...

PublicationVersion1.0IMSACGuidanceDocument:FederationandParticipantRequirements DraftDate:October12,2016

COMMONWEALTH OF VIRGINIA

IDENTITY MANAGEMENT STANDARDS ADVISORY COUNCIL (IMSAC)

GUIDANCE DOCUMENT Federation and Participant Requirements

PublicationVersion1.0IMSACGuidanceDocument:FederationandParticipantRequirements DraftDate:October12,2016 DraftDate:October12,2016

i

TableofContents

1 PublicationVersionControl.....................................................................................12 Reviews....................................................................................................................13 PurposeandScope...................................................................................................14 StatutoryAuthority..................................................................................................25 Definitions................................................................................................................36 Background…..........................................................................................................157 MinimumSpecifications.........................................................................................16


1

1 PublicationVersionControl12Thefollowingtablecontainsahistoryofrevisionstothispublication.34PublicationVersion

Date

RevisionDescription

1.0 10/12/2016 InitialDraftofDocument

5

2 Reviews67• TheinitialversionofthedocumentwaspreparedbystafffromtheVirginiaInformation8

TechnologiesAgency(VITA)fortheSecretaryofTechnology,underthedirectionfromthe9IdentityManagementStandardsAdvisoryCouncil(IMSAC).10

11• ThedocumentwillbereviewedinamannercompliantwiththeCommonwealthofVirginia’s12

AdministrativeProcessAct,§2.2-4000etseq.1314

3 PurposeandScope1516Pursuantto§2.2-436and§2.2-437,CodeofVirginia,thisguidancedocumentwasdeveloped17bytheIdentityManagementStandardsAdvisoryCouncil(IMSAC),onbehalfoftheSecretaryof18Technology,toestablishminimumspecificationsforDigitalIdentitySystemssoastowarrant19liabilityprotectionpursuanttotheElectronicIdentityManagementAct("theAct"),Chapter5020ofTitle59.1.Theguidancedocument,asdefinedin§2.2-4001,waspreparedtoprovide21informationorguidanceofgeneralapplicabilitytothepublicforinterpretingorimplementing22theAct.TheguidancedocumentwasnotdevelopedasaCommonwealthofVirginia23InformationTechnologyResourceManagement(ITRM)Policy,Standard,andGuideline,24pursuantto§2.2-2007,andthereforetheguidancedocumentisnotapplicabletoexecutive25branchagenciesoftheCommonwealthofVirginia.2627 28


2

4 StatutoryAuthority2930ThefollowingsectiondocumentsthestatutoryauthorityestablishedintheCodeofVirginiafor31thedevelopmentofminimumspecificationsandstandardsforFederationandParticipant32RequirementsinaDigitalIdentitySystem.Referencestostatutesbelowandthroughoutthis33documentshallbetotheCodeofVirginia,unlessotherwisespecified.3435GoverningStatutes:3637SecretaryofTechnology38§2.2-225.Positionestablished;agenciesforwhichresponsible;additionalpowers39http://law.lis.virginia.gov/vacode/title2.2/chapter2/section2.2-225/4041IdentityManagementStandardsAdvisoryCouncil42§2.2-437.IdentityManagementStandardsAdvisoryCouncil43http://law.lis.virginia.gov/vacode/title2.2/chapter4.3/section2.2-437/4445CommonwealthIdentityManagementStandards46§2.2-436.Approvalofelectronicidentitystandards47http://law.lis.virginia.gov/vacode/title2.2/chapter4.3/section2.2-436/4849ElectronicIdentityManagementAct50Chapter50.ElectronicIdentityManagementAct51http://law.lis.virginia.gov/vacode/title59.1/chapter50/52535455565758 59


3

5 Definitions6061TermsusedinthisdocumentcomplywithdefinitionsinthePublicReviewversionofthe62NationalInstituteofStandardsandTechnologySpecialPublication800-63-3(NISTSP800-63-3),63andalignwithadopteddefinitionsin§59.1-550,CodeofVirginia(COV),andthe64CommonwealthofVirginia’sITRMGlossary(ITRMGlossary).16566ActiveAttack:Anonlineattackwheretheattackertransmitsdatatotheclaimant,credential67serviceprovider,verifier,orrelyingParticipant.Examplesofactiveattacksincludeman-in-the-68middle,impersonation,andsessionhijacking.6970AddressofRecord:Theofficiallocationwhereanindividualcanbefound.Theaddressofrecord71alwaysincludestheresidentialstreetaddressofanindividualandmayalsoincludethemailing72addressoftheindividual.Inverylimitedcircumstances,anArmyPostOfficeboxnumber,Fleet73PostOfficeboxnumberorthestreetaddressofnextofkinorofanothercontactindividualcan74beusedwhenaresidentialstreetaddressfortheindividualisnotavailable.7576Approved:FederalInformationProcessingStandard(FIPS)approvedorNISTrecommended.An77algorithmortechniquethatiseither1)specifiedinaFIPSorNISTRecommendation,or2)78adoptedinaFIPSorNISTRecommendation.7980ApplicableLaw:Laws,statutes,regulations,andrulesofthejurisdictioninwhichthemembers81ofanIdentityTrustFrameworkoperates.8283Applicant:AParticipantundergoingtheprocessesofRegistrationandIdentityProofing.8485Assertion:AstatementfromaverifiertoarelyingParticipant(RP)thatcontainsidentity86informationaboutaSubscriber.Assertionsmayalsocontainverifiedattributes.8788AssertionReference:Adataobject,createdinconjunctionwithanAssertion,whichidentifies89theverifierandincludesapointertothefullAssertionheldbytheverifier.9091Assurance:Inthecontextof[OMBM-04-04]2andthisdocument,assuranceisdefinedas1)the92degreeofconfidenceinthevettingprocessusedtoestablishtheidentityofanindividualto93whomthecredentialwasissued,and2)thedegreeofconfidencethattheindividualwhouses94thecredentialistheindividualtowhomthecredentialwasissued.95

1NISTSP800-63-3maybeaccessedathttps://pages.nist.gov/800-63-3/sp800-63-3.html#sec3.Atthetimeofthepublicationofthisdocument,NISTSP800-63-3wasstillunderdevelopment.However,thisdocumentmaybeupdated,asrecommendedbyIMSAC,followingthefinaladoptionandpublicationofNISTSP800-63-3.§59.1-550,CodeofVirginia,maybeaccessedathttp://law.lis.virginia.gov/vacode/title59.1/chapter50/section59.1-550/TheCommonwealth’sITRMGlossarymaybeaccessedathttp://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/PSG_Sections/COV_ITRM_Glossary.pdf

2[OMBM-04-04]OfficeofManagementandBudget,Memorandum04-04:E-AuthenticationGuidanceforFederalAgencies,accessibleathttps://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf.


4

AssuranceModel:Policies,processes,andprotocolsthatdefinehowAssurancewillbe96establishedinanIdentityTrustFramework.9798AsymmetricKeys:Tworelatedkeys,apublickeyandaprivatekeythatareusedtoperform99complementaryoperations,suchasencryptionanddecryptionorsignaturegenerationand100signatureverification.101102Attack:AnattemptbyanunauthorizedindividualtofoolaverifierorarelyingParticipantinto103believingthattheunauthorizedindividualinquestionistheSubscriber.104105Attacker:AParticipantwhoactswithmaliciousintenttocompromiseanInformationSystem.106107Attribute:Aclaimofanamedqualityorcharacteristicinherentinorascribedtosomeoneor108something.109110Authentication:TheprocessofestablishingconfidenceintheidentityofusersorInformation111Systems.112113AuthenticationProtocol:Adefinedsequenceofmessagesbetweenaclaimantandaverifier114thatdemonstratesthattheclaimanthaspossessionandcontrolofavalidauthenticatorto115establishhis/heridentity,andoptionally,demonstratestotheclaimantthatheorsheis116communicatingwiththeintendedverifier.117118AuthenticationProtocolRun:Anexchangeofmessagesbetweenaclaimantandaverifierthat119resultsinauthentication(orauthenticationfailure)betweenthetwoParticipants.120121AuthenticationSecret:Agenerictermforanysecretvaluethatcouldbeusedbyanattackerto122impersonatetheSubscriberinanauthenticationprotocol.Thesearefurtherdividedintoshort-123termauthenticationsecrets,whichareonlyusefultoanattackerforalimitedperiodoftime,124andlong-termauthenticationsecrets,whichallowanattackertoimpersonatetheSubscriber125untiltheyaremanuallyreset.Theauthenticatorsecretisthecanonicalexampleofalongterm126authenticationsecret,whiletheauthenticatoroutput,ifitisdifferentfromtheauthenticator127secret,isusuallyashorttermauthenticationsecret.128129Authenticator:Somethingthattheclaimantpossessesandcontrols(typicallyacryptographic130moduleorpassword)thatisusedtoauthenticatetheclaimant’sidentity.Inpreviousversionsof131thisguideline,thiswasreferredtoasatoken.132133AuthenticatorAssuranceLevel(AAL):Ametricdescribingrobustnessoftheauthentication134processprovingthattheclaimantisincontrolofagivenSubscriber’sauthenticator(s).135136AuthenticatorOutput:Theoutputvaluegeneratedbyanauthenticator.Theabilitytogenerate137validauthenticatoroutputsondemandprovesthattheclaimantpossessesandcontrolsthe138


5

authenticator.Protocolmessagessenttotheverifieraredependentupontheauthenticator139output,buttheymayormaynotexplicitlycontainit.140141AuthenticatorSecret:Thesecretvaluecontainedwithinanauthenticator.142Authenticity:Thepropertythatdataoriginatedfromitspurportedsource.143144BearerAssertion:AnAssertionthatdoesnotprovideamechanismfortheSubscribertoprove145thatheorsheistherightfulowneroftheAssertion.TheRPhastoassumethattheAssertion146wasissuedtotheSubscriberwhopresentstheAssertionorthecorrespondingAssertion147referencetotheRP.148149Bit:Abinarydigit:0or1.150151Biometrics:Automatedrecognitionofindividualsbasedontheirbehavioralandbiological152characteristics.Inthisdocument,biometricsmaybeusedtounlockauthenticatorsandprevent153repudiationofRegistration.154155CertificateAuthority(CA):Atrustedentitythatissuesandrevokespublickeycertificates.156157CertificateRevocationList(CRL):Alistofrevokedpublickeycertificatescreatedanddigitally158signedbyaCertificateAuthority.[RFC5280]3159160Challenge-ResponseProtocol:Anauthenticationprotocolwheretheverifiersendstheclaimant161achallenge(usuallyarandomvalueoranonce)thattheclaimantcombineswithasecret(such162asbyhashingthechallengeandasharedsecrettogether,orbyapplyingaprivatekeyoperation163tothechallenge)togeneratearesponsethatissenttotheverifier.Theverifiercan164independentlyverifytheresponsegeneratedbytheclaimant(suchasbyre-computingthehash165ofthechallengeandthesharedsecretandcomparingtotheresponse,orperformingapublic166keyoperationontheresponse)andestablishthattheclaimantpossessesandcontrolsthe167secret.168169Claimant:AParticipantwhoseidentityistobeverifiedusinganauthenticationprotocol.170ClaimedAddress:Thephysicallocationassertedbyanindividual(e.g.anapplicant)where171he/shecanbereached.Itincludestheresidentialstreetaddressofanindividualandmayalso172includethemailingaddressoftheindividual.Forexample,apersonwithaforeignpassport,173livingintheU.S.,willneedtogiveanaddresswhengoingthroughtheIdentityProofingprocess.174Thisaddresswouldnotbean“addressofrecord”buta“claimedaddress.”175176ClaimedIdentity:AdeclarationbytheapplicantoftheircurrentPersonalName,dateofbirth177andaddress.[GPG45]4178

3[RFC5280]OfficialInternetProtocolStandards,InternetX.509PublicKeyInfrastructureCertificateandCertificateRevocationList(CRL)Profile,May2008,accessibleathttp://www.rfc-editor.org/info/rfc5280.


6

CompletelyAutomatedPublicTuringtesttotellComputersandHumansApart(CAPTCHA):An179interactivefeatureaddedtoweb-formstodistinguishuseoftheformbyhumansasopposedto180automatedagents.Typically,itrequiresenteringtextcorrespondingtoadistortedimageor181fromasoundstream.182183Cookie:Acharacterstring,placedinawebbrowser’smemory,whichisavailabletowebsites184withinthesameInternetdomainastheserverthatplacedtheminthewebbrowser.185186Credential:Anobjectordatastructurethatauthoritativelybindsanidentity(andoptionally,187additionalattributes)toanauthenticatorpossessedandcontrolledbyaSubscriber.While188commonusageoftenassumesthatthecredentialismaintainedbytheSubscriber,this189documentalsousesthetermtorefertoelectronicrecordsmaintainedbytheCSPwhich190establishabindingbetweentheSubscriber’sauthenticator(s)andidentity.191192CredentialServiceProvider(CSP):AtrustedentitythatissuesorregistersSubscriber193authenticatorsandissueselectroniccredentialstoSubscribers.TheCSPmayencompass194RegistrationAuthorities(RAs)andverifiersthatitoperates.ACSPmaybeanindependentthird195Participant,ormayissuecredentialsforitsownuse.196197CrossSiteRequestForgery(CSRF):AnattackinwhichaSubscriberwhoiscurrently198authenticatedtoanRPandconnectedthroughasecuresession,browsestoanattacker’s199websitewhichcausestheSubscribertounknowinglyinvokeunwantedactionsattheRP.For200example,ifabankwebsiteisvulnerabletoaCSRFattack,itmaybepossibleforaSubscriberto201unintentionallyauthorizealargemoneytransfer,merelybyviewingamaliciouslinkina202webmailmessagewhileaconnectiontothebankisopeninanotherbrowserwindow.203204CrossSiteScripting(XSS):Avulnerabilitythatallowsattackerstoinjectmaliciouscodeintoan205otherwisebenignwebsite.Thesescriptsacquirethepermissionsofscriptsgeneratedbythe206targetwebsiteandcanthereforecompromisetheconfidentialityandintegrityofdatatransfers207betweenthewebsiteandclient.Websitesarevulnerableiftheydisplayusersupplieddatafrom208requestsorformswithoutsanitizingthedatasothatitisnotexecutable.209210CryptographicKey:Avalueusedtocontrolcryptographicoperations,suchasdecryption,211encryption,signaturegenerationorsignatureverification.Forthepurposesofthisdocument,212keyrequirementsmustmeettheminimumrequirementsstatedinTable2ofNISTSP800-57213Part1.SeealsoAsymmetrickeys,Symmetrickey.214215CryptographicAuthenticator:Anauthenticatorwherethesecretisacryptographickey.216217

4[GPG45]UKCabinetOffice,GoodPracticeGuide45,Identityproofingandverificationofanindividual,November3,2014,accessibleathttps://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual.


7

DataIntegrity:Thepropertythatdatahasnotbeenalteredbyanunauthorizedentity.218219DerivedCredential:Acredentialissuedbasedonproofofpossessionandcontrolofan220authenticatorassociatedwithapreviouslyissuedcredential,soasnottoduplicatetheIdentity221Proofingprocess.222223DigitalIdentitySystem:AnInformationSystemthatsupportsElectronicAuthenticationandthe224managementofaperson’sIdentityinadigitalenvironment.[Referencedin§59.1-550,COV]225226DigitalSignature:Anasymmetrickeyoperationwheretheprivatekeyisusedtodigitallysign227dataandthepublickeyisusedtoverifythesignature.Digitalsignaturesprovideauthenticity228protection,integrityprotection,andnon-repudiation.229230EavesdroppingAttack:Anattackinwhichanattackerlistenspassivelytotheauthentication231protocoltocaptureinformationwhichcanbeusedinasubsequentactiveattackto232masqueradeastheclaimant.233234ElectronicAuthentication:Theprocessofestablishingconfidenceinuseridentities235electronicallypresentedtoanInformationSystem.236237Entropy:Ameasureoftheamountofuncertaintythatanattackerfacestodeterminethevalue238ofasecret.Entropyisusuallystatedinbits.239240ExtensibleMark-upLanguage(XML):ExtensibleMarkupLanguage,abbreviatedXML,describes241aclassofdataobjectscalledXMLdocumentsandpartiallydescribesthebehaviorofcomputer242programswhichprocessthem.243244FederalBridgeCertificationAuthority(FBCA):TheFBCAistheentityoperatedbytheFederal245PublicKeyInfrastructure(FPKI)ManagementAuthoritythatisauthorizedbytheFederalPKI246PolicyAuthoritytocreate,sign,andissuepublickeycertificatestoPrincipalCAs.247248FederalInformationSecurityManagementAct(FISMA):TitleIIIoftheE-GovernmentAct249requiringeachfederalagencytodevelop,document,andimplementanagency-wideprogram250toprovideinformationsecurityfortheinformationandInformationSystemsthatsupportthe251operationsandassetsoftheagency,includingthoseprovidedormanagedbyanotheragency,252contractor,orothersource.253254FederalInformationProcessingStandard(FIPS):UndertheInformationTechnology255ManagementReformAct(PublicLaw104-106),theSecretaryofCommerceapprovesstandards256andguidelinesthataredevelopedbytheNationalInstituteofStandardsandTechnology(NIST)257forFederalcomputersystems.ThesestandardsandguidelinesareissuedbyNISTasFederal258InformationProcessingStandards(FIPS)forusegovernment-wide.NISTdevelopsFIPSwhen259


8

therearecompellingFederalgovernmentrequirementssuchasforsecurityandinteroperability260andtherearenoacceptableindustrystandardsorsolutions.5261262Federation:Aprocessthatallowsfortheconveyanceofidentityandauthenticationinformation263acrossasetofnetworkedsystems.Thesesystemsareoftenrunandcontrolledbydisparate264Participantsindifferentnetworkandsecuritydomains.[NISTSP800-63C]265266GovernanceAuthority:Entityresponsibleforprovidingpolicylevelleadership,oversight,267strategicdirection,andrelatedgovernanceactivitieswithinanIdentityTrustFramework.268269HashFunction:Afunctionthatmapsabitstringofarbitrarylengthtoafixedlengthbitstring.270Approvedhashfunctionssatisfythefollowingproperties:271

• (One-way)Itiscomputationallyinfeasibletofindanyinputthatmapstoanypre-272specifiedoutput,and273

• (Collisionresistant)Itiscomputationallyinfeasibletofindanytwodistinctinputsthat274maptothesameoutput.275

276Holder-of-KeyAssertion:AnAssertionthatcontainsareferencetoasymmetrickeyorapublic277key(correspondingtoaprivatekey)heldbytheSubscriber.TheRPmayauthenticatethe278Subscriberbyverifyingthatheorshecanindeedprovepossessionandcontrolofthe279referencedkey.280281Identity:Asetofattributesthatuniquelydescribeapersonwithinagivencontext.282283IdentityAssuranceLevel(IAL):Ametricdescribingdegreeofconfidencethattheapplicant’s284claimedidentityistheirrealidentity.285286IdentityProofing:TheprocessbywhichaCSPandaRegistrationAuthority(RA)collectand287verifyinformationaboutapersonforthepurposeofissuingcredentialstothatperson.288289IdentityProvider(IdP):Thepartythatmanagesthesubscriber’sprimaryauthentication290credentialsandissuesAssertionsderivedfromthosecredentialsgenerallytothecredential291serviceprovider(CSP).292293IdentityTrustFramework:ADigitalIdentitySystemwithestablishedidentity,security,privacy,294technology,andenforcementrulesandpoliciesadheredtobycertifiedidentityprovidersthat295aremembersoftheIdentityTrustFramework.MembersofanIdentityTrustFramework296includeIdentityTrustFrameworkoperatorsandidentityproviders.RelyingParticipantsmaybe,297butarenotrequiredtobe,amemberofanIdentityTrustFrameworkinordertoacceptan298identitycredentialissuedbyacertifiedidentityprovidertoverifyanidentitycredentialholder's299identity.[§59.1-550,COV]3003015FederalInformationProcessingStandard(FIPS),accessibleathttp://www.nist.gov/itl/fips.cfm.


9

InformationSystem:Adiscretesetofinformationresourcesorganizedforthecollection,302processing,maintenance,use,sharing,dissemination,ordispositionofinformation.[NIST303Interagency/InternalReport(IR)7298r.2]304305Kerberos:AwidelyusedauthenticationprotocoldevelopedatMIT.In“classic”Kerberos,users306shareasecretpasswordwithaKeyDistributionCenter(KDC).Theuser,Alice,whowishesto307communicatewithanotheruser,Bob,authenticatestotheKDCandisfurnisheda“ticket”by308theKDCtousetoauthenticatewithBob.WhenKerberosauthenticationisbasedonpasswords,309theprotocolisknowntobevulnerabletooff-linedictionaryattacksbyeavesdropperswho310capturetheinitialuser-to-KDCexchange.Longerpasswordlengthandcomplexityprovide311somemitigationtothisvulnerability,althoughsufficientlylongpasswordstendtobe312cumbersomeforusers.313314KnowledgeBasedAuthentication:Authenticationofanindividualbasedonknowledgeof315informationassociatedwithhisorherclaimedidentityinpublicdatabases.Knowledgeofsuch316informationisconsideredtobeprivateratherthansecret,becauseitmaybeusedincontexts317otherthanauthenticationtoaverifier,therebyreducingtheoverallassuranceassociatedwith318theauthenticationprocess.319320Man-in-the-MiddleAttack(MitM):Anattackontheauthenticationprotocolruninwhichthe321attackerpositionshimselforherselfinbetweentheclaimantandverifiersothathecan322interceptandalterdatatravelingbetweenthem.323324MessageAuthenticationCode(MAC):Acryptographicchecksumondatathatusesasymmetric325keytodetectbothaccidentalandintentionalmodificationsofthedata.MACsprovide326authenticityandintegrityprotection,butnotnon-repudiationprotection.327328Multi-Factor:Acharacteristicofanauthenticationsystemoranauthenticatorthatusesmore329thanoneauthenticationfactor.Thethreetypesofauthenticationfactorsaresomethingyou330know,somethingyouhave,andsomethingyouare.331332Network:Anopencommunicationsmedium,typicallytheInternet,thatisusedtotransport333messagesbetweentheclaimantandotherParticipants.Unlessotherwisestated,no334assumptionsaremadeaboutthesecurityofthenetwork;itisassumedtobeopenandsubject335toactive(i.e.,impersonation,man-in-the-middle,sessionhijacking)andpassive(i.e.,336eavesdropping)attackatanypointbetweentheParticipants(e.g.,claimant,verifier,CSPorRP).337338Nonce:Avalueusedinsecurityprotocolsthatisneverrepeatedwiththesamekey.For339example,noncesusedaschallengesinchallenge-responseauthenticationprotocolsmustnot340berepeateduntilauthenticationkeysarechanged.Otherwise,thereisapossibilityofareplay341attack.Usinganonceasachallengeisadifferentrequirementthanarandomchallenge,342becauseanonceisnotnecessarilyunpredictable.343344


10

Off-lineAttack:Anattackwheretheattackerobtainssomedata(typicallybyeavesdroppingon345anauthenticationprotocolrunorbypenetratingasystemandstealingsecurityfiles)that346he/sheisabletoanalyzeinasystemofhis/herownchoosing.347348OnlineAttack:Anattackagainstanauthenticationprotocolwheretheattackereitherassumes349theroleofaclaimantwithagenuineverifieroractivelyalterstheauthenticationchannel.350351OnlineGuessingAttack:Anattackinwhichanattackerperformsrepeatedlogontrialsby352guessingpossiblevaluesoftheauthenticatoroutput.353354OperationalAuthority:Entityresponsibleforoperations,maintenance,management,and355relatedfunctionsofanIdentityTrustFramework.356357ParticipantRequirements:AsetofrulesandpoliciesinanIdentityTrustFrameworkaddressing358identity,security,privacy,technology,andenforcement,whichareassignedtoeachmember359typeinaDigitalIdentitySystem.MembertypesincludeRegistrationAuthorities(RAs),Identity360Providers(IdPs),CredentialServiceProviders(CSPs),Verifiers,andRelyingParties(RPs).361[§59.1-550,COV]362363PassiveAttack:Anattackagainstanauthenticationprotocolwheretheattackerinterceptsdata364travelingalongthenetworkbetweentheclaimantandverifier,butdoesnotalterthedata(i.e.,365eavesdropping).366367Password:Asecretthataclaimantmemorizesandusestoauthenticatehisorheridentity.368Passwordsaretypicallycharacterstrings.369370PersonalIdentificationNumber(PIN):Apasswordconsistingonlyofdecimaldigits.371372PersonalIdentityVerification(PIV)Card:Definedby[FIPS201]asaphysicalartifact(e.g.,373identitycard,smartcard)issuedtofederalemployeesandcontractorsthatcontainsstored374credentials(e.g.,photograph,cryptographickeys,digitizedfingerprintrepresentation)sothat375theclaimedidentityofthecardholdercanbeverifiedagainstthestoredcredentialsbyanother376person(humanreadableandverifiable)oranautomatedprocess(computerreadableand377verifiable).378379PersonallyIdentifiableInformation(PII):AsdefinedbyOMBCircularA-130,Personally380IdentifiableInformationmeansinformationthatcanbeusedtodistinguishortracean381individual’sidentity,eitheraloneorwhencombinedwithotherinformationthatislinkedor382linkabletoaspecificindividual.383384Pharming:AnattackinwhichanattackercorruptsaninfrastructureservicesuchasDNS385(DomainNameService)causingtheSubscribertobemisdirectedtoaforgedverifier/RP,which386couldcausetheSubscribertorevealsensitiveinformation,downloadharmfulsoftwareor387contributetoafraudulentact.388


11

Phishing:AnattackinwhichtheSubscriberislured(usuallythroughanemail)tointeractwitha389counterfeitverifier/RPandtrickedintorevealinginformationthatcanbeusedtomasquerade390asthatSubscribertotherealverifier/RP.391392PhysicalIn-Person:MethodofIdentityProofinginwhichApplicantsarerequiredtophysically393presentthemselvesandidentityevidencetoarepresentativeoftheRegistrationAuthorityor394IdentityTrustFramework.[NISTSP800-63-2]395396Possessionandcontrolofanauthenticator:Theabilitytoactivateandusetheauthenticatorin397anauthenticationprotocol.398399PracticeStatement:AformalstatementofthepracticesfollowedbytheParticipantstoan400authenticationprocess(i.e.,RA,CSP,orverifier).Itusuallydescribesthepoliciesandpractices401oftheParticipantsandcanbecomelegallybinding.402403PrivateCredentials:CredentialsthatcannotbedisclosedbytheCSPbecausethecontentscan404beusedtocompromisetheauthenticator.405406PrivateKey:Thesecretpartofanasymmetrickeypairthatisusedtodigitallysignordecrypt407data.408409ProtectedSession:Asessionwhereinmessagesbetweentwoparticipantsareencryptedand410integrityisprotectedusingasetofsharedsecretscalledsessionkeys.Aparticipantissaidtobe411authenticatedif,duringthesession,he,sheoritprovespossessionofalongtermauthenticator412inadditiontothesessionkeys,andiftheotherParticipantcanverifytheidentityassociated413withthatauthenticator.Ifbothparticipantsareauthenticated,theprotectedsessionissaidto414bemutuallyauthenticated.415416PseudonymousIdentifier:Ameaningless,butuniquenumberthatdoesnotallowtheRPto417infertheSubscriberbutwhichdoespermittheRPtoassociatemultipleinteractionswiththe418Subscriber’sclaimedidentity.419420PublicCredentials:Credentialsthatdescribethebindinginawaythatdoesnotcompromisethe421authenticator.422423PublicKey:Thepublicpartofanasymmetrickeypairthatisusedtoverifysignaturesorencrypt424data.425426PublicKeyCertificate:Adigitaldocumentissuedanddigitallysignedbytheprivatekeyofa427CertificateauthoritythatbindsthenameofaSubscribertoapublickey.Thecertificate428indicatesthattheSubscriberidentifiedinthecertificatehassolecontrolandaccesstothe429privatekey.Seealso[RFC5280].430431


12

PublicKeyInfrastructure(PKI):Asetofpolicies,processes,serverplatforms,softwareand432workstationsusedforthepurposeofadministeringcertificatesandpublic-privatekeypairs,433includingtheabilitytoissue,maintain,andrevokepublickeycertificates.434435Registration:TheprocessthroughwhichanapplicantappliestobecomeaSubscriberofaCSP436andanRAvalidatestheidentityoftheapplicantonbehalfoftheCSP.437438RegistrationAuthority(RA):Atrustedentitythatestablishesandvouchesfortheidentityor439attributesofaSubscribertoaCSP.TheRAmaybeanintegralpartofaCSP,oritmaybe440independentofaCSP,butithasarelationshiptotheCSP(s).441442RelyingParty(RP):AnentitythatreliesupontheSubscriber’sauthenticator(s)andcredentials443oraverifier’sAssertionofaclaimant’sidentity,typicallytoprocessatransactionorgrantaccess444toinformationorasystem.445446Remote:(Asinremoteauthenticationorremotetransaction)Aninformationexchange447betweennetwork-connecteddeviceswheretheinformationcannotbereliablyprotectedend-448to-endbyasingleorganization’ssecuritycontrols.Note:Anyinformationexchangeacrossthe449Internetisconsideredremote.450451ReplayAttack:Anattackinwhichtheattackerisabletoreplaypreviouslycapturedmessages452(betweenalegitimateclaimantandaverifier)tomasqueradeasthatclaimanttotheverifieror453viceversa.454455RiskAssessment:Theprocessofidentifyingtheriskstosystemsecurityanddeterminingthe456probabilityofoccurrence,theresultingimpact,andadditionalsafeguardsthatwouldmitigate457thisimpact.PartofRiskManagementandsynonymouswithRiskAnalysis.458459Salt:Anon-secretvaluethatisusedinacryptographicprocess,usuallytoensurethatthe460resultsofcomputationsforoneinstancecannotbereusedbyanattacker.461462SecondaryAuthenticator:Atemporarysecret,issuedbytheverifiertoasuccessfully463authenticatedSubscriberaspartofanAssertionprotocol.Thissecretissubsequentlyused,by464theSubscriber,toauthenticatetotheRP.Examplesofsecondaryauthenticatorsincludebearer465Assertions,Assertionreferences,andKerberossessionkeys.466467SecureSocketsLayer(SSL):Anauthenticationandsecurityprotocolwidelyimplementedin468browsersandwebservers.SSLhasbeensupersededbythenewerTransportLayerSecurity469(TLS)protocol;TLS1.0iseffectivelySSLversion3.1.470471SecurityAssertionMark-upLanguage(SAML):AnXML-basedsecurityspecificationdeveloped472bytheOrganizationfortheAdvancementofStructuredInformationStandards(OASIS)for473exchangingauthentication(andauthorization)informationbetweentrustedentitiesoverthe474Internet.475


13

SAMLAuthenticationAssertion:ASAMLAssertionthatconveysinformationfromaverifierto476anRPaboutasuccessfulactofauthenticationthattookplacebetweentheverifieranda477Subscriber.478479SessionHijackAttack:Anattackinwhichtheattackerisabletoinserthimselforherself480betweenaclaimantandaverifiersubsequenttoasuccessfulauthenticationexchangebetween481thelattertwoParticipants.TheattackerisabletoposeasaSubscribertotheverifierorvice482versatocontrolsessiondataexchange.Sessionsbetweentheclaimantandtherelying483Participantcanalsobesimilarlycompromised.484485SharedSecret:Asecretusedinauthenticationthatisknowntotheclaimantandtheverifier.486487SocialEngineering:Theactofdeceivinganindividualintorevealingsensitiveinformationby488associatingwiththeindividualtogainconfidenceandtrust.489490SpecialPublication(SP):AtypeofpublicationissuedbyNIST.Specifically,theSpecial491Publication800-seriesreportsontheInformationTechnologyLaboratory’sresearch,guidelines,492andoutreacheffortsincomputersecurity,anditscollaborativeactivitieswithindustry,493government,andacademicorganizations.494495StronglyBoundCredentials:Credentialsthatdescribethebindingbetweenauserand496authenticatorinatamper-evidentfashion.497498Subscriber:AParticipantwhohasreceivedacredentialorauthenticatorfromaCSP.499500SymmetricKey:Acryptographickeythatisusedtoperformboththecryptographicoperation501anditsinverse,forexampletoencryptanddecrypt,orcreateamessageauthenticationcode502andtoverifythecode.503504Token:SeeAuthenticator.505506TokenAuthenticator:SeeAuthenticatorOutput.507508TokenSecret:SeeAuthenticatorSecret.509510TransportLayerSecurity(TLS):Anauthenticationandsecurityprotocolwidelyimplementedin511browsersandwebservers.TLSisdefinedby[RFC5246].TLSissimilartotheolderSecure512SocketsLayer(SSL)protocol,andTLS1.0iseffectivelySSLversion3.1.NISTSP800-52,513GuidelinesfortheSelectionandUseofTransportLayerSecurity(TLS)Implementationsspecifies514howTLSistobeusedingovernmentapplications.515516TrustAnchor:Apublicorsymmetrickeythatistrustedbecauseitisdirectlybuiltintohardware517orsoftware,orsecurelyprovisionedviaout-of-bandmeans,ratherthanbecauseitisvouched518forbyanothertrustedentity(e.g.inapublickeycertificate).519


14

UnverifiedName:ASubscribernamethatisnotverifiedasmeaningfulbyIdentityProofing.520521Valid:InreferencetoanID,thequalityofnotbeingexpiredorrevoked.522523VerifiedName:ASubscribernamethathasbeenverifiedbyIdentityProofing.524525Verifier:Anentitythatverifiestheclaimant’sidentitybyverifyingtheclaimant’spossessionand526controlofoneortwoauthenticatorsusinganauthenticationprotocol.Todothis,theverifier527mayalsoneedtovalidatecredentialsthatlinktheauthenticator(s)andidentityandchecktheir528status.529530VerifierImpersonationAttack:Ascenariowheretheattackerimpersonatestheverifierinan531authenticationprotocol,usuallytocaptureinformationthatcanbeusedtomasqueradeasa532claimanttotherealverifier.533534VirtualIn-PersonProofing:Aremoteidentitypersonproofingprocessthatemploystechnical535andproceduralmeasuresthatprovidesufficientconfidencethattheremotesessioncanbe536consideredequivalenttoaphysical,in-personidentityproofingencounter.[NISTSP800-63A]537538WeaklyBoundCredentials:Credentialsthatdescribethebindingbetweenauserand539authenticatorinamannerthancanbemodifiedwithoutinvalidatingthecredential.540541Zeroize:Overwriteamemorylocationwithdataconsistingentirelyofbitswiththevaluezero542sothatthedataisdestroyedandnotrecoverable.Thisisoftencontrastedwithdeletion543methodsthatmerelydestroyreferencetodatawithinafilesystemratherthanthedataitself.544545Zero-knowledgePasswordProtocol:Apasswordbasedauthenticationprotocolthatallowsa546claimanttoauthenticatetoaVerifierwithoutrevealingthepasswordtotheverifier.Examples547ofsuchprotocolsareEKE,SPEKEandSRP. 548


15

6 Background549550In2015,Virginia’sGeneralAssemblypassedtheElectronicIdentityManagementAct(Chapter55150ofTitle59.1,CodeofVirginia)toaddressdemandinthestate’sdigitaleconomyforsecure,552privacyenhancingElectronicAuthenticationandidentitymanagement.Growingnumbersof553“communitiesofinterest”haveadvocatedforstronger,scalableandinteroperableidentity554solutionstoincreaseconsumerprotectionandreduceliabilityforprincipalactorsintheidentity555ecosystem–IdentityProviders,CredentialServiceProvidersandRelyingParties.556557ToaddressthedemandcontemplatedbytheElectronicIdentityManagementAct,theGeneral558AssemblyalsocreatedtheIdentityManagementStandardsAdvisoryCouncil(IMSAC)toadvise559theSecretaryofTechnologyontheadoptionofidentitymanagementstandardsandthe560creationofguidancedocuments,pursuantto§2.2-436.AcopyoftheIMSACCharterhasbeen561providedinAppendix1.562563TheAdvisoryCouncilrecommendstotheSecretaryofTechnologyguidancedocumentsrelating564to(i)nationallyrecognizedtechnicalanddatastandardsregardingtheverificationand565authenticationofidentityindigitalandonlinetransactions;(ii)theminimumspecificationsand566standardsthatshouldbeincludedinanIdentityTrustFramework,asdefinedin§59.1-550,so567astowarrantliabilityprotectionpursuanttotheElectronicIdentityManagementAct(§59.1-568550etseq.);and(iii)anyotherrelateddatastandardsorspecificationsconcerningrelianceby569thirdParticipantsonidentitycredentials,asdefinedin§59.1-550.570571PurposeStatement572573Thisguidancedocument,asdefinedin§2.2-4001,wasdevelopedbytheIdentityManagement574StandardsAdvisoryCouncil(IMSAC),onbehalfoftheSecretaryofTechnology,toprovide575informationorguidanceofgeneralapplicabilitytothepublicforinterpretingorimplementing576theElectronicIdentityManagementAct.Specifically,thedocumentestablishesminimum577specificationsforFederationandParticipantRequirementsinaDigitalIdentitySystem.The578minimumspecificationshavebeendesignedtobeconformantwithNISTSP800-63C.579580Thedocumentdefinesgovernancemodels,processes,assurancelevels,andParticipant581RequirementsforaFederatedDigitalIdentitySystem.Thedocumentassumesthatspecific582ParticipantRequirementswillbeestablishedintheIdentityTrustFrameworkforeachdistinct583DigitalIdentitySystem,andthattheserequirementswillbedesignedbasedontheElectronic584AuthenticationmodelandFederationAssuranceLevel(FAL)requirementsforthesystem.585586ThedocumentlimitsitsfocustoFederationandParticipantRequirements.Minimum587specificationsforothercomponentsofaDigitalIdentitySystemhavebeendefinedinseparate588IMSACguidancedocumentsinthisseries,pursuantto§2.2-436and§2.2-437.589590


16

7 MinimumSpecifications591592NationalInstituteofStandardsandTechnologySpecialPublication800-63-3(NISTSP800-63-3)593definesan“Federation”inaDigitalIdentitySystemas“Aprocessthatallowsforthe594conveyanceofidentityandauthenticationinformationacrossasetofnetworkedsystems.”12595FederationofaDigitalIdentitySystemdependsuponeachmember,orParticipant,inthe596systemcomplyingwithParticipantRequirements,thesetofrulesandpoliciesassignedtoeach597membertypebythesystem’sIdentityTrustFramework.598599ThisdocumentestablishesminimumspecificationsforFederationandParticipant600RequirementsinaDigitalIdentitySystemconformantwithNISTSP800-63-3.However,the601minimumspecificationsdefinedinthisdocumenthavebeendevelopedtoaccommodate602requirementsforFederationandParticipantRequirementsestablishedunderothernational603andinternationalstandards.13MinimumspecificationsforothercomponentsofaDigital604IdentitySystemhavebeendocumentedinseparateguidancedocumentsintheIMSACseries,605pursuantto§2.2-436and§2.2-437.606607ElectronicAuthenticationModel608609ElectronicAuthenticationistheprocessofestablishingconfidenceinindividualidentities610presentedtoaDigitalIdentitySystem.InaFederatedDigitalIdentitySystems,Electronic611Authenticationandrelatedflowsofidentityinformationoccuracrossasetofnetworksystems.612Thesesystemsareoftenrunandcontrolledbydisparatemembersindifferentnetworkand613securitydomains.Therefore,FederationrequiresElectronicAuthenticationmodelstobe614extendedtotakeintoaccounttherolesplayedbyeachmembertypeandthecorresponding615ParticipantRequirements.616617TheminimumspecificationsforFederationandParticipantRequirementsdefinedinthis618documentreflecttheElectronicAuthenticationmodelusedprimarilybygovernmentalentities.619MorecomplexmodelsthatseparatefunctionsamongabroaderrangeofParticipantsarealso620availableandmayhaveadvantagesinsomeclassesofapplications.Whileasimplermodel621servesasthebasisfortheseminimumspecifications,itdoesnotprecludemembersinDigital622IdentitySystemsfromseparatingthesefunctions.MinimumspecificationsfortheElectronic623AuthenticationmodelreflectedinthisdocumenthavebeendefinedinIMSACGuidance624Document:ElectronicAuthentication,andagraphicofthemodelhasbeenshowninFigure1.62512ThePublicReviewversionofNationalInstituteofStandardsandTechnologySpecialPublication800-63-3(NISTSP800-63-3)maybeaccessedathttps://pages.nist.gov/800-63-3/sp800-63-3.html.Atthetimeofthepublicationofthisdocument,NISTSP800-63-3wasstillunderdevelopment.However,thisdocumentmaybeupdated,asrecommendedbyIMSAC,followingthefinaladoptionandpublicationofNISTSP800-63-3.

13TheminimumspecificationsdefinedinthisdocumentalignwiththeStateIdentityCredentialandAccessManagement(SICAM)GuidanceandRoadmap,publishedbytheNationalAssociationofStateChiefInformationOfficers(NASCIO):http://www.nascio.org/Portals/0/Publications/Documents/SICAM.pdf;andtheIdentityEcosystemFramework(IDEF),publishedbytheIdentityEcosystemSteeringGroup(IDESG):https://www.idesg.org/The-ID-Ecosystem/Identity-Ecosystem-Framework/IDEF-Core-Documents.


0

Figure1.ElectronicAuthenticationModel626

627628Source:NISTSP800-63-3,accessibleathttps://pages.nist.gov/800-63-3/sp800-63-3.html629Note:Figure1illustratesthemodelforElectronicAuthenticationinaDigitalIdentitySystem,asdocumentedinNISTSP800-63-3(PublicReview),containingall630components,requirements,andspecificationsrecommendedbyIMSAC.However,theminimumspecificationsdefinedinthisdocumenthavebeendeveloped631toaccommodaterequirementsforAssertionsestablishedunderothernationalandinternationalstandards.632

633


1

Federation634635Federationisaprocessthatallowsfortheconveyanceofidentityandauthentication636informationacrossasetofnetworkedsystems.InaFederationscenario,theverifierorCSPis637knownastheidentityprovider,orIdP.Inthisdocument,therelyingParticipant,orRP,isthe638ParticipantthatreceivestheFederatedidentity.Figure2showsacommonFederationmodel.639640Figure2:FederationModel641642

643InaFederationprotocol,atriangleisformedbetweentheSubscriber,theIdP,andtheRP.644Dependingonthespecificsoftheprotocol,differentinformationpassesacrosseachlegofthe645triangleatdifferenttimes.TheSubscribercommunicateswithboththeIdPandtheRP,usually646throughawebbrowser.TheRPandtheIdPcommunicatewitheachother,thoughthis647communicationcanhappenoverthefrontchannel(throughredirectsinvolvingtheSubscriber),648overthebackchannel(throughadirectconnection),orviaapackagedinformationbundle649(suchasacryptographicallyprotectedandself-containedAssertions).650651TheSubscriberauthenticatestotheIdPusingsomeformofprimarycredential,andthenthat652authenticationeventisassertedtotheRPacrossthenetwork.TheIdPcanalsomakeattribute653statementsabouttheSubscriberaspartofthisprocess.Attributesandauthenticationevent654informationareusuallycarriedtotheRPthroughtheuseofanAssertion.Minimum655specificationsforAssertionshavebeendocumentedinIMSACGuidanceDocument:Digital656IdentityAssertions.657658TheRPcommunicationwiththeIdPrevealstotheIdPwheretheSubscriberisconductinga659transaction.CommunicationsfrommultipleRPsallowtheIdPtobuildaprofileofSubscriber660transactionsthatwouldnothaveexistedabsentFederation.Thisaggregationcouldenablenew661capabilitiesforSubscribertrackinganduseofprofileinformationthatdonotalignwiththe662privacyinterestsoftheSubscribers.663664


2

TheIdPmustnotdiscloseinformationonSubscriberactivitiesatanRPtoanyParticipant,nor665usetheinformationforanypurposeotherthanFederatedauthentication,tocomplywithlaw666orlegalprocess,orinthecaseofaspecificuserrequestfortheinformation.TheIdPSHOULD667employtechnicalmeasurestoprovideunlinkabilityandpreventSubscriberactivitytrackingand668profiling.AIdPmaydiscloseinformationonSubscriberactivitiestootherRPswithinthe669FederationforsecuritypurposessuchascommunicationofcompromisedSubscriberaccounts.670671FederationModels672673ThissectionprovidesanoverviewofafewcommonmodelsofidentityFederationcurrentlyin674use.Inthesemodels,arelationshipisestablishedbetweenParticipantsoftheFederationin675severaldifferentways.SomemodelsmandatethatallFederatedParticipantshaveanequally676highleveloftrust,whileothermodelsallowforParticipantswithadiversityofrelationships.677678CentralAuthority679SomeFederatedParticipantsdefertoacentralauthoritytomakedecisionsforthemandto680communicatemetadatabetweenParticipants.Inthismodel,thecentralauthoritygenerally681conductssomelevelofvettingoneachParticipantintheFederationtoverifycompliancewith682predeterminedsecurityandintegritystandards.683684MostFederationsusingthecentralauthoritymodelhaveasimplemembershipmodel-either685ParticipantsareintheFederationortheyarenot.However,moresophisticatedFederations686havemultipletiersofmembershipwhichcanbeusedbyFederatedParticipantstotellwhether687otherParticipantsintheFederationhavebeenmorethoroughlyvettedorhavesomecommon688purposethatjustifiesahigherlevelofaccess.Asaconsequence,someParticipantsinthe689FederationaremorelikelytoautomaticallyreleaseinformationabouttheirSubscriberstothe690Participantsinthehighertiers.691692ManualRegistration693InthemanualregistrationmodelofFederation,systemadministratorscommunicatemetadata694andtestsysteminteroperabilitybeforetransactionstakeplacebetweenusersoverthewire.695MetadataforeachParticipantwhowishestoparticipateismanuallyinputintoaregistryof696FederatedParticipants.EachParticipantmaintainstheirownregistryofotherParticipantswith697whomtheywishtofederate.698699ManualregistrationcantakeplaceonacasebycasebasiswithoutanyauthorityorFederation700operatorinplace.Inthiscase,apairwiserelationshipiscreatedbetweentheIdPandtheRP.701702Manualregistrationcanalsoworkinconcertwithacentralauthoritymodel.Inthiscase,a703registryispre-populatedwithParticipantsknowntothecentralauthority,andmore704Participantsareaddedmanuallyonanas-neededbasis.705706707708


3

DynamicRegistration709InthedynamicregistrationmodelofFederation,systemshaveawell-knownlocationwhere710othersystemscanfindtheirmetadata.TheyalsohavepredictableAPIendpointswherenew711systemscanregisterthemselveswithouthumaninvolvement.Systemsthatmakeuseof712dynamicregistrationSHOULDrequireverifiablehumaninteraction,suchastheapprovalofthe713identityFederationtransactionbytheauthenticatedSubscriberattheIdP.714715EachFederatedParticipantsetsattributeandinformationaccesspoliciesforotherFederated716Participants.Inadynamicregistrationenvironment,anewlyregisteredParticipantcouldbe717severelylimitedinitsaccessuntilsuchtimeasitisreviewedbyanauthorizedParticipant.For718instance,asystemadministratorcangranthigherlevelsofaccess.Additionally,adynamically719registeredParticipantwillusuallyalsorequireauthorizationfromaSubscriberduringthe720authenticationtransaction(seeRuntimeDecisions).721722Frequently,Participantsinadynamicregistrationmodelhavenowaytoknoweachotherahead723oftime.Asaconsequence,littleinformationaboutusersandsystemsisexchangedbydefault.724Thisproblemissomewhatmitigatedbyatechnologycalledsoftwarestatements,whichallow725FederatedParticipantstocryptographicallyverifysomeattributesoftheParticipantsinvolved726indynamicregistration.SoftwarestatementsarelistsofattributesdescribingtheRPsoftware,727cryptographicallysignedbycertifyingbodies.BecausebothParticipantstrustthecertifying728body,thattrustcanbeextendedtotheotherParticipantinthedynamicregistration729partnership.Thisallowstheconnectiontobeestablishedorelevatedbetweenthefederating730Participantswithoutrelyingonself-assertedattributesentirely.731732ProxiedFederation733InaproxiedFederationmodel,thecommunicationbetweentheIdPandtheRPisproxiedina734waythatpreventsdirectcommunicationbetweenthetwoParticipants.Theremaybemultiple735methodsofachievingthiseffect,butcommonconfigurationsincludeathirdParticipantthat736actsasaFederationproxy(or“broker”)oranetworkof“nodes”thatdistributethe737communications.Figure3showsaFederationproxymodel.738739Effectively,theParticipantsstillfunctioninsomedegreeasaFederationIdPononesideanda740FederationRPontheotherside.Notably,aFederationproxyactsasanIdPtoallFederatedRPs741andasanRPtoallFederatedIdPs.Therefore,allnormativerequirementsthatapplytoIdPsand742RPsSHALLapplytotheParticipantsofsuchasystemintheirrespectiveroles.743744 745


4

Figure3:FederationProxyModel746

747748AproxiedFederationmodelcanprovidevariousbenefits.Forexample,Federationproxiescan749enablesimplifiedtechnicalintegrationsbetweentheRPandIdPbyeliminatingtheneedfor750multiplepointtopointintegrations,whichcanbeonerousforprotocolswhichdonotsupport751dynamicregistration.Additionally,totheextentaproxiedFederationmodeleffectivelyblinds752theRPandIdPfromeachother,itcanprovidesomebusinessconfidentialityfororganizations753thatmaynotwishtorevealtheirSubscriberliststoeachother,aswellasmitigatesomeofthe754privacyrisksofpointtopointFederationdescribedabove.755756Whilesomeproxieddeploymentsoffernoadditionalprivacyprotection(suchasthosethat757existasintegrationpoints),otherscanoffervaryinglevelsofprivacytotheSubscriberthrough758arangeofblindingtechnologies.Itshouldbenotedthatevenwiththeuseofblinding759technologies,itmaystillbepossibleforablindedParticipanttodeduceSubscriberbehavior760patternsthroughanalysisoftimestamps,cookies,attributes,orattributebundlesizes.Privacy761policiesmaydictateappropriateusebytheIdP,RP,andtheFederationproxy,butblinding762technologycanincreaseeffectivenessofthesepoliciesbymakingthedatamoredifficultto763access.Itshouldalsobenotedthatasthelevelofblindingincreases,sodoesthetechnicaland764operationalimplementationcomplexity.765766Thefollowinglistdocumentsaspectrumofblindingimplementations:767

• TheFederationproxydoesnotblindtheRPandIdPfromoneanother.TheFederation768proxyisabletomonitorandtrackallSubscriberrelationshipsbetweentheRPsandIdPs,769andhasvisibilityintoanyattributesitistransmittingintheAssertions.770

• TheFederationproxydoesnotblindtheRPandIdPfromoneanother.TheFederation771proxyisabletomonitorandtrackallSubscriberrelationshipsbetweentheRPsandIdPs,772buthasnovisibilityintoanyattributesitistransmittingintheAssertions.773

• TheFederationproxyblindstheRPandIdPfromeachother.TheFederationproxyis774abletomonitorandtrackallSubscriberrelationshipsbetweentheRPsandIdPs,andhas775visibilityintoanyattributesitistransmittingintheAssertions.776

• TheFederationproxyblindstheRPandIdPfromeachother.TheFederationproxyis777abletomonitorandtrackallSubscriberrelationshipsbetweentheRPsandIdPs,buthas778novisibilityintoanyattributesitistransmittingintheAssertions.779

• TheFederationproxyblindstheRP,IdP,anditself.TheFederationproxycannotmonitor780ortrackanySubscriberrelationships,andhasnovisibilityintoanyattributesitis781transmittingintheAssertions.782

783


5

RuntimeDecisions784785ThefactthatFederatedParticipantsareknowntoeachotherthroughsomeformofregistration786orcentralizedmanagementdoesnotnecessarilymeantheyareallowedtopassinformation.787FederatedParticipantscanestablishwhitelistsofotherFederatedParticipantswhomay788authenticateSubscribersorpassinformationaboutthemwithoutruntimeauthorizationfrom789theSubscriber.790791FederatedParticipantsalsocanestablishblacklistsofotherFederatedParticipantswhomaynot792beallowedtopassinformationaboutSubscribersatall.EveryParticipantthatisnotona793whitelistorablacklistisplacedbydefaultinagrayareawhereruntimeauthorizationdecisions794willbemadebyanauthorizedParticipant,oftentheSubscriber.795796FederationAssuranceLevel797798ThissectiondefinesallowableFederationAssuranceLevels(FAL).TheFALdescribesaspectsof799theAssertionandFederationprotocolusedinagiventransaction.Theselevelscanbe800requestedbyanRPorrequiredbyconfigurationofbothRPandIdPforagiventransaction.801802TheFALcombinesaspectsofAssertionprotectionstrengthandAssertionpresentationintoa803single,increasingscaleapplicableacrossdifferentFederationmodels.Whilemanyother804combinationsoffactorsarepossible,thislistisintendedtoprovideclearimplementation805guidelinesrepresentingincreasinglysecuredeploymentchoices.Combinationsofaspectsnot806foundintheFALtablearepossiblebutoutsidethescopeofthisdocument.807808ExamplesofAssertionsProtocols:809

• SAMLAssertions–SecurityAssertionMarkupLanguage(SAML)Assertionsarespecified810usingamark-uplanguageintendedfordescribingsecurityAssertions.Theycanbeused811byaverifiertomakeastatementtoanRPabouttheidentityofaclaimant.SAML812assertionsmayoptionallybedigitallysigned.813

• OpenIDConnectClaims-OpenIDConnectarespecifiedusingJavaScriptObjectNotation814(JSON)fordescribingsecurity,andoptionally,userclaims.JSONuserinfoclaimsmay815optionallybedigitallysigned.816

• KerberosTickets–KerberosTicketsallowaticketgrantingauthoritytoissuesession817keystotwoauthenticatedpartiesusingbasedencapsulationschemes.818

819Table1presentsdifferentrequirementsdependingonwhethertheAssertionispresented820througheitherthefrontchannelorthebackchannel(viaanAssertionreference).Each821successivelevelsubsumesandfulfillsallrequirementsoflowerlevels.Federationspresented822throughaproxymustberepresentedbythelowestlevelusedduringtheproxiedtransaction.823824825826


6

Table1.FALRequirementsbyBack-Channelv.Front-ChannelAssertions827FAL Back-ChannelPresentationRequirement Front-ChannelPresentationRequirement1 BearerAssertion,asymmetricallysignedby

IdPBearerAssertion,asymmetricallysignedbyIdP

2 BearerAssertion,asymmetricallysignedbyIdP

BearerAssertion,asymmetricallysignedbyIdPandencryptedtoRP

3 BearerAssertion,asymmetricallysignedbyIdPandencryptedtoRP

BearerAssertion,asymmetricallysignedbyIdPandencryptedtoRP

4 HolderofkeyAssertion,asymmetricallysignedbyIdPandencryptedtoRP

HolderofkeyAssertion,asymmetricallysignedbyIdPandencryptedtoRP

828Forexample,FAL1mapstotheOpenIDConnectImplicitClientprofileortheSAMLWebSSO829profile,withnoadditionalfeatures.FAL2mapstotheOpenIDConnectBasicClientprofileor830theSAMLArtifactBindingprofile,withnoadditionalfeatures.831832FAL3additionallyrequiresthattheOpenIDConnectIDTokenorSAMLAssertionbeencrypted833toapublickeyrepresentingtheRPinquestion.FAL4requiresthepresentationofanadditional834keyboundtotheAssertion(forexample,theuseofacryptographicauthenticator)alongwith835allrequirementsofFAL3.NotethattheadditionalkeypresentedatFAL4neednotbethesame836keyusedbythesubscribertoauthenticatetotheIdP.837838Regardlessofwhatisrequestedorrequiredbytheprotocol,theapplicableFALiseasily839detectedbytheRPbyobservingthenatureoftheAssertionasitispresentedaspartofthe840Federationprotocol.Therefore,theRPisresponsiblefordeterminingwhichFALsitiswillingto841acceptforagivenauthenticationtransactionandensuringthatthetransactionmeetsthe842requirementsofthatFAL.843844ParticipantRequirements845846ThefollowingsectiondefinestheminimumspecificationsforParticipantRequirementsina847FederatedDigitalIdentitySystem.Theseminimumspecificationsbuilduponthetrust848agreementsdocumentedintheStateIdentityCredentialandAccessManagement(SICAM)849GuidanceandRoadmap,publishedbytheNationalAssociationofStateChiefInformation850Officers(NASCIO).851852ParticipantsincludeRegistrationAuthorities(RAs),IdentityProviders(IdPs),CredentialService853Providers(CSPs),Verifiers,andRelyingParties(RPs).Theseminimumspecificationsassume854thatspecificParticipantRequirementswillbeestablishedintheIdentityTrustFrameworkfor855eachDigitalIdentitySystem.Formoreinformation,seeIMSACGuidanceDocument:Identity856TrustFrameworks.857 858


7

RegistrationAuthorities(RAs)859RAsestablishandvouchfortheIdentityorAttributesofanApplicanttoaCSP.RAsmaybean860integralpartofaCSP,oritmaybeindependentofaCSP,butitmaintainsatrustedrelationship861totheCSP(s).PrimaryrequirementsforRAsincludethefollowing:862

• PerformPhysicalorVirtualIn-PersonProofingfunctionsonidentityevidencesubmitted863byanApplicantforaClaimedIdentity864

• VerifyandvalidateidentityevidencesubmittedbyanApplicanttosupportaClaimed865IdentityduringaRegistrationevent.866

• PerformRegistration(orenrollment)ofApplicantsforwhichtheClaimedIdentityhas867beenverified,validated,andaccepted868

• IssueanappropriateCredentialtoaregisteredSubscriberwhohascompletedthe869Registrationprocess870

• Manage,monitor,andaudittheusageofCredentialsbySubscriberswhohave871RegisteredwiththeRA872

• EstablishandimplementaprocesstorevokeaSubscriber’sCredentialintheeventof873improperuse,irregularities,orasecuritybreach874

• Managerequiredpost-issuanceupdatesormodificationstoaSubscriber’sCredential875basedonverifiedandvalidatedchangesintheClaimedIdentityoridentityevidence876

• Establishandimplementaprocesstore-issueaSubscriber’sCredentialwhencorrective877actionhasbeentakenortheidentityevidencehasbeenupdated878

879IdentityProviders(IdPs)880IdPsmanagetheSubscriber’sprimaryauthenticationCredentialsandissueAssertionsderived881fromthoseCredentials,generallytotheCSP.PrimaryrequirementsforIdPsincludethe882following:883

• Provideatrustmodelthatensuresthatanindividualislinkedtoidentitieswhichhave884beenissued,protected,andmanagedtoprovidetheaccuracyofassertedAttributes885

• DevelopandprovideanAuthenticationprocessbywhichtheuser(Subscriberor886Applicant)providesevidencetotheIdP,whoindependentlyverifiesthattheuseriswho887heorsheclaimstobe888

• Developaprocesstoperiodicallyreevaluatethestatusoftheuserandthevalidityofhis889orherassociatedIdentity890

• DevelopaprocessforAttributemanagementtoensurethetimelycancellationor891modificationofAttributesshouldtheuser’sstatuschange892

• DevelopaprocessforauditingtheAttributeidentificationprocess,includingregistration893activities,toensureAttributesaremaintainedinaccordancewiththeprocessspecified894bythatIdP895

• Conductauditfunctionsinamannertoidentifyanyirregularitiesorsecuritybreaches896• ProvidetotheFederationauditinformation,uponrequest897• Provideaprocesstoassistuserswhohaveeitherlostorforgottentheirmeansof898

Authentication899900 901


8

CredentialServiceProviders(CSPs)902CSPsissueorregisterSubscriberauthenticatorsandissueelectroniccredentialstoSubscribers.903TheCSPmayencompassRegistrationAuthorities(RAs)andverifiersthatitoperates.ACSPmay904beanindependentthirdparty,ormayissuecredentialsforitsownuse.Primaryrequirements905forCSPsincludethefollowing:906

• ValidateIdentityAssertionsthataresubmittedbyIdPsaspartofaservicerequest907• DefineAttributesthatIdPsmustpresentforaccesstotheservice908• RespondtoreceiptofvariousrequestorAssertionsbasedontheestablishedpolicy909• PerformauditsonmaintainedCredentialsandmakeauditinformationavailabletothe910

Federation,uponrequest911912Verifiers913VerifiersconfirmtheClaimant’sIdentitybyverifyingtheClaimant’spossessionandcontrolof914oneormoreAuthenticatorsusinganauthenticationprotocol.Primaryrequirementsfor915Verifiersincludethefollowing:916

• DevelopandimplementaprocesstovalidateCredentialslinkingAuthenticator(s)toa917Subscriber’sIdentity918

• PerformongoingmonitoringofSubscriberAuthenticator(s)919• Performauditsonverificationeventsandmakeauditinformationavailabletothe920

Federation,uponrequest921922RelyingParties923RPsaccepttheSubscriber’sAuthenticator(s)andCredentialsoraVerifier’sAssertionofa924Claimant’sIdentity,typicallytoprocessatransactionorgrantaccesstoinformation,network,925orInformationSystem.PrimaryrequirementsforRPsincludethefollowing:926

• Definepoliciesfeaturingfactorsusedinaccesscontrolorauthorizationdecisions927• DocumentauthorizationrequirementsbasedongoverningAssuranceModel928• Performauditsonmaintainedauthorizationeventsandmakeauditinformation929

availabletotheFederation,uponrequest930931932 933


9

PrivacyandSecurity935936Theminimumspecificationsestablishedinthisdocumentforprivacyandsecurityintheuseof937personinformationforElectronicAuthenticationapplytheFairInformationPracticePrinciples938(FIPPs).16TheFIPPshavebeenendorsedbytheNationalStrategyforTrustedIdentitiesin939Cyberspace(NSTIC)andNASCIOinitsSICAMGuidance.17940941TheminimumspecificationsalsoadheretotheIdentityEcosystemFramework(IDEF)Baseline942FunctionalRequirements(v.1.0)forprivacyandsecurity,adoptedbytheIdentityEcosystem943SteeringGroup(IDESG)inOctober2015(Appendix2).944945TheminimumspecificationsforAssertionsapplythefollowingFIPPs:946• Transparency:RAsandCSPsshouldbetransparentandprovidenoticetoApplicants947

regardingcollection,use,dissemination,andmaintenanceofpersoninformationrequired948duringtheRegistration,IdentityProofingandverificationprocesses.949

• IndividualParticipation:RAsandCSPsshouldinvolvetheApplicantintheprocessofusing950personinformationand,totheextentpracticable,seekconsentforthecollection,use,951dissemination,andmaintenanceofthatinformation.RAsandCSPsalsoshouldprovide952mechanismsforappropriateaccess,correction,andredressofpersoninformation.953

• PurposeSpecification:RAsandCSPsshouldspecificallyarticulatetheauthoritythatpermits954thecollectionofpersoninformationandspecificallyarticulatethepurposeorpurposesfor955whichtheinformationisintendedtobeused.956

• DataMinimization:RAsandCSPsshouldcollectonlythepersoninformationdirectly957relevantandnecessarytoaccomplishtheRegistrationandrelatedprocesses,andonly958retainthatinformationforaslongasnecessarytofulfillthespecifiedpurpose.959

• UseLimitation/MinimalDisclosure:RAsandCSPsshouldusepersoninformationsolelyfor960thepurposespecifiedinthenotice.Disclosureorsharingthatinformationshouldbelimited961tothespecificpurposeforwhichtheinformationwascollected.962

• DataQualityandIntegrity:RAsandCSPsshould,totheextentpracticable,ensurethat963personinformationisaccurate,relevant,timely,andcomplete.964

• Security:RAsandCSPsshouldprotectpersonalinformationthroughappropriatesecurity965safeguardsagainstriskssuchasloss,unauthorizedaccessoruse,destruction,modification,966orunintendedorinappropriatedisclosure.967

• AccountabilityandAuditing:RAsandCSPsshouldbeaccountableforcomplyingwiththese968principles,providingtrainingtoallemployeesandcontractorswhousepersoninformation,969andauditingtheactualuseofpersoninformationtodemonstratecompliancewiththese970principlesandallapplicableprivacyprotectionrequirements. 971

16Theterm“personinformation”referstoprotecteddataforpersonentities,governedbyApplicableLaw.ThisincludesPersonallyIdentifiableInformation(PII),ProtectedHealthInformation(PHI),FederalTaxInformation(FTI),ProtectedEducationRecords,andrelatedcategories.SpecificrequirementsfortheprivacyandsecurityofpersoninformationshouldbedefinedbytheIdentityTrustFrameworkfortheDigitalIdentitySystem.

17TheFIPPsendorsedbyNSTICmaybeaccessedathttp://www.nist.gov/nstic/NSTIC-FIPPs.pdf.TheFIPPspublishedinSICAMmaybeaccessedathttp://www.nascio.org/Portals/0/Publications/Documents/SICAM.pdf.


10

Appendix1.IMSACCharter972 973

COMMONWEALTHOFVIRGINIA974IDENTITYMANAGEMENTSTANDARDSADVISORYCOUNCIL975

CHARTER976977

AdvisoryCouncilResponsibilities(§2.2-437.A;§2.2-436.A)978979TheIdentityManagementStandardsAdvisoryCouncil(theAdvisoryCouncil)advisesthe980SecretaryofTechnologyontheadoptionofidentitymanagementstandardsandthecreationof981guidancedocumentspursuantto§2.2-436.982983TheAdvisoryCouncilrecommendstotheSecretaryofTechnologyguidancedocumentsrelating984to(i)nationallyrecognizedtechnicalanddatastandardsregardingtheverificationand985authenticationofidentityindigitalandonlinetransactions;(ii)theminimumspecificationsand986standardsthatshouldbeincludedinanIdentityTrustFramework,asdefinedin§59.1-550,so987astowarrantliabilityprotectionpursuanttotheElectronicIdentityManagementAct(§59.1-988550etseq.);and(iii)anyotherrelateddatastandardsorspecificationsconcerningrelianceby989thirdParticipantsonidentitycredentials,asdefinedin§59.1-550.990991MembershipandGovernanceStructure(§2.2-437.B)992993TheAdvisoryCouncil’smembershipandgovernancestructureisasfollows:9941. TheAdvisoryCouncilconsistsofsevenmembers,tobeappointedbytheGovernor,with995

expertiseinelectronicidentitymanagementandinformationtechnology.Membersinclude996arepresentativeoftheDepartmentofMotorVehicles,arepresentativeoftheVirginia997InformationTechnologiesAgency,andfiverepresentativesofthebusinesscommunitywith998appropriateexperienceandexpertise.Inadditiontothesevenappointedmembers,the999ChiefInformationOfficeroftheCommonwealth,orhisdesignee,mayalsoserveasanex1000officiomemberoftheAdvisoryCouncil.10011002

2. TheAdvisoryCouncildesignatesoneofitsmembersaschairman.100310043. MembersappointedtotheAdvisoryCouncilservefour-yearterms,subjecttothepleasure1005

oftheGovernor,andmaybereappointed.100610074. Membersservewithoutcompensationbutmaybereimbursedforallreasonableand1008

necessaryexpensesincurredintheperformanceoftheirdutiesasprovidedin§2.2-2825.100910105. StafftotheAdvisoryCouncilisprovidedbytheOfficeoftheSecretaryofTechnology.10111012 1013


11

Theformation,membershipandgovernancestructurefortheAdvisoryCouncilhasbeen1014codifiedpursuantto§2.2-437.A,§2.2-437.B,ascitedaboveinthischarter.10151016Thestatutoryauthorityandrequirementsforpublicnoticeandcommentperiodsforguidance1017documentshavebeenestablishedpursuantto§2.2-437.C,asfollows:10181019C.Proposedguidancedocumentsandgeneralopportunityfororalorwrittensubmittalsasto1020thoseguidancedocumentsshallbepostedontheVirginiaRegulatoryTownHallandpublished1021intheVirginiaRegisterofRegulationsasageneralnoticefollowingtheprocessesand1022proceduressetforthinsubsectionBof§2.2-4031oftheVirginiaAdministrativeProcessAct(§10232.2-4000etseq.).TheAdvisoryCouncilshallallowatleast30daysforthesubmissionofwritten1024commentsfollowingthepostingandpublicationandshallholdatleastonemeetingdedicated1025tothereceiptoforalcommentnolessthan15daysafterthepostingandpublication.The1026AdvisoryCouncilshallalsodevelopmethodsfortheidentificationandnotificationofinterested1027Participantsandspecificmeansofseekinginputfrominterestedpersonsandgroups.The1028AdvisoryCouncilshallsendacopyofsuchnotices,comments,andotherbackgroundmaterial1029relativetothedevelopmentoftherecommendedguidancedocumentstotheJointCommission1030onAdministrativeRules.103110321033ThischarterwasadoptedbytheAdvisoryCouncilatitsmeetingonDecember7,2015.Forthe1034minutesofthemeetingandrelatedIMSACdocuments,visit:1035https://vita.virginia.gov/About/default.aspx?id=6442474173 1036


12

Appendix2.IDESGIdentityEcosystemFramework(IDEF)Baseline1037

FunctionalRequirements(v.1.0)forPrivacyandSecurity10381039PRIVACY-1.DATAMINIMIZATION1040EntitiesMUSTlimitthecollection,use,transmissionandstorageofpersonalinformationtothe1041minimumnecessarytofulfillthattransaction’spurposeandrelatedlegalrequirements.Entities1042providingclaimsorattributesMUSTNOTprovideanymorepersonalinformationthanwhatis1043requested.Wherefeasible,IDENTITY-PROVIDERSMUSTprovidetechnicalmechanismsto1044accommodateinformationrequestsofvariablegranularity,tosupportdataminimization.10451046PRIVACY-2.PURPOSELIMITATION1047EntitiesMUSTlimittheuseofpersonalinformationthatiscollected,used,transmitted,or1048storedtothespecifiedpurposesofthattransaction.Persistentrecordsofcontracts,assurances,1049consent,orlegalauthorityMUSTbeestablishedbyentitiescollecting,generating,using,1050transmitting,orstoringpersonalinformation,sothattheinformation,consistentlyisusedin1051thesamemanneroriginallyspecifiedandpermitted.10521053PRIVACY-3.ATTRIBUTEMINIMIZATION1054EntitiesrequestingattributesMUSTevaluatetheneedtocollectspecificattributesina1055transaction,asopposedtoclaimsregardingthoseattributes.Whereverfeasible,entitiesMUST1056collect,generate,use,transmit,andstoreclaimsaboutUSERSratherthanattributes.Wherever1057feasible,attributesMUSTbetransmittedasclaims,andtransmittedcredentialsandidentities1058MUSTbeboundtoclaimsinsteadofactualattributevalues.10591060PRIVACY-4.CREDENTIALLIMITATION1061EntitiesMUSTNOTrequestUSERS’credentialsunlessnecessaryforthetransactionandthen1062onlyasappropriatetotheriskassociatedwiththetransactionortotheriskstotheParticipants1063associatedwiththetransaction.10641065PRIVACY-5.DATAAGGREGATIONRISK1066EntitiesMUSTassesstheprivacyriskofaggregatingpersonalinformation,insystemsand1067processeswhereitiscollected,generated,used,transmitted,orstored,andwhereverfeasible,1068MUSTdesignandoperatetheirsystemsandprocessestominimizethatrisk.EntitiesMUST1069assessandlimitlinkagesofpersonalinformationacrossmultipletransactionswithoutthe1070USER'sexplicitconsent.10711072PRIVACY-6.USAGENOTICE1073EntitiesMUSTprovideconcise,meaningful,andtimelycommunicationtoUSERSdescribinghow1074theycollect,generate,use,transmit,andstorepersonalinformation.10751076PRIVACY-7.USERDATACONTROL1077EntitiesMUSTprovideappropriatemechanismstoenableUSERStoaccess,correct,anddelete1078personalinformation.1079


13

PRIVACY-8.THIRD-PARTYLIMITATIONS1080WhereverUSERSmakechoicesregardingthetreatmentoftheirpersonalinformation,those1081choicesMUSTbecommunicatedeffectivelybythatentitytoanyTHIRD-PARTIEStowhichit1082transmitsthepersonalinformation.10831084PRIVACY-9.USERNOTICEOFCHANGES1085EntitiesMUST,uponanymaterialchangestoaserviceorprocessthataffectstheprioror1086ongoingcollection,generation,use,transmission,orstorageofUSERS’personalinformation,1087notifythoseUSERS,andprovidethemwithcompensatingcontrolsdesignedtomitigateprivacy1088risksthatmayarisefromthosechanges,whichmayincludeseekingexpressaffirmativeconsent1089ofUSERSinaccordancewithrelevantlaworregulation.10901091PRIVACY-10.USEROPTIONTODECLINE1092USERSMUSThavetheopportunitytodeclineRegistration;declinecredentialprovisioning;1093declinethepresentationoftheircredentials;anddeclinereleaseoftheirattributesorclaims.10941095PRIVACY-11.OPTIONALINFORMATION1096EntitiesMUSTclearlyindicatetoUSERSwhatpersonalinformationismandatoryandwhat1097informationisoptionalpriortothetransaction.10981099PRIVACY-12.ANONYMITY1100Whereverfeasible,entitiesMUSTutilizeidentitysystemsandprocessesthatenable1101transactionsthatareanonymous,anonymouswithvalidatedattributes,pseudonymous,or1102whereappropriate,uniquelyidentified.Whereapplicabletosuchtransactions,entities1103employingserviceprovidersorintermediariesMUSTmitigatetheriskofthoseTHIRD-PARTIES1104collectingUSERpersonalinformation.OrganizationsMUSTrequestindividuals’credentialsonly1105whennecessaryforthetransactionandthenonlyasappropriatetotheriskassociatedwiththe1106transactionoronlyasappropriatetotheriskstotheParticipantsassociatedwiththe1107transaction.11081109PRIVACY-13.CONTROLSPROPORTIONATETORISK1110ControlsontheprocessingoruseofUSERS'personalinformationMUSTbecommensuratewith1111thedegreeofriskofthatprocessingoruse.AprivacyriskanalysisMUSTbeconductedby1112entitieswhoconductdigitalidentitymanagementfunctions,toestablishwhatrisksthose1113functionsposetoUSERS'privacy.11141115PRIVACY-14.DATARETENTIONANDDISPOSAL1116EntitiesMUSTlimittheretentionofpersonalinformationtothetimenecessaryforproviding1117andadministeringthefunctionsandservicestoUSERSforwhichtheinformationwascollected,1118exceptasotherwiserequiredbylaworregulation.Whennolongerneeded,personal1119informationMUSTbesecurelydisposedofinamanneraligningwithappropriateindustry1120standardsand/orlegalrequirements.11211122PRIVACY-15.ATTRIBUTESEGREGATION1123


14

Whereverfeasible,identifierdataMUSTbesegregatedfromattributedata.1124SECURE-1.SECURITYPRACTICES1125EntitiesMUSTapplyappropriateandindustry-acceptedinformationsecuritySTANDARDS,1126guidelines,andpracticestothesystemsthatsupporttheiridentityfunctionsandservices.11271128SECURE-2.DATAINTEGRITY1129EntitiesMUSTimplementindustry-acceptedpracticestoprotecttheconfidentialityand1130integrityofidentitydata—includingauthenticationdataandattributevalues—duringthe1131executionofalldigitalidentitymanagementfunctions,andacrosstheentiredatalifecycle1132(collectionthroughdestruction).11331134SECURE-3.CREDENTIALREPRODUCTION1135EntitiesthatissueormanagecredentialsandtokensMUSTimplementindustry-accepted1136processestoprotectagainsttheirunauthorizeddisclosureandreproduction.11371138SECURE-4.CREDENTIALPROTECTION1139EntitiesthatissueormanagecredentialsandtokensMUSTimplementindustry-accepteddata1140integritypracticestoenableindividualsandotherentitiestoverifythesourceofcredentialand1141tokendata.11421143SECURE-5.CREDENTIALISSUANCE1144EntitiesthatissueormanagecredentialsandtokensMUSTdosoinamannerdesignedto1145assurethattheyaregrantedtotheappropriateandintendedUSER(s)only.WhereRegistration1146andcredentialissuanceareexecutedbyseparateentities,proceduresforensuringaccurate1147exchangeofRegistrationandissuanceinformationthatarecommensuratewiththestated1148assurancelevelMUSTbeincludedinbusinessagreementsandoperatingpolicies.11491150SECURE-6.CREDENTIALUNIQUENESS1151EntitiesthatissueormanagecredentialsMUSTensurethateachaccounttocredentialpairingis1152uniquelyidentifiablewithinitsnamespaceforauthenticationpurposes.11531154SECURE-7.TOKENCONTROL1155EntitiesthatauthenticateaUSERMUSTemployindustry-acceptedsecureauthentication1156protocolstodemonstratetheUSER'scontrolofavalidtoken.11571158SECURE-8.MULTIFACTORAUTHENTICATION1159EntitiesthatauthenticateaUSERMUSTofferauthenticationmechanismswhichaugmentorare1160alternativestoapassword.11611162SECURE-9.AUTHENTICATIONRISKASSESSMENT1163EntitiesMUSThaveariskassessmentprocessinplacefortheselectionofauthentication1164mechanismsandsupportingprocesses.116511661167


15

1168SECURE-10.UPTIME1169EntitiesthatprovideandconductdigitalidentitymanagementfunctionsMUSThaveestablished1170policiesandprocessesinplacetomaintaintheirstatedassurancesforavailabilityoftheir1171services.11721173SECURE-11.KEYMANAGEMENT1174EntitiesthatusecryptographicsolutionsaspartofidentitymanagementMUSTimplementkey1175managementpoliciesandprocessesthatareconsistentwithindustry-acceptedpractices.11761177SECURE-12.RECOVERYANDREISSUANCE1178EntitiesthatissuecredentialsandtokensMUSTimplementmethodsforreissuance,updating,1179andrecoveryofcredentialsandtokensthatpreservethesecurityandassuranceoftheoriginal1180Registrationandcredentialingoperations.11811182SECURE-13.REVOCATION1183EntitiesthatissuecredentialsortokensMUSThaveprocessesandproceduresinplaceto1184invalidatecredentialsandtokens.11851186SECURE-14.SECURITYLOGS1187EntitiesconductingdigitalidentitymanagementfunctionsMUSTlogtheirtransactionsand1188securityevents,inamannerthatsupportssystemauditsand,wherenecessary,security1189investigationsandregulatoryrequirements.Timestampsynchronizationanddetailoflogs1190MUSTbeappropriatetothelevelofriskassociatedwiththeenvironmentandtransactions.11911192SECURE-15.SECURITYAUDITS1193EntitiesMUSTconductregularauditsoftheircompliancewiththeirowninformationsecurity1194policiesandprocedures,andanyadditionalrequirementsoflaw,includingareviewoftheir1195logs,incidentreportsandcredentiallossoccurrences,andMUSTperiodicallyreviewthe1196effectivenessoftheirpoliciesandproceduresinlightofthatdata.11971198