Identity Assurance Framework

The Identity Assurance Framework (IAF) provides operational policies that give Relying Parties, End-Users, Government Agencies and Industry Communities confidence in a Federated Identity in which an Identity Provider (IdP) issues credentials. The degree of confidence in identity assurance is expressed as a commonly agreed-upon "level of assurance." The IAF specifies how IdPs must run their services and how they are audited to ensure they operate in conformance with their proclaimed level(s) of assurance and their stated terms of service.
The IAF is maintained by the Kantara Initiative Identity Assurance Work Group. It has been used by several governments to derive local assurance frameworks and has contributed to ISO/IEC 29115 and FIDIS.
History
* The U.S. federal government's GSA published OMB 0404, which required agencies to establish certain security criteria for remote authentication.
* NIST published the guideline SP 800-63, which recommended technical safeguards to implement OMB 0404.
* The CAF (Credential Assessment Framework) was the next development step, derived from SP 800-63.
* The CAF was contributed to the Liberty Alliance, which extended it with supporting documents such as a service assessment policy. The result is the Identity Assurance Framework.
* Kantara Initiative, as successor of the Liberty Alliance, has maintained the document since 2010.
Contents
The IAF is a standardized approach that defines processes and procedures by which IdPs, Relying Parties and Federation Operators can trust each other's credentials at known levels of assurance. The main components of the IAF are:
<ol>
<li> Assurance Level Criteria</li>
<li> Service and Credential Assessment Criteria</li>
<li> Accreditation and Certification Model, and</li>
<li> Associated Business Rules.</li>
</ol>
Assurance Level Criteria
Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The IAF defers to the guidance provided by the [http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.2 (NIST800-63)], which outlines four (4) levels of assurance ranging in confidence from low to very high. The level of assurance (LOA) provided is measured by the strength and rigor of the identity proofing process, the strength of the credential, and the management processes the service provider applies to it. The IAF then describes the service assessment criteria at each AL for electronic trust services that provide credential management services. The IAF has published a standard set of assurance levels for the authentication of the user: Level 1 means low assurance, Level 2 means medium assurance, and so on. As of today there are 4 levels, based on the NIST levels of assurance, with Level 4 being the highest.
When a digital token is issued, it states the level of assurance at which the user was authenticated, Level 1 through Level 4. For example, one issuer may have used an RSA SecurID token in combination with a username and password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID and PIN to issue a Level 2 token. The RP receiving tokens from both issuers simply knows that both tokens are Level 2; it does not know, and does not need to know, what the actual mechanics were, only that an audit process certified that the mechanism generating the token meets the criteria laid out by the Liberty IAF.
On the Relying Party side, these same four Assurance Levels map to increasing levels of risk from hacking, data/identity theft, etc. In this way, Assurance Levels match an increased risk of harm with a correspondingly increased required trust in the identities of the transaction participants.
The four Assurance Levels have been adopted by several governments, such as the U.K., Canada, New Zealand, the U.S. and the EU, for categorizing electronic identity trust levels when providing electronic government services.
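The two paragraphs above describe the Relying Party's decision: a token carries only the AL at which the user was authenticated, the RP maps each transaction's risk to a minimum AL, and the RP trusts the AL because an audit accredited the issuer, not because it knows the mechanism. The following Python model is an added example, not part of the original page or of Kantara's own tooling; the issuer names, the accreditation register and the transaction-to-level policy are constructed for illustration. It also shows the check a practitioner adds in practice: a token's claimed level is only honoured up to the level at which its issuer is accredited.

```python
from dataclasses import dataclass
from enum import IntEnum


class AssuranceLevel(IntEnum):
    """The four NIST SP 800-63 / IAF levels, ordered so they compare numerically."""
    LEVEL_1 = 1  # low
    LEVEL_2 = 2  # medium
    LEVEL_3 = 3  # high
    LEVEL_4 = 4  # very high


@dataclass(frozen=True)
class Token:
    """What the RP sees: who issued it, for whom, and at which AL the user was
    authenticated. Deliberately no field for the authentication mechanism; the
    RP is not told, and does not need to know, how the issuer reached that AL."""
    issuer: str
    subject: str
    level: AssuranceLevel


# Constructed accreditation register (hypothetical issuers): the highest AL at
# which an audit has certified each issuer. In a real federation this comes
# from the federation operator's published list of accredited CSPs.
ACCREDITED_ISSUERS = {
    "idp-a.example": AssuranceLevel.LEVEL_2,  # e.g. hardware OTP + username/password
    "idp-b.example": AssuranceLevel.LEVEL_2,  # e.g. biometric + UserID/PIN
    "idp-c.example": AssuranceLevel.LEVEL_1,
}

# The RP's own risk mapping: the greater the harm if the identity is wrong,
# the higher the minimum AL it demands. Transaction names are constructed.
REQUIRED_LEVEL = {
    "read_public_catalog": AssuranceLevel.LEVEL_1,
    "update_profile": AssuranceLevel.LEVEL_2,
    "transfer_funds": AssuranceLevel.LEVEL_3,
}


def accept(token: Token, transaction: str,
           registry=ACCREDITED_ISSUERS, policy=REQUIRED_LEVEL) -> tuple[bool, str]:
    """Decide whether the RP may rely on `token` for `transaction`.

    Two independent checks: the claimed AL must not exceed what the issuer is
    accredited for (an unaccredited or over-claiming issuer is rejected), and
    the claimed AL must meet the RP's minimum for this transaction."""
    accredited = registry.get(token.issuer)
    if accredited is None:
        return False, f"issuer {token.issuer} is not accredited"
    if token.level > accredited:
        return False, (f"issuer {token.issuer} is accredited only to Level "
                       f"{int(accredited)} but token claims Level {int(token.level)}")
    required = policy[transaction]
    if token.level < required:
        return False, (f"{transaction} requires Level {int(required)}, "
                       f"token is Level {int(token.level)}")
    return True, f"accepted at Level {int(token.level)}"


if __name__ == "__main__":
    # Two issuers, two different mechanisms, both Level 2: the RP treats them identically.
    for issuer in ("idp-a.example", "idp-b.example"):
        print(issuer, accept(Token(issuer, "alice", AssuranceLevel.LEVEL_2), "update_profile"))
    # A Level 2 token is not enough for a Level 3 transaction.
    print(accept(Token("idp-a.example", "alice", AssuranceLevel.LEVEL_2), "transfer_funds"))
    # An issuer cannot claim a level above its accreditation.
    print(accept(Token("idp-c.example", "bob", AssuranceLevel.LEVEL_2), "update_profile"))
```

The `Token` type carries no description of the authentication mechanism on purpose: the RP's policy is written entirely in terms of levels, which is what lets a federation add new IdPs with new mechanisms without every RP changing its rules.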
Service and Credential Assessment Criteria
The Service and Credential Assessment Criteria section establishes baseline criteria for organizational conformity, identity proofing services, credential strength, and credential management services, against which all Credential Service Providers (CSPs) are evaluated. The IAF also establishes a protocol for publishing updates, as needed, to account for technological advances and for changes in preferred practice and policy.
These criteria set out the requirements that services and their providers must meet at each assurance level within the Framework in order to receive Liberty accreditation. They impose increasingly strict requirements on the general business and organizational operations of services and their providers, increasingly stringent requirements on identity proofing services, and increasingly strict requirements on credential management services and their providers.
CSPs can determine the AL at which their services might qualify by evaluating their overall business processes and technical mechanisms against the Service Assessment Criteria. The Service Assessment Criteria within each AL are the basis for assessing and approving electronic trust services.
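The CSP-side counterpart of the assessment is a self-evaluation against criteria that get stricter at each level. The following Python sketch is an added example, not the page's or Kantara's own code, and the criteria in it are hypothetical placeholders constructed to show the shape of the assessment rather than the IAF's actual criteria. The point it makes is that levels are cumulative: a service that meets every Level 4 criterion but misses one Level 3 criterion qualifies only at Level 2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    """A CSP's self-description of its business processes and technical mechanisms."""
    security_policy_documented: bool
    proofing: str            # "none", "remote_documents" or "in_person"
    credential_factors: int  # number of authentication factors in the credential
    hardware_token: bool     # credential bound to a hardware cryptographic token
    records_retention_years: int


# Hypothetical assessment criteria, grouped by the AL at which they first apply.
# Constructed for illustration; NOT the IAF's actual criteria or identifiers.
# Each entry: (criterion id, description, predicate over the profile).
CRITERIA = {
    1: [
        ("ORG-1", "documented information security policy",
         lambda p: p.security_policy_documented),
    ],
    2: [
        ("IDP-2", "identity proofing against documentary evidence",
         lambda p: p.proofing in ("remote_documents", "in_person")),
        ("CRD-2", "credential with at least one authentication factor",
         lambda p: p.credential_factors >= 1),
    ],
    3: [
        ("CRD-3", "multi-factor credential",
         lambda p: p.credential_factors >= 2),
        ("ORG-3", "assessment records retained for at least 7 years",
         lambda p: p.records_retention_years >= 7),
    ],
    4: [
        ("IDP-4", "in-person identity proofing",
         lambda p: p.proofing == "in_person"),
        ("CRD-4", "hardware cryptographic token",
         lambda p: p.hardware_token),
    ],
}


def assess(profile: ServiceProfile):
    """Return (qualifying_level, unmet) for a service profile.

    Levels are cumulative: a service qualifies at AL n only if it meets every
    criterion at AL n and at all lower levels, so the first level with an unmet
    criterion caps the result at the level below it, however many higher-level
    criteria happen to be satisfied. `unmet` lists the criteria that stopped
    the climb (empty when the top level is reached); 0 means no level at all."""
    for level in sorted(CRITERIA):
        unmet = [(cid, desc) for cid, desc, check in CRITERIA[level] if not check(profile)]
        if unmet:
            return level - 1, unmet
    return max(CRITERIA), []


if __name__ == "__main__":
    # Strong mechanisms but weak record keeping: capped at Level 2 by ORG-3,
    # even though both Level 4 criteria are met.
    csp = ServiceProfile(security_policy_documented=True, proofing="in_person",
                         credential_factors=2, hardware_token=True,
                         records_retention_years=3)
    print(assess(csp))
```

Reporting the unmet criteria alongside the level is what makes the output actionable for the CSP: it names the cheapest gap to close before seeking accreditation at the next level.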
Key terms
*AL: Assurance Level---the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements
*CSP: Credential Service Provider---a third-party entity that authenticates identities for RPs
*IdP: Identity Provider---the entity that issues an identity credential, for example a workplace network administrator, a social networking service, an online game administrator, or a government entity
*RP: Relying Party---the entity that needs to know, to some degree, that the presented electronic identity credential truly represents the individual named in the credential