Presentation from Internet Identity Workshop, May 2011 on ways that Level of Assurance can be adapted to better mesh with the National Strategy for Trusted Identities in Cyberspace (NSTIC). More discussion is at http://blogs.cisco.com/security/adapting-levels-of-assurance-for-the-nstic/

1. Adapting Levels of Assurance for NSTIC Jim Fenton <fenton@cisco.com>

2. LOA Requirements (M-04-04) “E-Authentication Guidance for Federal Agencies” Dated December 16,2003 Issued by Office of Management and Budget Specifies four levels of assurance and when they should be used

3. M-04-04 Levels of Assurance An indicator of risk/value of the transaction Drives authentication and identity proofing requirements

4. Impact of Authentication Errors Impacts consider both potential harm and likelihood Categories: Inconvenience, distress, or damage to standing or reputation Financial loss or agency liability Harm to agency programs or public interests Unauthorized release of sensitive information Personal safety Civil or criminal violations Degree of impact Low, Moderate, or High within each category Severity and duration of effect

5. Maximum Potential Impacts by Assurance Level

6. NIST SP 800-63 “Electronic Authentication Guideline” Issued April 2006 (v1.0.2) by NIST Technical guidelines for how authentication should be done in response to M-04-04 Currently being revised by NIST

7. SP 800-63 Requirements Observation: A lot of existing authentication is done in plaintext We are at level 0! Question: Is proofing an authentication issue or an attribute issue?

8. Attribute and “Identity” Providers NSTIC distinguishes between “Identity” and Attribute Providers Identity Providers authenticate and provide authentication assertions Pseudonymity implies that other assertions don’t automatically come with authentication Proposal: Fully separate authentication from all other attributes IdP provides referrals to attribute services Question: Isn’t identity proofing an attribute provider, not an authentication requirement? Suggesting separation of proofing from authentication requirements in SP 800-63 revision

9. How does this work? Effective LOA = min(LOA of authentication, accredited LOA of authentication provider, LOA of attribute binding, accredited LOA of attribute provider) LOA of attribute binding is determined by (lesser of): Attribute provider’s confidence in attribute LOA of authentication used at enrollment with provider Effective LOA maps to M-04-04 requirements

10. Why do we Care? Identity Providers are the users’ agents in the identity world Require the most trust from the user Therefore user choice is important Removing the proofing requirement enables many more IdPs Can issue LOA 4 hardware token without in-person transaction An arms-length relationship between credential and attribute providers is good for privacy

11. References OMB M-04-04, “E-Authentication Guidance for Federal Agencies”: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf NIST Special Publication 800-63, “Electronic Authentication Guideline” http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf My blog series on NSTIC (will be addressing this) http://blogs.cisco.com/tag/nstic-series/