Transport and Security Standards Work Group New Directions In Identity Paul Grassi Senior Standards and Technology Advisor

Post on 14-Dec-2015



Existing Challenges

Well-rounded pilots hitting diverse user set

FCCX Goes Live

Market Discovery

Attribute Providers

Internet of Things

Consumer-Centric

Deployment Costs

Standards Gaps

Embedded Privacy

Identification of policy and technical overlays

NSTIC Launch

IDE Sustaining

Timeline axis: 2012, 2013, 2014, 2015

Envision It!?

True Interoperability

RP Integration + Cost

Public and Private Sectors

Liability

Attributes


Envision It (soon we hope)!

But we have partially realized so many of these already - http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf


But We Are Getting Closer

NIST Coverage of Identity Services


Key

No coverage

Partial coverage, to include other D/A documentation

Full coverage

Needs refreshing


Where We Will Focus in FY14/15

Codify privacy enhancing profiles

Enhance/Establish ‘standard’ to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)

Address portability of preferred credentials and relying party accounts

BYOI

Revisit and retool existing standards to address current market state and flex to innovation

Develop new standards that increase IE participation

Increase participation in commercial open standards

Mobility, Cloud, Shared Services

Simplify, accelerate, and reduce the cost of ICAM implementations

Focus beyond the PIV

Establish RP toolkits

Identify and foster innovation from untapped sources

IoT Identity

Non-intrusive security model

Continuous monitoring and assessment


Assurance – What Would You Think If?

Componentized Trust and Assurance Elements and Supported Assembly of ‘Vectors of Trust’

NIST just measured authentication performance/strength/usability?

Got rid of LOA?

What else could we do to turn these docs on their head to enhance the IE?

Developed a private sector companion to 800-63?

Vectors of Trust – Discussion Example


Identity Proofing [IP]

Assertion Presentation [AP]

Credential Strength [CS]

Binding [B]

Provider 1: IP[ ] CS[ ] AP[ ] B[ ]

Provider 2: CS[ ] AP[ ] B[ ]

Provider 3: IP[ ]

Relying Party Risk Tolerance

Individual Choice

DISCUSSION ONLY – CONCEPTUAL FOR ILLUSTRATION AND PROVOCATION PURPOSES

New Standard? Market/Trust Framework Driven

Levels Provider Supported Components and Levels

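As an added illustration (not part of the deck, and not any NIST or project code) of how such componentized vectors could be parsed, assembled from several providers by individual choice, and checked against a relying party's risk tolerance. The component levels, provider offerings and tolerance values are constructed for the example, since the slide leaves the brackets blank.

```python
import re

# Components named on the slide: identity proofing, credential strength,
# assertion presentation, binding.
COMPONENTS = ("IP", "CS", "AP", "B")
VECTOR_RE = re.compile(r"(IP|CS|AP|B)\[(\d)\]")


def parse_vector(text: str) -> dict:
    """'IP[2]CS[3]B[1]' -> {'IP': 2, 'CS': 3, 'B': 1}; anything else in the string is rejected."""
    if VECTOR_RE.sub("", text).strip():
        raise ValueError(f"unparseable vector: {text!r}")
    return {comp: int(level) for comp, level in VECTOR_RE.findall(text)}


def format_vector(vector: dict) -> str:
    return "".join(f"{comp}[{vector[comp]}]" for comp in COMPONENTS if comp in vector)


def assemble(providers: dict, choices: dict) -> dict:
    """Compose one vector from per-component provider choices (the slide's 'individual choice')."""
    vector = {}
    for component, provider in choices.items():
        offered = providers[provider]
        if component not in offered:
            raise ValueError(f"{provider} does not supply {component}")
        vector[component] = offered[component]
    return vector


def shortfalls(vector: dict, tolerance: dict) -> list:
    """Components below the RP's minimum level; a component nobody supplied counts as 0."""
    return [f"{comp}: have {vector.get(comp, 0)}, need {need}"
            for comp, need in tolerance.items() if vector.get(comp, 0) < need]


# Constructed sample: the slide's three providers with illustrative levels (the slide's brackets are blank).
PROVIDERS = {
    "Provider 1": parse_vector("IP[1]CS[2]AP[2]B[1]"),
    "Provider 2": parse_vector("CS[3]AP[3]B[2]"),
    "Provider 3": parse_vector("IP[3]"),
}
RP_TOLERANCE = parse_vector("IP[2]CS[2]AP[1]B[1]")   # constructed relying-party risk tolerance


def evaluate(choices: dict) -> tuple:
    """Return (assembled vector string, list of shortfalls against RP_TOLERANCE)."""
    vector = assemble(PROVIDERS, choices)
    return format_vector(vector), shortfalls(vector, RP_TOLERANCE)
```

Taking identity proofing from Provider 3 and the remaining components from Provider 2 satisfies the constructed tolerance, while relying on Provider 1 alone falls short on proofing.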


Other Components?

Reputation of subject

Reputation of IdP

Additional external claims (presumably signed by third party)

Heuristic Compensating Controls

Endpoint Security

Trusted Identities

Organization

Maturity

Business Process Legal

Other

Liability

Contractual strength

Account recovery

Credential revocation

Incident response

OpSec

Do Nothing

Address Root Causes

Let RPs Decide

Attributes – What Should Happen?


Meta-Attribute

Confidence/Truthiness

Liability

Security and Privacy

Governance

Exchange

Informs

Dependent Standards

Performance Metrics

Risk Tolerance

Market

Attribute Registries

OR

Include attributes in next ‘800-63’


Privacy By Design

Diagram: a User Record held by the CSP, with Agency 1 and Agency 2 each receiving a differently shaped view of it.

Designed specifically to ensure that privacy requirements of anonymity, unlinkability and unobservability are built in from the start

In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them.


But…

Attributes flow freely through FCCX

If they didn’t, RPs would get them on their own (inconsistently)

“Let the RP Figure It Out” is the wrong answer!


So...We Need A Privacy Profile

Double Blind Architecture (diagram)

Parties: Relying Party, Broker, CSP, Attribute Provider, User Consent

Authentication Request: Relying Party to Broker, Broker to CSP

Response + Encrypted Attributes: returned through the Broker to the Relying Party

1. CSP/AP can’t know the RP

2. Broker can’t see the attributes

3. Standard and Protocol Agnostic

4. RP can’t know CSP

5. Minimal Changes to Infrastructure (but we may soften this requirement)
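As an added example (not from the deck or any FCCX/NSTIC implementation), a Python simulation of the double-blind broker flow covering points 1, 2 and 4: the CSP sees only a broker transaction id, the attribute provider encrypts the consented attributes to a key the RP supplies so the broker relays only ciphertext, and the RP receives a per-RP pairwise pseudonym rather than a CSP identity. The user record, the keys and the HMAC-based keystream that stands in for real encryption (a JWE to the RP's public key in practice) are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record held by the CSP / attribute provider (not from the deck).
RECORD = {"subject": "csp-subject-123", "name": "Alice Example", "age": 42}


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for real encryption to the RP's key (a JWE in practice): an HMAC-SHA256
    counter-mode keystream XORed with the data. Symmetric, so it also decrypts."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


class CSP:
    def __init__(self):
        self.seen = []                       # everything the CSP could log about a caller

    def authenticate(self, txn_id: str) -> str:
        self.seen.append(txn_id)             # a broker transaction id only, never the RP
        return RECORD["subject"]


class AttributeProvider:
    def release(self, subject: str, rp_key: bytes, consented: list) -> str:
        # User consent limits what is released; the subject selects the record (one record here).
        attrs = {k: RECORD[k] for k in consented} if subject == RECORD["subject"] else {}
        nonce = secrets.token_bytes(16)
        return (nonce + xor_stream(rp_key, nonce, json.dumps(attrs).encode())).hex()


class Broker:
    """Double-blind hub: relays requests and ciphertext, never plaintext attributes."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def pairwise_id(self, subject: str, rp_id: str) -> str:
        # Per-RP pseudonym: two RPs cannot link the same user by comparing identifiers
        return hmac.new(self.secret, f"{subject}|{rp_id}".encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, rp_id: str, rp_key: bytes, csp: CSP, ap: AttributeProvider, consented: list) -> dict:
        subject = csp.authenticate(secrets.token_hex(8))   # (1) CSP/AP can't know the RP
        blob = ap.release(subject, rp_key, consented)       # (2) broker can't see the attributes
        return {"sub": self.pairwise_id(subject, rp_id), "enc_attrs": blob}   # (4) RP can't know the CSP


def rp_decrypt(rp_key: bytes, blob_hex: str) -> dict:
    raw = bytes.fromhex(blob_hex)
    return json.loads(xor_stream(rp_key, raw[:16], raw[16:]))
```

The broker's secret alone determines the pseudonyms, so the same user gets a stable identifier at one RP and an unlinkable one at another; the RP's key is passed through the broker, which is a place a real deployment must check that key fingerprints do not themselves identify the RP to the attribute provider.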


In Summary: Rebooting and Reinvigorating Our Commitment to Identity and Access Management

We Are Not Special

We Need to Adopt Private Sector Identity Innovation

We All Need to Stop Talking Amongst Ourselves

RPs and Users Rule

Be On The Lookout For Upcoming Public/Private Engagement Opportunities


Contact Information

United States Department of Commerce, National Institute of Standards and Technology

Paul Grassi, CISSP, Senior Standards and Technology Advisor, NSTIC

Information Technology Laboratory

1401 Constitution Ave. NW, Rm. 2069, Washington, DC 20230

W: 202.482.8349, M: 703.786.8275, Email: [email protected]