ITU-T X.1254 | ISO/IEC 29115
An Overview of the Entity Authentication Assurance Framework

Current Status
• Goal is 2012 publication of X.1254 | ISO/IEC 29115 by both SDOs
• Currently
  – Undergoing balloting at ISO for Draft International Standard (DIS)
  – Expected to be "Determined" at ITU-T in February
• ITU-T Editor: Dick Brackney, Microsoft
• ISO Editor: Erika McCallister, NIST

Background
• Challenge: Protect system security and individual privacy during e-authentication over open networks.
• Approach: Provide an appropriate level of assurance for those transactions that require e-authentication.
• Based on NIST SP 800-63, e-Authentication Guidelines, June 2006
• Implementation: Five Step Process

Five Step Process
• Conduct a risk assessment
• Map the identified risks to the appropriate assurance level
• Select appropriate controls
• Validate that the implemented controls have met the required assurance level
• Periodically re-assess to determine technology refresh requirements

Contents
1. Scope
2. Normative References
3. Definitions
4. Abbreviations
5. Conventions
6. Levels of Assurance
7. Actors
8. Entity Authentication Assurance Framework Phases
9. Management and Organizational Considerations
10. Threats and Controls
11. Service Assurance Criteria

Clause 1 – Scope
• This Recommendation | International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it:
  – specifies four levels of entity authentication assurance;
  – specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance;
  – provides guidance for mapping other authentication assurance schemes to the four LoAs;
  – provides guidance for exchanging the results of authentication that are based on the four LoAs; and
  – provides guidance concerning controls that should be used to mitigate authentication threats.

Clause 6 – LoAs
• Describes 4 Levels of Assurance (LoAs)

  Level          Description
  1 – Low        Little or no confidence in the asserted identity
  2 – Medium     Some confidence in the asserted identity
  3 – High       High confidence in the asserted identity
  4 – Very high  Very high confidence in the asserted identity

Clause 7 – Actors
• Entity
• Credential Service Provider (CSP)
• Registration Authority (RA)
• Relying Party (RP)
• Verifier
• Trusted Third Party (TTP)

Clause 8 – EAAF
Technical phases (normative):
• Enrolment phase
  – Application and initiation
  – Identity proofing
  – Identity verification
  – Record-keeping
  – Registration
• Credential management phase
  – Credential creation
  – Credential pre-processing
  – Credential initialization
  – Credential binding
  – Credential issuance
  – Credential activation
  – Credential storage
  – Credential suspension, revocation, and/or destruction
  – Credential renewal and/or replacement
  – Record-keeping
• Entity authentication phase
  – Authentication
  – Record-keeping
Management & Organizational (informative):
• Service establishment
• Legal and contractual compliance
• Financial provisions
• Information security management and audit
• External service components
• Operational infrastructure
• Measuring operational capabilities
Clause 10 Threats and Controls are organized around these processes.

Clause 9 – Management and Organizational Considerations
• Service Establishment
• Legal and Contractual Compliance
• Financial Provisions
• Information Security Management and Audit
• External Service Components
• Operational Infrastructure
• Measuring Operational Capabilities

Clause 10 – Threats and Controls
• Organized by phase and process of the EAAF
• For humans and non-person entities (NPEs)

Clause 11 – Service Assurance Criteria
• Trust framework operators that seek to comply with this Framework shall establish specific criteria fulfilling the requirements of each LoA that they intend to support, and shall assess the CSPs that claim compliance with the Framework against those criteria. Likewise, CSPs shall determine the LoA at which their services comply with this Framework by evaluating their overall business processes and technical mechanisms against specific criteria.

Questions?
• Contact Information
  – ITU-T Editor: Dick Brackney
    • dibrack@microsoft.com
  – ISO Editor: Erika McCallister
    • erika.mccallister@nist.gov
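The following is an added example, not code from the slides or from the X.1254 | ISO/IEC 29115 text, showing how a relying party might apply the five-step process (risk assessment, mapping to one of the four LoAs, control selection and validation) together with the clause 1 guidance on mapping other schemes' levels to the four LoAs and the clause 11 rule that a CSP is only trusted at the LoA a trust framework operator has assessed it for. The impact scale, the control names, the "metal-scheme" levels and the CSP names are all constructed assumptions for illustration; the standard leaves those concrete values to the implementer.

```python
"""Relying-party view of LoA selection, control validation and result acceptance.

Added example; all mappings, control names, scheme names and CSP names are
constructed assumptions, not values from X.1254 | ISO/IEC 29115.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class LoA(IntEnum):
    """The four levels of assurance of clause 6."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Steps 1-2: worst-case impact of a failed authentication -> required LoA.
# Hypothetical impact scale (assumption); the standard does not fix these values.
IMPACT_TO_LOA: Dict[str, LoA] = {
    "none": LoA.LOW,
    "low": LoA.LOW,
    "moderate": LoA.MEDIUM,
    "high": LoA.HIGH,
    "severe": LoA.VERY_HIGH,
}


def required_loa(impacts: Dict[str, str]) -> LoA:
    """Step 2: the transaction's LoA is driven by its highest-impact risk category."""
    return max(IMPACT_TO_LOA[level] for level in impacts.values())


# Step 3: illustrative control sets per LoA (assumption, not the clause 10 catalogue).
CONTROLS_BY_LOA: Dict[LoA, Set[str]] = {
    LoA.LOW: {"self_asserted_identity", "single_factor"},
    LoA.MEDIUM: {"remote_identity_proofing", "single_factor", "credential_revocation"},
    LoA.HIGH: {"remote_identity_proofing", "multi_factor", "credential_revocation", "record_keeping"},
    LoA.VERY_HIGH: {"in_person_identity_proofing", "hardware_multi_factor",
                    "credential_revocation", "record_keeping"},
}


def missing_controls(target: LoA, implemented: Set[str]) -> Set[str]:
    """Step 4: validate implemented controls; an empty result means the target LoA is met."""
    return CONTROLS_BY_LOA[target] - implemented


# Clause 1 guidance: mapping another scheme's levels onto the four LoAs.
# "metal-scheme" with bronze/silver/gold is a constructed scheme for this example only.
OTHER_SCHEMES: Dict[str, Dict[str, LoA]] = {
    "metal-scheme": {"bronze": LoA.LOW, "silver": LoA.MEDIUM, "gold": LoA.HIGH},
}

# Clause 11: the trust framework operator assesses each CSP against its criteria.
# Constructed registry of assessed LoAs (assumption).
CSP_ASSESSED_LOA: Dict[str, LoA] = {
    "csp-a.example": LoA.HIGH,
    "csp-b.example": LoA.MEDIUM,
}


@dataclass(frozen=True)
class AuthResult:
    """An authentication result the relying party receives from a CSP."""
    csp: str
    scheme: str  # "x1254" or a key of OTHER_SCHEMES
    level: str   # "1".."4" for x1254, otherwise the scheme's own label


def asserted_loa(result: AuthResult) -> LoA:
    """Translate the asserted level into one of the four LoAs."""
    if result.scheme == "x1254":
        return LoA(int(result.level))
    return OTHER_SCHEMES[result.scheme][result.level]


def accept(result: AuthResult, impacts: Dict[str, str]) -> Tuple[bool, str]:
    """RP decision: the effective LoA is capped by the CSP's assessed LoA and
    must reach the LoA the transaction's risk assessment requires."""
    need = required_loa(impacts)
    assessed: Optional[LoA] = CSP_ASSESSED_LOA.get(result.csp)
    if assessed is None:
        return False, "CSP not assessed by the trust framework operator"
    effective = min(asserted_loa(result), assessed)
    if effective < need:
        return False, "effective LoA %d below required LoA %d; step-up authentication needed" % (effective, need)
    return True, "effective LoA %d satisfies required LoA %d" % (effective, need)


if __name__ == "__main__":
    # Constructed risk assessment for one transaction (step 1 output).
    tx = {"financial_loss": "high", "damage_to_standing": "moderate"}
    print("required LoA:", required_loa(tx))
    print(accept(AuthResult("csp-a.example", "x1254", "3"), tx))
    print(accept(AuthResult("csp-b.example", "metal-scheme", "gold"), tx))
```

The cap in `accept` is the practical consequence of clause 11: a CSP asserting "gold" (mapped to LoA 3) is still only worth LoA 2 to the RP if the trust framework operator assessed it at LoA 2, so the RP falls back to step-up authentication rather than trusting the assertion at face value.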