A Core Identity Standard Gets Revised

Aug 25, 2016, by Kenneth Klingenstein
Tags: InCommon, TIER, Trust & Identity, Trust and Identity in Education and Research

For a long time, Special Publication (SP) 800-63, Electronic Authentication Guideline, published by NIST (the National Institute of Standards and Technology), has served as the reference standard describing the basic identification and authentication processes that control access to applications. Although scoped specifically to government identity needs, it has been adopted as a de facto standard across sectors and internationally. It covers many key issues, from establishing an identity and binding it to an identifier, to how that identity authenticates to applications with security needs ranging from commonplace to very high. Virtually every InCommon participant has used NIST SP 800-63 as a basis for some of the business processes around institutional identity.

Unfortunately, NIST SP 800-63 has fallen out of date over time and no longer reflects new technologies and approaches. To address that, NIST is now creating a new version of SP 800-63 that is remarkably novel in both its architecture and its community engagement approach.

Figure: The GitHub home for public development of NIST SP 800-63: Digital Authentication Guidelines.

A word about that community engagement process. Law requires a certain public vetting process for revisions to federal regulations such as NIST SP 800-63, including publication in the Federal Register and written comment periods. To work with the community on refining the draft standard, NIST has created a “preview” process by placing the draft on GitHub (a major international open source repository). It is currently available there for open comment worldwide. NIST will fold those comments into a next version that will then go through the formal review process described above.

Two things should be drawn from this approach: it will take some time, and perhaps some changes, before the new NIST SP 800-63 becomes operative; and NIST has taken a refreshing and open approach to creating the best possible standard. NIST has provided an overview of this process and various links on its website.