Core Identity Standard Moves to 90-Day Comment Period
Several months ago, the blog titled "A Core Identity Standard Gets Revised" noted that NIST was in the process of revising their twenty-year-old "gold standard", known as the NIST Special Publication (SP) 800-63 Electronic Authentication Guideline specification. At the time, NIST had issued a preview of the document for informal comments. Now NIST has incorporated that informal feedback into SP 800-63 and begun a 90-day period for formal requests for comment.
As before, NIST is employing modern approaches in interacting with the community, using GitHub as a communication vehicle. There are considerable changes between the preview and this draft, again reflecting the openness with which NIST is conducting their work. In addition, NIST is being responsive to international interests and use of the standard in their process and the resulting content. It is a commendable process.
The draft standard itself has changed significantly. For starters, its name is now "Digital Identity Guidelines", though we old-timers will continue to refer to it as 800-63. It has three sections:
- 800-63A (Enrollment and Identity Proofing)
- 800-63B (Authentication and Lifecycle Management)
- 800-63C (Federation and Assertions)
Each has changes with implications for the Internet2 community.
The Enrollment and Identity Proofing section is now fundamentally rethought from the old standard. From its former monolithic perspective, the view has evolved into distinct "vectors of trust" and there are some innovative approaches to each of those vectors. For example, there are now guidelines on how digital evidence, such as social media, can be used in the vector of identity proofing a physical individual.
The Authentication and Lifecycle Management section is also significantly different, from refined biometrics requirements (to address new attacks on visual scans of facial images) to clarity about the use of SMS as a second factor.
But it is the Federation and Assertions section that may have the greatest impact for us. It is a completely new part of 800-63, developed to standardize the federated identity world that R&E helped create. The landscape 800-63C covers is quite large, a federated world that those of us at the start of Internet2 knew would become intricate if it was successful. The standard’s goal of orchestrating structure across a variety of federated protocols (such as SAML and OIDC), a variety of federated operators (from InCommon to Homeland Security to Google), and a variety of purposes (business to government, citizen to government, government to government, etc.) is daunting.
There are a significant number of technical recommendations, including specifics on the minimum contents of assertions, secure mechanisms for passing those assertions, and federated operators' responsibilities for aggregating and sharing the encryption keys that secure a federated world. There are also a number of specific policy recommendations around privacy and usability. The privacy section addresses user notification and consent with points that require data minimization, fine-grained user controls, and minimizing tracking and profiling through careful management of identifiers. The usability section covers presentation issues, such as types of information to display versus hide, and context and informed content tools to help users sort through their roles and options for the consequences of their decisions.
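To make two of those recommendations concrete, here is an added example (not code from NIST, Internet2, or the draft itself) of what a relying party's checks on assertion contents and an identity provider's pairwise identifier derivation can look like. The claim names (`iss`, `sub`, `aud`, `iat`, `exp`, `jti`), the clock-skew and maximum-age values, and the sample assertion are all assumptions chosen for illustration, not a transcription of what 800-63C requires; signature verification against the issuer's published key is assumed to have already happened upstream.

```python
import hashlib
import hmac
import time


class InvalidAssertion(Exception):
    """Raised when an assertion fails one of the relying-party checks."""


# Assumed minimum claim set (illustrative, not the draft's own list):
#   iss - issuer (the identity provider that signed the assertion)
#   sub - subject identifier for the user
#   aud - audience, the relying party the assertion was minted for
#   iat - issued-at time, seconds since the epoch
#   exp - expiry time, seconds since the epoch
#   jti - unique assertion id, used to refuse replays
REQUIRED_CLAIMS = ("iss", "sub", "aud", "iat", "exp", "jti")


def validate_assertion(claims, trusted_issuers, expected_audience,
                       now=None, max_age=300, seen_ids=None):
    """Check the contents of an already signature-verified assertion.

    Returns True when every check passes and raises InvalidAssertion
    otherwise. `seen_ids` is a mutable set the caller keeps across calls
    so that each assertion id is accepted only once.
    """
    now = time.time() if now is None else now

    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise InvalidAssertion("missing claims: %s" % ", ".join(missing))

    if claims["iss"] not in trusted_issuers:
        raise InvalidAssertion("untrusted issuer %r" % claims["iss"])

    # aud may be a single string or a list; this relying party must appear in it.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        raise InvalidAssertion("assertion not intended for this audience")

    iat, exp = claims["iat"], claims["exp"]
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        raise InvalidAssertion("iat and exp must be numeric timestamps")
    if exp <= iat:
        raise InvalidAssertion("exp must be later than iat")
    if exp <= now:
        raise InvalidAssertion("assertion expired")
    if iat > now + 60:  # small allowance for clock skew between IdP and RP
        raise InvalidAssertion("assertion issued in the future")
    if now - iat > max_age:
        raise InvalidAssertion("assertion older than %d seconds" % max_age)

    # Replay protection: an assertion id that was already consumed is refused.
    if seen_ids is not None:
        if claims["jti"] in seen_ids:
            raise InvalidAssertion("assertion id already used")
        seen_ids.add(claims["jti"])

    return True


def pairwise_subject(subject, relying_party, idp_secret):
    """Derive a per-relying-party pseudonymous identifier for a user.

    The same user receives a different but stable identifier at each
    relying party, so two parties cannot correlate their records by
    identifier alone. An HMAC keyed with a secret held only by the
    identity provider is one common way to build this.
    """
    msg = ("%s\x00%s" % (relying_party, subject)).encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


# Constructed sample assertion, as a relying party would see it after
# signature verification. Values are illustrative only.
SAMPLE_NOW = 1489000000
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.edu",
    "sub": "alice@example.edu",
    "aud": ["https://sp.example.org"],
    "iat": SAMPLE_NOW - 30,
    "exp": SAMPLE_NOW + 270,
    "jti": "constructed-assertion-0001",
}
TRUSTED_ISSUERS = {"https://idp.example.edu"}


def check_sample():
    """Run the validator over the constructed sample; True if it passes."""
    return validate_assertion(SAMPLE_CLAIMS, TRUSTED_ISSUERS,
                              "https://sp.example.org",
                              now=SAMPLE_NOW, seen_ids=set())


if __name__ == "__main__":
    print("sample assertion valid:", check_sample())
    secret = b"constructed-idp-secret"  # sample value, never hard-code in practice
    print(pairwise_subject("alice@example.edu", "https://sp.example.org", secret))
    print(pairwise_subject("alice@example.edu", "https://other.example.net", secret))
```

The audience and expiry checks are the ones most often skipped in home-grown relying parties, and skipping them lets an assertion minted for one service be presented to another, or an old captured assertion be presented again; the `seen_ids` set closes the second gap for the assertion's lifetime, after which expiry takes over.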
The current version is still a draft; inputs from this formal comment period, ending March 31, 2017, will be folded into a final version, likely later this year. You are encouraged to provide individual feedback directly to NIST, and/or to contribute by March 15 to the aggregation of community feedback using the Trust and Identity Consultation wiki.
Given the changes between the preview and this new version, it is reasonable to expect that the final version of 800-63 may have further differences. Still, in the technical direction and the process, a community-leveraged initiative is effectively moving towards a new gold standard SP 800-63, one that may serve as long as the old one did.
GitHub is being used to collect comments on the Digital Identity Guidelines Draft. See a summary of the comment process.