ITUT X 1254 ISOIEC 29115 An Overview of

Current Status • Goal is 2012 publication of X. 1254|ISO/IEC 29115 by both SDO’s

Background • Challenge: Protect system security and individual privacy during e-authenication over open networks.

Five Step Process • Conduct Risk Assessment • Map identified risks to appropriate assurance

Contents 1. Scope 2. 3. 4. 5. Normative References Definitions Abbreviations Conventions 6. Levels

Clause 1 - Scope • This Recommendation | International Standard provides a framework for

Clause 6 - Lo. As • Describes 4 Levels of Assurance (Lo. As) Level

Clause 7 - Actors • • • Entity Credential Service Provider (CSP) Registration Authority

Clause 8 - EEAF Normative Enrolment phase Credential management phase Entity authentication phase Management

Clause 9 – Management and Organizational Considerations • • Service Establishment Legal and Contractual

Clause 10 – Threats and Controls • Organized by phase and process of the

Clause 11 – Service Assurance Criteria • Trust framework operators that seek to comply

Questions? • Contact Information – ITU-T Editor: Dick Brackney • dibrack@microsoft. com – ISO

Slides: 13

Download presentation

ITU-T X. 1254 | ISO/IEC 29115 An Overview of the Entity Authentication Assurance Framework

Current Status • Goal is 2012 publication of X. 1254|ISO/IEC 29115 by both SDO’s • Currently – Undergoing balloting at ISO for Draft International Standard (DIS) – Expected to be “Determined” at ITU-T in February • ITU-T Editor: Dick Brackney, Microsoft • ISO Editor: Erika Mc. Callister, NIST

Background • Challenge: Protect system security and individual privacy during e-authenication over open networks. • Approach: Provide an appropriate level of assurance for those transactions that require eauthentication. • Based on NIST SP 800 -63, e-Authentication Guidelines, June 2006 • Implementation: Five Step Process

Five Step Process • Conduct Risk Assessment • Map identified risks to appropriate assurance level • Select appropriate controls • Validate that the implemented controls has met the required assurance level. • Periodically re-assess to determine technology refresh requirements

Contents 1. Scope 2. 3. 4. 5. Normative References Definitions Abbreviations Conventions 6. Levels of Assurance 7. Actors 8. Entity Authentication Assurance Framework Phases 9. Management and Organizational Considerations 10. Threats and Controls 11. Service Assurance Criteria

Clause 1 - Scope • This Recommendation | International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it: – specifies four levels of entity authentication assurance; – specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance; – provides guidance for mapping other authentication assurance schemes to the four Lo. As; – provides guidance for exchanging the results of authentication that are based on the four Lo. As; and – provides guidance concerning controls that should be used to mitigate authentication threats.

Clause 6 - Lo. As • Describes 4 Levels of Assurance (Lo. As) Level Description 1 – Low Little or no confidence in the asserted identity 2 – Medium Some confidence in the asserted identity 3 – High confidence in the asserted identity 4 – Very high confidence in the asserted identity

Clause 7 - Actors • • • Entity Credential Service Provider (CSP) Registration Authority (RA) Relying Party (RP) Verifier Trusted Third Party (TTP)

Clause 8 - EEAF Normative Enrolment phase Credential management phase Entity authentication phase Management & Informative Organizational Technical • Service Record-keeping establishment • Legal and contractual compliance • Financial provisions • Credential creation • Credential storage • Information security • Credential pre • Credential management and processing suspension, audit • Credential initialization revocation, and/or • External service • Credential binding destruction components • Credential issuance • Credential renewal • Operational • Credential activation and/or replacement infrastructure • Record-keeping • Measuring Clause 10 Threats operational • Authentication capabilities and Controls are • Record-keeping • Application and initiation • Identity proofing • Identity verification • recording • Registration organized around these processes

Clause 9 – Management and Organizational Considerations • • Service Establishment Legal and Contractual Compliance Financial Provisions Information Security Management and Audit • External Service Components • Operational Infrastructure • Measuring Operational Capabilities

Clause 10 – Threats and Controls • Organized by phase and process of the EAAF • For humans and non-person entities (NPEs)

Clause 11 – Service Assurance Criteria • Trust framework operators that seek to comply with this Framework shall establish specific criteria fulfilling the requirements of each Lo. A that they intend to support and shall assess the CSPs that claim compliance with the Framework against those criteria. Likewise, CSPs shall determine the Lo. A at which their services comply with this Framework by evaluating their overall business processes and technical mechanisms against specific criteria.

Questions? • Contact Information – ITU-T Editor: Dick Brackney • dibrack@microsoft. com – ISO Editor: Erika Mc. Callister • erika. mccallister@nist. gov