This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
identity-canon/research/authentication-federation/nist-800-63-4.md
tegwick 1c1b5c9bc6 Complete IDENTITY-WP-0003 corpus backfill and model refinement
Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
2026-06-21 20:22:20 +02:00

5.4 KiB
Raw Blame History

NIST SP 800-63-4

Source Type

Government guideline. NIST Special Publication 800-63-4, Digital Identity Guidelines (2025).

Domain

Identity assurance, authentication assurance, federation assurance, and identity lifecycle.

Why This Source Matters

NIST identity guidance separates identity proofing, authentication assurance, federation assurance, and lifecycle management.

NIST 800-63 provides the most explicit assurance-level vocabulary for separating how strongly an identity is bound to a person, how strongly authentication occurred, and how federation preserves or degrades assurance.

Key Concepts

  • IAL (Identity Assurance Level): confidence that a subscriber is who they claim to be (IAL1IAL3).
  • AAL (Authenticator Assurance Level): confidence in authentication mechanism strength (AAL1AAL3).
  • FAL (Federation Assurance Level): confidence in federation protocol and assertion protection (FAL1FAL3).
  • Subscriber: party enrolled with a CSP (credential service provider).
  • Credential Service Provider (CSP): issues credentials and performs identity proofing.
  • Relying Party (RP): depends on CSP assertions.
  • Identity Provider (IdP) / Asserting Party (AP): federates authentication to RPs.
  • Verifier: entity confirming claimant possession of authenticator.
  • Binding: association between subscriber, identity, and authenticator.
  • Identity proofing: collection and validation of evidence about a person.
  • Authenticator: something the subscriber possesses/controls for auth.
  • Federation assertion: signed statement from IdP to RP about authentication and attributes.

Relevant Terminology

Term Source meaning
Subscriber Enrolled party at CSP; not necessarily named "user."
CSP Provider performing proofing and credential issuance.
RP Consumer of identity/authentication assertions.
IAL Identity proofing strength level.
AAL Authentication event strength level.
FAL Federation protocol/assertion protection level.
Claimant Party attempting authentication.
Verifier Confirms authenticator use.
Binding Link between subscriber identity and authenticator.
Supervised remote proofing IAL2+ proofing with human or tech supervision.

Modeling Assumptions

  • Identity assurance, authentication, and federation are separable dimensions with independent levels.
  • Subscriber is the enrolled entity, not the legal person directly; binding connects them.
  • Proofing evidence matters and should be retained per policy.
  • Federation may preserve or reduce assurance depending on FAL and assertion contents.
  • Lifecycle includes enrollment, binding, maintenance, and termination.
  • Pseudonymous enrollment is allowed at IAL1 without real-name binding.
  • Agency/customer relationship is outside the technical model but affects policy.

Identity-Canon Implications

  • NIST Subscriber maps to Account or enrolled Identity Record bound to Natural Person at higher IAL.
  • IAL maps to Assurance Level on Identity Record / Person binding.
  • AAL maps to Assurance Level on authentication event / Credential use.
  • FAL maps to Assurance Level on Trust Relationship or federation assertion.
  • Binding maps to Synonymity Assertion or Identifier Binding between subscriber, person, and authenticator.
  • Identity proofing evidence maps to Evidence Source.
  • Reinforces P7 (synonymity as assertion) and P8 (preserve evidence).
  • Supports S12 (weak match insufficient for IAL2+), S13 (strong link with verification), S06 (family/guardian proofing).

Terminology Conflicts

  • Subscriber vs. User: NIST subscriber is enrolled party; apps say user.
  • Identity vs. Subscriber: NIST separates identity proofing from subscriber record.
  • Credential vs. Authenticator: NIST distinguishes credential (issued) from authenticator (possessed); products conflate.
  • IAL vs. Account trust: assurance on person binding ≠ account permissions.
  • Federation vs. Synonymity: federation assertion ≠ same-person claim across systems.

Candidate Canonical Mappings

NIST concept Candidate canonical concept
Subscriber Account / enrolled Identity Record
CSP / IdP Issuer Scope + Trust Relationship
RP Relying party Scope
IAL Assurance Level (identity proofing)
AAL Assurance Level (authentication)
FAL Assurance Level (federation)
Authenticator Credential
Binding Identifier Binding / Synonymity Assertion
Proofing evidence Evidence Source
Federation assertion Claim + Credential (signed)
Claimant Actor attempting authentication (projection)

Open Questions

  • Should IAL/AAL/FAL be a unified Assurance Level vocabulary or three orthogonal dimensions in canon?
  • How should pseudonymous IAL1 subscribers map when no Natural Person binding exists?
  • Does guardian-assisted proofing for minors warrant a distinct Relationship type with assurance caps?
  • Should CSP subscriber ID be a Scoped Identifier under CSP Scope?

References