generated from coulomb/repo-seed
Backfill all 23 research source notes with terminology extracts, modeling assumptions, conflicts, canonical mappings, and references. Refresh terminology artifacts, refine the conceptual model with explicit scenario paths, reconcile canon surfaces and open questions, and mark the workplan finished.
5.4 KiB
5.4 KiB
NIST SP 800-63-4
Source Type
Government guideline. NIST Special Publication 800-63-4, Digital Identity Guidelines (2025).
Domain
Identity assurance, authentication assurance, federation assurance, and identity lifecycle.
Why This Source Matters
NIST identity guidance separates identity proofing, authentication assurance, federation assurance, and lifecycle management.
NIST 800-63 provides the most explicit assurance-level vocabulary for separating how strongly an identity is bound to a person, how strongly authentication occurred, and how federation preserves or degrades assurance.
Key Concepts
- IAL (Identity Assurance Level): confidence that a subscriber is who they claim to be (IAL1–IAL3).
- AAL (Authenticator Assurance Level): confidence in authentication mechanism strength (AAL1–AAL3).
- FAL (Federation Assurance Level): confidence in federation protocol and assertion protection (FAL1–FAL3).
- Subscriber: party enrolled with a CSP (credential service provider).
- Credential Service Provider (CSP): issues credentials and performs identity proofing.
- Relying Party (RP): depends on CSP assertions.
- Identity Provider (IdP) / Asserting Party (AP): federates authentication to RPs.
- Verifier: entity confirming claimant possession of authenticator.
- Binding: association between subscriber, identity, and authenticator.
- Identity proofing: collection and validation of evidence about a person.
- Authenticator: something the subscriber possesses/controls for auth.
- Federation assertion: signed statement from IdP to RP about authentication and attributes.
Relevant Terminology
| Term | Source meaning |
|---|---|
| Subscriber | Enrolled party at CSP; not necessarily named "user." |
| CSP | Provider performing proofing and credential issuance. |
| RP | Consumer of identity/authentication assertions. |
| IAL | Identity proofing strength level. |
| AAL | Authentication event strength level. |
| FAL | Federation protocol/assertion protection level. |
| Claimant | Party attempting authentication. |
| Verifier | Confirms authenticator use. |
| Binding | Link between subscriber identity and authenticator. |
| Supervised remote proofing | IAL2+ proofing with human or tech supervision. |
Modeling Assumptions
- Identity assurance, authentication, and federation are separable dimensions with independent levels.
- Subscriber is the enrolled entity, not the legal person directly; binding connects them.
- Proofing evidence matters and should be retained per policy.
- Federation may preserve or reduce assurance depending on FAL and assertion contents.
- Lifecycle includes enrollment, binding, maintenance, and termination.
- Pseudonymous enrollment is allowed at IAL1 without real-name binding.
- Agency/customer relationship is outside the technical model but affects policy.
Identity-Canon Implications
- NIST Subscriber maps to Account or enrolled Identity Record bound to Natural Person at higher IAL.
- IAL maps to Assurance Level on Identity Record / Person binding.
- AAL maps to Assurance Level on authentication event / Credential use.
- FAL maps to Assurance Level on Trust Relationship or federation assertion.
- Binding maps to Synonymity Assertion or Identifier Binding between subscriber, person, and authenticator.
- Identity proofing evidence maps to Evidence Source.
- Reinforces P7 (synonymity as assertion) and P8 (preserve evidence).
- Supports S12 (weak match insufficient for IAL2+), S13 (strong link with verification), S06 (family/guardian proofing).
Terminology Conflicts
- Subscriber vs. User: NIST subscriber is enrolled party; apps say user.
- Identity vs. Subscriber: NIST separates identity proofing from subscriber record.
- Credential vs. Authenticator: NIST distinguishes credential (issued) from authenticator (possessed); products conflate.
- IAL vs. Account trust: assurance on person binding ≠ account permissions.
- Federation vs. Synonymity: federation assertion ≠ same-person claim across systems.
Candidate Canonical Mappings
| NIST concept | Candidate canonical concept |
|---|---|
| Subscriber | Account / enrolled Identity Record |
| CSP / IdP | Issuer Scope + Trust Relationship |
| RP | Relying party Scope |
| IAL | Assurance Level (identity proofing) |
| AAL | Assurance Level (authentication) |
| FAL | Assurance Level (federation) |
| Authenticator | Credential |
| Binding | Identifier Binding / Synonymity Assertion |
| Proofing evidence | Evidence Source |
| Federation assertion | Claim + Credential (signed) |
| Claimant | Actor attempting authentication (projection) |
Open Questions
- Should IAL/AAL/FAL be a unified Assurance Level vocabulary or three orthogonal dimensions in canon?
- How should pseudonymous IAL1 subscribers map when no Natural Person binding exists?
- Does guardian-assisted proofing for minors warrant a distinct Relationship type with assurance caps?
- Should CSP subscriber ID be a Scoped Identifier under CSP Scope?
References
- NIST SP 800-63-4 — https://pages.nist.gov/800-63-4/
- NIST SP 800-63A (Enrollment and Identity Proofing) — https://pages.nist.gov/800-63-4/sp800-63A.html
- NIST SP 800-63B (Authentication and Lifecycle) — https://pages.nist.gov/800-63-4/sp800-63B.html
- NIST SP 800-63C (Federation and Assertions) — https://pages.nist.gov/800-63-4/sp800-63C.html