This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
identity-canon/research/authentication-federation/nist-800-63-4.md
tegwick 1c1b5c9bc6 Complete IDENTITY-WP-0003 corpus backfill and model refinement
Backfill all 23 research source notes with terminology extracts, modeling
assumptions, conflicts, canonical mappings, and references. Refresh terminology
artifacts, refine the conceptual model with explicit scenario paths, reconcile
canon surfaces and open questions, and mark the workplan finished.
2026-06-21 20:22:20 +02:00

129 lines
5.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# NIST SP 800-63-4
## Source Type
Government guideline. NIST Special Publication 800-63-4, Digital Identity
Guidelines (2025).
## Domain
Identity assurance, authentication assurance, federation assurance, and
identity lifecycle.
## Why This Source Matters
NIST identity guidance separates identity proofing, authentication assurance,
federation assurance, and lifecycle management.
NIST 800-63 provides the most explicit assurance-level vocabulary for
separating how strongly an identity is bound to a person, how strongly
authentication occurred, and how federation preserves or degrades assurance.
## Key Concepts
- **IAL (Identity Assurance Level)**: confidence that a subscriber is who they
claim to be (IAL1IAL3).
- **AAL (Authenticator Assurance Level)**: confidence in authentication
mechanism strength (AAL1AAL3).
- **FAL (Federation Assurance Level)**: confidence in federation protocol and
assertion protection (FAL1FAL3).
- **Subscriber**: party enrolled with a CSP (credential service provider).
- **Credential Service Provider (CSP)**: issues credentials and performs
identity proofing.
- **Relying Party (RP)**: depends on CSP assertions.
- **Identity Provider (IdP) / Asserting Party (AP)**: federates authentication
to RPs.
- **Verifier**: entity confirming claimant possession of authenticator.
- **Binding**: association between subscriber, identity, and authenticator.
- **Identity proofing**: collection and validation of evidence about a person.
- **Authenticator**: something the subscriber possesses/controls for auth.
- **Federation assertion**: signed statement from IdP to RP about
authentication and attributes.
## Relevant Terminology
| Term | Source meaning |
| --- | --- |
| Subscriber | Enrolled party at CSP; not necessarily named "user." |
| CSP | Provider performing proofing and credential issuance. |
| RP | Consumer of identity/authentication assertions. |
| IAL | Identity proofing strength level. |
| AAL | Authentication event strength level. |
| FAL | Federation protocol/assertion protection level. |
| Claimant | Party attempting authentication. |
| Verifier | Confirms authenticator use. |
| Binding | Link between subscriber identity and authenticator. |
| Supervised remote proofing | IAL2+ proofing with human or tech supervision. |
## Modeling Assumptions
- **Identity assurance, authentication, and federation are separable**
dimensions with independent levels.
- **Subscriber is the enrolled entity**, not the legal person directly; binding
connects them.
- **Proofing evidence matters** and should be retained per policy.
- **Federation may preserve or reduce assurance** depending on FAL and
assertion contents.
- **Lifecycle includes enrollment, binding, maintenance, and termination.**
- **Pseudonymous enrollment is allowed** at IAL1 without real-name binding.
- **Agency/customer relationship** is outside the technical model but affects
policy.
## Identity-Canon Implications
- NIST **Subscriber** maps to **Account** or enrolled **Identity Record**
bound to **Natural Person** at higher IAL.
- **IAL** maps to **Assurance Level** on Identity Record / Person binding.
- **AAL** maps to **Assurance Level** on authentication event / Credential use.
- **FAL** maps to **Assurance Level** on **Trust Relationship** or federation
assertion.
- **Binding** maps to **Synonymity Assertion** or **Identifier Binding**
between subscriber, person, and authenticator.
- **Identity proofing evidence** maps to **Evidence Source**.
- Reinforces **P7** (synonymity as assertion) and **P8** (preserve evidence).
- Supports S12 (weak match insufficient for IAL2+), S13 (strong link with
verification), S06 (family/guardian proofing).
## Terminology Conflicts
- **Subscriber vs. User**: NIST subscriber is enrolled party; apps say user.
- **Identity vs. Subscriber**: NIST separates identity proofing from
subscriber record.
- **Credential vs. Authenticator**: NIST distinguishes credential (issued)
from authenticator (possessed); products conflate.
- **IAL vs. Account trust**: assurance on person binding ≠ account permissions.
- **Federation vs. Synonymity**: federation assertion ≠ same-person claim
across systems.
## Candidate Canonical Mappings
| NIST concept | Candidate canonical concept |
| --- | --- |
| Subscriber | Account / enrolled Identity Record |
| CSP / IdP | Issuer Scope + Trust Relationship |
| RP | Relying party Scope |
| IAL | Assurance Level (identity proofing) |
| AAL | Assurance Level (authentication) |
| FAL | Assurance Level (federation) |
| Authenticator | Credential |
| Binding | Identifier Binding / Synonymity Assertion |
| Proofing evidence | Evidence Source |
| Federation assertion | Claim + Credential (signed) |
| Claimant | Actor attempting authentication (projection) |
## Open Questions
- Should IAL/AAL/FAL be a unified Assurance Level vocabulary or three
orthogonal dimensions in canon?
- How should pseudonymous IAL1 subscribers map when no Natural Person binding
exists?
- Does guardian-assisted proofing for minors warrant a distinct Relationship
type with assurance caps?
- Should CSP subscriber ID be a Scoped Identifier under CSP Scope?
## References
- NIST SP 800-63-4 — https://pages.nist.gov/800-63-4/
- NIST SP 800-63A (Enrollment and Identity Proofing) — https://pages.nist.gov/800-63-4/sp800-63A.html
- NIST SP 800-63B (Authentication and Lifecycle) — https://pages.nist.gov/800-63-4/sp800-63B.html
- NIST SP 800-63C (Federation and Assertions) — https://pages.nist.gov/800-63-4/sp800-63C.html