generated from coulomb/repo-seed
Backfill all 23 research source notes with terminology extracts, modeling assumptions, conflicts, canonical mappings, and references. Refresh terminology artifacts, refine the conceptual model with explicit scenario paths, reconcile canon surfaces and open questions, and mark the workplan finished.
129 lines
5.4 KiB
Markdown
129 lines
5.4 KiB
Markdown
# NIST SP 800-63-4
|
||
|
||
## Source Type
|
||
|
||
Government guideline. NIST Special Publication 800-63-4, Digital Identity
|
||
Guidelines (2025).
|
||
|
||
## Domain
|
||
|
||
Identity assurance, authentication assurance, federation assurance, and
|
||
identity lifecycle.
|
||
|
||
## Why This Source Matters
|
||
|
||
NIST identity guidance separates identity proofing, authentication assurance,
|
||
federation assurance, and lifecycle management.
|
||
|
||
NIST 800-63 provides the most explicit assurance-level vocabulary for
|
||
separating how strongly an identity is bound to a person, how strongly
|
||
authentication occurred, and how federation preserves or degrades assurance.
|
||
|
||
## Key Concepts
|
||
|
||
- **IAL (Identity Assurance Level)**: confidence that a subscriber is who they
|
||
claim to be (IAL1–IAL3).
|
||
- **AAL (Authenticator Assurance Level)**: confidence in authentication
|
||
mechanism strength (AAL1–AAL3).
|
||
- **FAL (Federation Assurance Level)**: confidence in federation protocol and
|
||
assertion protection (FAL1–FAL3).
|
||
- **Subscriber**: party enrolled with a CSP (credential service provider).
|
||
- **Credential Service Provider (CSP)**: issues credentials and performs
|
||
identity proofing.
|
||
- **Relying Party (RP)**: depends on CSP assertions.
|
||
- **Identity Provider (IdP) / Asserting Party (AP)**: federates authentication
|
||
to RPs.
|
||
- **Verifier**: entity confirming claimant possession of authenticator.
|
||
- **Binding**: association between subscriber, identity, and authenticator.
|
||
- **Identity proofing**: collection and validation of evidence about a person.
|
||
- **Authenticator**: something the subscriber possesses/controls for auth.
|
||
- **Federation assertion**: signed statement from IdP to RP about
|
||
authentication and attributes.
|
||
|
||
## Relevant Terminology
|
||
|
||
| Term | Source meaning |
|
||
| --- | --- |
|
||
| Subscriber | Enrolled party at CSP; not necessarily named "user." |
|
||
| CSP | Provider performing proofing and credential issuance. |
|
||
| RP | Consumer of identity/authentication assertions. |
|
||
| IAL | Identity proofing strength level. |
|
||
| AAL | Authentication event strength level. |
|
||
| FAL | Federation protocol/assertion protection level. |
|
||
| Claimant | Party attempting authentication. |
|
||
| Verifier | Confirms authenticator use. |
|
||
| Binding | Link between subscriber identity and authenticator. |
|
||
| Supervised remote proofing | IAL2+ proofing with human or tech supervision. |
|
||
|
||
## Modeling Assumptions
|
||
|
||
- **Identity assurance, authentication, and federation are separable**
|
||
dimensions with independent levels.
|
||
- **Subscriber is the enrolled entity**, not the legal person directly; binding
|
||
connects them.
|
||
- **Proofing evidence matters** and should be retained per policy.
|
||
- **Federation may preserve or reduce assurance** depending on FAL and
|
||
assertion contents.
|
||
- **Lifecycle includes enrollment, binding, maintenance, and termination.**
|
||
- **Pseudonymous enrollment is allowed** at IAL1 without real-name binding.
|
||
- **Agency/customer relationship** is outside the technical model but affects
|
||
policy.
|
||
|
||
## Identity-Canon Implications
|
||
|
||
- NIST **Subscriber** maps to **Account** or enrolled **Identity Record**
|
||
bound to **Natural Person** at higher IAL.
|
||
- **IAL** maps to **Assurance Level** on Identity Record / Person binding.
|
||
- **AAL** maps to **Assurance Level** on authentication event / Credential use.
|
||
- **FAL** maps to **Assurance Level** on **Trust Relationship** or federation
|
||
assertion.
|
||
- **Binding** maps to **Synonymity Assertion** or **Identifier Binding**
|
||
between subscriber, person, and authenticator.
|
||
- **Identity proofing evidence** maps to **Evidence Source**.
|
||
- Reinforces **P7** (synonymity as assertion) and **P8** (preserve evidence).
|
||
- Supports S12 (weak match insufficient for IAL2+), S13 (strong link with
|
||
verification), S06 (family/guardian proofing).
|
||
|
||
## Terminology Conflicts
|
||
|
||
- **Subscriber vs. User**: NIST subscriber is enrolled party; apps say user.
|
||
- **Identity vs. Subscriber**: NIST separates identity proofing from
|
||
subscriber record.
|
||
- **Credential vs. Authenticator**: NIST distinguishes credential (issued)
|
||
from authenticator (possessed); products conflate.
|
||
- **IAL vs. Account trust**: assurance on person binding ≠ account permissions.
|
||
- **Federation vs. Synonymity**: federation assertion ≠ same-person claim
|
||
across systems.
|
||
|
||
## Candidate Canonical Mappings
|
||
|
||
| NIST concept | Candidate canonical concept |
|
||
| --- | --- |
|
||
| Subscriber | Account / enrolled Identity Record |
|
||
| CSP / IdP | Issuer Scope + Trust Relationship |
|
||
| RP | Relying party Scope |
|
||
| IAL | Assurance Level (identity proofing) |
|
||
| AAL | Assurance Level (authentication) |
|
||
| FAL | Assurance Level (federation) |
|
||
| Authenticator | Credential |
|
||
| Binding | Identifier Binding / Synonymity Assertion |
|
||
| Proofing evidence | Evidence Source |
|
||
| Federation assertion | Claim + Credential (signed) |
|
||
| Claimant | Actor attempting authentication (projection) |
|
||
|
||
## Open Questions
|
||
|
||
- Should IAL/AAL/FAL be a unified Assurance Level vocabulary or three
|
||
orthogonal dimensions in canon?
|
||
- How should pseudonymous IAL1 subscribers map when no Natural Person binding
|
||
exists?
|
||
- Does guardian-assisted proofing for minors warrant a distinct Relationship
|
||
type with assurance caps?
|
||
- Should CSP subscriber ID be a Scoped Identifier under CSP Scope?
|
||
|
||
## References
|
||
|
||
- NIST SP 800-63-4 — https://pages.nist.gov/800-63-4/
|
||
- NIST SP 800-63A (Enrollment and Identity Proofing) — https://pages.nist.gov/800-63-4/sp800-63A.html
|
||
- NIST SP 800-63B (Authentication and Lifecycle) — https://pages.nist.gov/800-63-4/sp800-63B.html
|
||
- NIST SP 800-63C (Federation and Assertions) — https://pages.nist.gov/800-63-4/sp800-63C.html |