Posted by Scott Shorter, Vice President, Security
We are excited to review the updated public draft of NIST 800-63, now titled the Digital Authentication Guideline (DAG). This document was previously called the Electronic Authentication Guideline; Revision 2 of that document (NIST 800-63-2) is the current guideline from NIST to the Federal Government. The intent of the document is to define requirements for establishing trust in online transactions between the government and other entities. Prior revisions consisted of minor updates, whereas this draft represents a reorganization and major overhaul of the document.
The guidelines define how to correctly implement what security industry professionals refer to as the security function Identification and Authentication: the overall set of mechanisms that establish the identity of users and of the processes acting on their behalf. Since the days of the TCSEC, the 1983 "Orange Book", Identification and Authentication has been a fundamental mechanism that must be present to establish trust in systems. Security models require individual accountability as the basis for good behavior; in turn, proper accountability requires an established baseline of trust in the processes that underlie the transactions.
We are glad to see that the significant changes in this revision include a restructuring that reflects attention to the IETF Vectors of Trust internet draft. That document provides a conceptual approach to expressing identity assurance as several separately measured components rather than as the rigid, bundled sets of requirements stipulated in the Levels of Assurance (LOAs) defined under OMB Memorandum M-04-04. The DAG authors mapped the new requirements to the old LOAs for purposes of backwards compatibility. We anticipate that the policy foundation in the OMB memo will also require revision in order to accommodate such flexibility.
We are certainly well aware, through our work on the Kantara Identity Initiative Working Group amongst others, of previous efforts to break up the LOAs. We applaud this latest and significant development. However, we believe that the draft does not take the additional critical step of using the new, more flexible model to express alternatives to the policy structure implicit in earlier versions. This is not meant as a negative criticism of the existing work, but as a starting point for sculpting it into an even better final product. For example, the work of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is mentioned briefly in the introduction but does not appear to have been incorporated to any great degree. We believe the guidelines would be improved by including privacy-enhancing features among the requirements, in accordance with the first NSTIC principle of privacy-enhancing voluntary identity systems.
Case in point: the document continues to define a pseudonym as "a false name", and forbids its use at higher levels of assurance. This necessity to provide a full name whenever doing business with the government is at odds with the Fair Information Practice Principles (FIPPs), which call for data minimization where possible, and results in personally identifiable information (PII) being stored widely throughout Federal government databases. Consider the scenario in which an individual obtains credentials that identify them with a reversible pseudonym, so that they can conduct their affairs with some privacy while still being accountable in the event that they misuse their privileges. The PII is then concentrated in fewer places, the service provider establishes procedures whereby authorized individuals can obtain full names from pseudonyms, and individuals can operate in a privacy-enhanced manner. But such an approach cannot even be discussed in the terminology of the guideline with the current definitions.
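To make the reversible-pseudonym scenario concrete, here is an added illustration (our own sketch, not text or code from the NIST draft) in which a credential service provider issues keyed-hash pseudonyms, relying parties store only those pseudonyms, and re-identification is an explicit, audited procedure limited to authorized parties. The class and role names are assumptions for the illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class CredentialServiceProvider:
    """Issues pseudonyms and holds the ONLY copy of the pseudonym -> name mapping."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    escrow: dict = field(default_factory=dict)      # pseudonym -> full name
    audit_log: list = field(default_factory=list)   # every reversal attempt

    def issue_pseudonym(self, full_name: str) -> str:
        # Keyed hash: stable for a subscriber, but a relying party without the
        # key can neither recover nor confirm a name from the pseudonym alone.
        digest = hmac.new(self.key, full_name.encode(), hashlib.sha256).hexdigest()
        pseudonym = digest[:32]
        self.escrow[pseudonym] = full_name
        return pseudonym

    def reidentify(self, pseudonym: str, requester: str, authorized: set) -> str:
        # Reversal is a deliberate procedure: authorization is checked first and
        # the attempt is logged whether or not it succeeds.
        if requester not in authorized:
            self.audit_log.append(("DENIED", requester, pseudonym))
            raise PermissionError("requester not authorized to reverse pseudonym")
        self.audit_log.append(("REVEALED", requester, pseudonym))
        return self.escrow[pseudonym]


@dataclass
class RelyingParty:
    """Records transactions against pseudonyms only; no PII lands in its store."""
    records: dict = field(default_factory=dict)

    def record_transaction(self, pseudonym: str, detail: str) -> None:
        self.records.setdefault(pseudonym, []).append(detail)

    def holds_only_pseudonyms(self) -> bool:
        # Every key is a 32-char hex string from the CSP, never a name.
        return all(len(k) == 32 and all(c in "0123456789abcdef" for c in k)
                   for k in self.records)
```

Data minimization falls out of the split: the relying party can be breached without exposing a single name, while accountability survives through the audited escrow at the provider.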
Another example, the question of what identity proofing data should be stored, illustrates the frequently encountered tension between privacy and security. Prior iterations of the document were clearly on the security side of the question, with maximum data retention being the standard. Privacy regulations of course call for informing the subscriber that their PII has been captured for identity proofing and will be stored for 10.5 years, but this low bar of "disclose your terrible privacy practices" has been considered insufficient for years. The note in Section 6.1.2 implies that the authors are open to alternate approaches, but this issue will require close attention to get right and satisfy all stakeholders.
Stakeholders and industry thought leaders gathered at NIST in January 2016 to participate in a workshop on "Applying Measurement Science in the Identity Ecosystem." The release of three white papers on the topic preceded the event; all of them articulated the commendable goal of improving the reliability of the measurements of identity confidence that are currently in use. There was much valuable discussion in the panels and in the breakout sessions. We are hopeful that the results of the workshop will be documented in some form, so that identity industry professionals can benefit from the valuable discussion and recommendations that came out of it.
With these initial remarks out of the way, let us again praise NIST for the hard work in overhauling both the document and the process of gathering comments. We are looking forward to working with NIST and the community to improve this important foundational document.
In that vein, we are preparing an index of recommendations based upon what we learned from the workshop and the changes in the DAG and the upcoming third revision. In doing so, we can help support your organization in adjusting to the updated requirements. Additionally, we will continue to provide insight into related areas such as privacy and pseudonymity in upcoming blogs; stay tuned!