Global Authentication: Liberty Alliance Identity Assurance Framework
Global Authentication: Liberty Alliance Identity Assurance Framework
Brett McDowell, Executive Director, Liberty Alliance
brett@projectliberty.org, phone: +1.413.652.1248

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

Why was Liberty Alliance Formed?
Identity is important and complex. We must deliver clarity, or the industry will become more fractured and governments will intervene.
Foster the ubiquitous, open, interoperable, privacy-respecting identity layer (holistic identity management): Liberty represents all constituencies toward this objective (vendors, enterprise, government, universities, SMEs, etc.)
Develop a standards-based model to:
  Interoperate in heterogeneous environments
  Avoid proprietary vendor lock-in
  Provide a flexible foundation for future growth
  Scale to the WWW
  Deliver consumer and enterprise confidence that security, privacy and data integrity will be maintained

Liberty's Global Membership
150 diverse member companies and organizations representing leaders in IT, mobility, government, service provision, system integration and finance, working collaboratively to address the technology, business and policy aspects of digital identity management.
Management Board; Sponsors (member logos)

Liberty Focus (04/17/08)
Technology Standards and Guidelines; Business and Privacy Guidelines; Assurance (Identity Assurance Framework and Assessors)
An Ecosystem of Interoperable Products and Services

Some Liberty Achievements
  The de-facto standard for Identity Federation (SAML 2.0)
  Standard framework for secure Web Services (ID-WSF 2.0)
  Published case studies of successful deployments (17 verticals)
  EAP merger and Identity Assurance Framework public draft
  GSA joins those requiring Liberty Interoperable™ testing
  Concordia Project standards harmonisation demo at RSA
  openLiberty.org Web Services Client (Java) beta release
  Completed requirements for Strong Authentication (ID-SAFe)
  Initiated Identity Governance Framework (IGF) specification
  Finalized Advanced Client specification for device provisioning

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

Issues Remain to be Solved
  The world of identity is too complex for its own good.
  Individuals and commercial entities need simplicity in achieving what they want to do securely, privately, and confidently.
  In order to grow outside the enterprise (federate the federations), the identity marketplace needs an open, scalable, trustworthy, commercially viable solution.

The General Ecology (diagram): identity assertion and identity reliance flow between Commercial, Communication Networks, Financial, Government, Institutions, Industry, Employers, Family/Friends, People, Entities, Machines, and more.

Getting more complex all the time ...

There needs to be a Consistent and Clear Customer Experience

Focus on Identity Assurance

Identity Assurance Expert Group (IAEG)
  Formed in 2007 to foster adoption of identity assurance services
  Initial contributions from EAP and the U.S. E-Authentication Federation
  Objective is to create a framework of baseline policies, business rules and commercial terms against which identity assurance services can be assessed and certified
  Initial goal is to facilitate broad, uniform, interoperable, trusted identity federation practices across identity service providers, aka credential service providers (CSPs)
  Desired result is operational streamlining of identity service provider certification and accreditation processes for the entire industry

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

IAF Assurance Levels: Policy Overview
  The level of trust associated with a credential is measured by the strength and rigor of the identity-proofing process, the inherent strength of the credential, and the policy and practice statements employed by the CSP.
  Four Primary Levels of Assurance:
    Level 1 – little or no confidence in the asserted identity's validity
    Level 2 – some confidence
    Level 3 – high level of confidence
    Level 4 – very high level of confidence
  The Assurance Level to use is determined by the level of authentication necessary to mitigate risk in the transaction, as determined by the Relying Party (RP).
  CSPs are certified by Federation Operators (FOs) to a specific Level(s).

IAF Assurance Levels in Detail
Assurance level criteria as posited by OMB M-04-04 and NIST Special Publication 800-63:
  Level 1 (e.g. registration to a news website)
    Satisfied by a wide range of technologies, including PINs
    Does not require use of cryptographic methods
  Level 2 (e.g. change of address by beneficiary)
    Single-factor remote network authentication
    Claimant must prove control of the token through a secure authentication protocol
  Level 3 (e.g. online access to a brokerage account)
    Multi-factor remote network authentication
    Authentication by keys through a cryptographic protocol
    Tokens can be "soft", "hard" or "one-time password"
  Level 4 (e.g. distribution of controlled drugs)
    Multi-factor remote authentication through "hard" tokens
    Transactions are cryptographically authenticated using keys bound to the authentication process

Assurance in Action

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

IAF Service Assessment Criteria (SAC)
  Common Organization SAC - the general business and organizational conformity of services and their providers: enterprise maturity; information security management; operational infrastructure, etc.
  Identity Proofing SAC - the functional conformity of identity proofing services: identity verification; verification records
  Credential Management SAC - the functional conformity of credential management services and their providers: operating environment; issuance; revocation; status management; validation/authentication

Assurance level criteria as posited by OMB M-04-04 and NIST Special Publication 800-63, by example and assurance level:

AL 1 - Example: registration to a news website
  Assessment Criteria - Organization: minimal organizational criteria
  Assessment Criteria - Identity Proofing: minimal criteria; self assertion
  Assessment Criteria - Credential Management: PIN and password

AL 2 - Example: change of address of record by beneficiary
  Assessment Criteria - Organization: moderate organizational criteria
  Assessment Criteria - Identity Proofing: moderate criteria; attestation of government ID
  Assessment Criteria - Credential Management: single factor; prove control of token through authentication protocol

AL 3 - Example: access to an online brokerage account
  Assessment Criteria - Organization: stringent organizational criteria
  Assessment Criteria - Identity Proofing: stringent criteria; stronger attestation and verification of records
  Assessment Criteria - Credential Management: multi-factor authentication; cryptographic protocol; "soft", "hard" or "OTP" tokens

AL 4 - Example: dispensation of a controlled drug or a $1mm bank wire
  Assessment Criteria - Identity Proofing: more stringent criteria; stronger attestation and verification
  Assessment Criteria - Credential Management: multi-factor authentication with hard tokens only; cryptographic protocol with keys bound to the authentication process
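As an added example (not from the Liberty Alliance deck), the following Python models a relying party's decision using the assurance levels above: the credential-management rules follow the Level 1 to 4 criteria on the slides, while the org and identity-proofing levels are taken as given by the assessor. Combining the three SAC areas by taking the weakest one, the Credential fields and the REQUIRED_LEVEL mapping are this example's assumptions, not text from the deck.

```python
"""Added example: relying-party assurance check modelled on the IAF levels.
Assumption: a CSP is certified no higher than its weakest SAC area."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    factors: int              # 1 = single factor, 2 or more = multi-factor
    token: str                # "password", "soft", "otp" or "hard"
    crypto_protocol: bool     # control of the token proven via a secure/crypto protocol
    keys_bound_to_auth: bool  # transaction keys bound to the authentication process


def credential_level(c: Credential) -> int:
    """Highest AL the credential-management criteria on the slides allow."""
    if c.factors >= 2 and c.token == "hard" and c.crypto_protocol and c.keys_bound_to_auth:
        return 4  # Level 4: multi-factor, hard token, keys bound to the auth process
    if c.factors >= 2 and c.crypto_protocol and c.token in ("soft", "hard", "otp"):
        return 3  # Level 3: multi-factor, keys through a cryptographic protocol
    if c.crypto_protocol:
        return 2  # Level 2: single factor, control of token proven by a secure protocol
    return 1      # Level 1: PIN/password, no cryptographic method required


def certified_level(org_level: int, proofing_level: int, c: Credential) -> int:
    """Assumption (not on the slides): the CSP's certifiable level is the minimum
    over the Organization, Identity Proofing and Credential Management SAC."""
    return min(org_level, proofing_level, credential_level(c))


# Levels the RP requires for the transaction examples named on the slides.
# The RP chooses these from its own risk assessment; the keys are constructed.
REQUIRED_LEVEL = {
    "news_site_registration": 1,
    "beneficiary_change_of_address": 2,
    "online_brokerage_access": 3,
    "controlled_drug_dispensation": 4,
}


def rp_accepts(transaction: str, csp_level: int) -> bool:
    """Accept an assertion only from a CSP certified at or above the required AL."""
    return csp_level >= REQUIRED_LEVEL[transaction]


if __name__ == "__main__":
    # Constructed scenario: a strong hard-token credential from a CSP whose
    # identity proofing was assessed only at AL 2 is worth AL 2 to the RP.
    hard = Credential(factors=2, token="hard", crypto_protocol=True, keys_bound_to_auth=True)
    level = certified_level(3, 2, hard)
    print(level, rp_accepts("online_brokerage_access", level))  # 2 False
```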

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

IAF Business Rules
  Focused on the use of credentials for authentication, initially targeting CSPs
  Liberty Alliance Project (LAP) provides accreditation of assessors who will perform certification assessments
  Federation Operators will require LAP-accredited assessments
  IAF provides guidelines for how all involved parties (relying parties, CSPs and Federation Operators) may work together
  LAP will maintain the Identity Assurance Framework and provide a current list of accredited assessors

IAF Certification Model
  Program for assessors to become accredited
  Provides candidate CSPs with guidelines for certifying against the IAF
  Enables Federation Operators to certify members against a common industry framework and assessment practices
  Liberty Alliance to define and provide governance over the accreditation process
  Phase one certification process is for CSPs as defined in the IAF

Agenda: Introduction, State of the Market, Levels of Assurance, Assessment Criteria, Process, Conclusions

Roadmap
  Phase One of Certification Program for CSPs/IDPs, ratified in Identity Assurance Framework v1.0 FINAL (Q2 2008)
  Launch Accreditation Program to enable the Certification model and spur the market (mid-2008)
  Introduce IAF Suite: documentation to support the IAF
  Scope and define Phase 2: IAF Version 2.0 to focus on Federation Operators (begins Q3 2008)
  Best Practices / Usage Guidelines document for Relying Parties

References (Contributions to the IAF standard)
  EAP Trust Framework: http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf
  OMB e-Authentication Guidance (OMB M-04-04): http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
  NIST Special Publication 800-63 Version 1.0.1: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
  Authentication Service Component Interface Specifications: http://www.cio.gov/eauthentication/documents/TechApproach.pdf
  GSA Credential Assessment Framework, Password CAP, Certificate CAP and Entropy Spreadsheet: http://www.cio.gov/eauthentication/documents/PasswordCAP.pdf
  tScheme: http://www.tscheme.org/profiles/index.html
  TSCP: http://tscp.org/about.htm

Getting Involved
  Liberty Alliance Identity Assurance Expert Group (Liberty Alliance membership is required): http://www.projectliberty.org/liberty/membership/become_a_member
  Identity Assurance Special Interest Group (Liberty Alliance membership is not required): http://wiki.projectliberty.org/index.php/IASIG
  Identity Assurance Framework for Review and Comment: http://www.projectliberty.org/liberty/content/download/3736/24651/file/liberty-identity-assurance-framework-v1.0.pdf

Thank You. Any Questions? Please get involved!