The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.


1 The Federal E-Authentication Initiative
David Temoshok
Director, Identity Policy
GSA Office of Governmentwide Policy
February 12, 2004
The E-Authentication Initiative

2 The Starting Place: Key Policy Points
• No National ID.
• No National unique identifier.
• No central registry of personal information, attributes, or authorization privileges.
• Different authentication assurance levels are needed for different types of transactions.

3 E-Authentication Goals
• Build and enable mutual trust needed to support widespread use of electronic interactions between the public and Government, and across Governments
• Minimize the burden on public when obtaining trusted electronic services from the Government, and across the governments
• Deliver common interoperable authentication solutions, appropriately matching the levels of risk and business needs

4 E-Authentication Key Building Blocks
[Diagram labels:]
• eAuthentication Technical Approach
• E-Authentication Mission
• OMB-04-04 e-Authentication Guidance for Federal Agencies
• NIST Spec Pub 800-63 Recommendation for Electronic Authentication
• Strategic Business & Finance Plans
• E-RA, PIA, and C&A reviews
• Accredited CSP Trust List
• CAF
• SAML
• PKI
• Other Tech Specs
• Adopted Federated Identity Schemes

5 Central Issue with Federated Identity – Who do you Trust?
[Diagram labels, by sector:]
• Governments: Federal, States/Local, International
• Higher Education: Universities, Higher Education PKI Bridge
• Healthcare: American Medical Association, Patient Safety Institute
• Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
• E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay Trust Network
• Financial Services Industry: Home Banking, Credit/Debit Cards
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

6 The Need for Federated Identity Trust and Business Models
• Technical issues for sharing identities are being solved
• Trust is critical issue for deployment of federated identity
  - Federated ID networks have strong need for trust assurance standards
    - How robust are the identity verification procedures?
    - How strong is this shared identity?
    - How secure is the infrastructure?
• Common business rules are needed for federated identity to scale
  - N² bi-lateral trust relationships is not a scalable business process
  - Common business rules are needed to define:
    - Trust assurance and credential strength
    - Roles and responsibilities of CSPs and relying parties
    - Liabilities
    - Business relationship costs
• Federal e-Authentication Initiative will provide trust framework to integrate (policy, technology, business relationships) across disparate and independent identity systems

7 Authentication Assurance Levels
• M-04-04: E-Authentication Guidance for Federal Agencies establishes 4 authentication assurance levels
• NIST SP 800-63 Electronic Authentication: NIST technical guidance to match technology implementation to a level
Levels:
• Level 1: Little or no confidence in asserted identity (e.g. self identified user/password)
• Level 2: Some confidence in asserted identity (e.g. PIN/Password)
• Level 3: High confidence in asserted identity (e.g. digital cert)
• Level 4: Very high confidence in the asserted identity (e.g. Smart Card)

8 OMB Authentication Guidance
• M-04-04 signed by OMB Director on 12/16/2003
• Supplements OMB Guidance on implementation of GPEA
• Establishes 4 identity authentication assurance levels
• Requires agencies to conduct “e-authentication risk assessments”
Result: A more consistent application of electronic authentication across the Federal Government

9 NIST SP 800-63: Recommendation for Electronic Authentication
• Maps to OMB E-Authentication guidance
• Covers conventional token based remote authentication
  - May be additional guidance on “knowledge based authentication”
• Draft for comment at: http://csrc.nist.gov/eauth
• Comment period ends: March 15

10 Part of a Larger Policy Framework
[Diagram labels, policy components:]
• Federal Identity Credentialing Component
• Credential Assessment Framework
• Federal PKI Bridge Certificate Policy
• NIST Authentication Technical Guidance
• E-Authentication Guidance for Federal Agencies
[Diagram labels, status notes:]
• FINAL: OMB M-04-04, December 16, 2003
• SP800-63, Out for Comment Jan 29, 2004, Expected Final April 2004
• Expected final March 04
• Interim version now final and posted on Web
• Policies Ongoing

11 e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels for Governmentwide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use
6. Establish common business rules for use of trusted 3rd-party credentials

12 The CAF Suite for Assessing Credentials
[Diagram labels:]
• Credential Assessment Framework (CAF)
• Credential Assessment Guide (CAG)
• Credential Assessment Profiles (CAPs): PINs, Passwords, PKI
Based on OMB policy and NIST Technical guidance, the CAF establishes the structured means for providing assurances to Federal agencies regarding the veracity and dependability of identity credentials and tokens. The CAF provides structured procedures for conducting the assessment of CSPs and credentials. The CAPs establish the assessment criteria for each type of credential technology (e.g., PIN, password, PKI).

13 e-Authentication Trust and Interoperability
The e-Authentication Initiative acts as Trust Broker to provide Trust Assurance services for Fed Agencies:
• Manages relations among Agency Applications (relying parties) and Credential Service Providers (issuers)
• Administers Authentication policy Framework
• Establishes and administers common business rules for the relationships among the parties
• Administers common interface specs
• Performs credential assessments
• Authorizes CSPs on trust list according to standardized assurance levels
• Provides C&A and regular audit & ensures compliance
[Diagram labels: Trust Broker; CSP; AA; Common Policies & Business Rules; Common Interface Specs; Policy, Technical, & Business Interoperability]

14 The Need for the Electronic Authentication Partnership
[Diagram labels:]
• Parties: Federal Government, State/Local Governments, Industry
• Policy: Authentication Assurance levels, Credential Profiles, Accreditation, Business Rules, Privacy Principles
• Technology: Adopted schemes, Common specs, User Interfaces, APIs, Interoperable COTS products, Authz support
• Commercial Trust Assurance Services
• Policy, Technical, & Business Interoperability
• Common Business and Operating Rules
• CSP, RP
http://www.eapartnership.org/

15 For More Information
David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov
Websites:
• http://cio.gov/eauthentication
• http://www.eapartnership.org/
• http://cio.gov/fpkipa

