Published by Bartholomew Wilkerson. Modified over 9 years ago.
Slide 1: ITU-T X.1254 | ISO/IEC 29115: An Overview of the Entity Authentication Assurance Framework
Slide 2: Current Status
Goal is 2012 publication of X.1254 | ISO/IEC 29115 by both SDOs.
Currently:
–Undergoing balloting at ISO for Draft International Standard (DIS)
–Expected to be “Determined” at ITU-T in February
ITU-T Editor: Dick Brackney, Microsoft
ISO Editor: Erika McCallister, NIST
Slide 3: Background
Challenge: Protect system security and individual privacy during e-authentication over open networks.
Approach: Provide an appropriate level of assurance for those transactions that require e-authentication.
Based on NIST SP 800-63, e-Authentication Guidelines, June 2006.
Implementation: Five Step Process
Slide 4: Five Step Process
1. Conduct a risk assessment.
2. Map the identified risks to the appropriate assurance level.
3. Select appropriate controls.
4. Validate that the implemented controls have met the required assurance level.
5. Periodically re-assess to determine technology refresh requirements.
Slide 5: Contents
1. Scope
2. Normative References
3. Definitions
4. Abbreviations
5. Conventions
6. Levels of Assurance
7. Actors
8. Entity Authentication Assurance Framework Phases
9. Management and Organizational Considerations
10. Threats and Controls
11. Service Assurance Criteria
Slide 6: Clause 1 - Scope
This Recommendation | International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it:
–specifies four levels of entity authentication assurance;
–specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance;
–provides guidance for mapping other authentication assurance schemes to the four LoAs;
–provides guidance for exchanging the results of authentication that are based on the four LoAs; and
–provides guidance concerning controls that should be used to mitigate authentication threats.
Slide 7: Clause 6 - LoAs
Describes 4 Levels of Assurance (LoAs):
Level         | Description
1 – Low       | Little or no confidence in the asserted identity
2 – Medium    | Some confidence in the asserted identity
3 – High      | High confidence in the asserted identity
4 – Very high | Very high confidence in the asserted identity
Slide 8: Clause 7 - Actors
–Entity
–Credential Service Provider (CSP)
–Registration Authority (RA)
–Relying Party (RP)
–Verifier
–Trusted Third Party (TTP)
Slide 9: Clause 8 - EAAF
Technical phases:
Enrolment phase
–Application and initiation
–Identity proofing
–Identity verification
–Record-keeping
–Registration
Credential management phase
–Credential creation
–Credential pre-processing
–Credential initialization
–Credential binding
–Credential issuance
–Credential activation
–Credential storage
–Credential suspension, revocation, and/or destruction
–Credential renewal and/or replacement
–Record-keeping
Entity authentication phase
–Authentication
–Record-keeping
Management & Organizational:
–Service establishment
–Legal and contractual compliance
–Financial provisions
–Information security management and audit
–External service components
–Operational infrastructure
–Measuring operational capabilities
Legend: Normative / Informative
Clause 10 Threats and Controls are organized around these processes.
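The credential management processes and the entity authentication phase listed above have an implied order, and the authentication phase depends on the credential's current state. The following is an added example, not code from the deck or from X.1254 | ISO/IEC 29115 itself: it models the credential lifecycle as a small state machine with record-keeping. The state names, the allowed transitions, the log format and the sample identifiers are assumptions made for this example; the standard names the processes, not this code.

```python
"""Credential lifecycle and authentication check, as an added example (not
part of the deck or of X.1254 | ISO/IEC 29115 itself).

Models the Clause 8 credential management processes and the entity
authentication phase as a small state machine with record-keeping. The
state names, the allowed transitions and the log format are assumptions
made for this example; the standard names the processes, not this code.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    CREATED = "created"      # after creation / pre-processing / initialization
    BOUND = "bound"          # after binding to the entity
    ISSUED = "issued"        # delivered but not yet usable
    ACTIVE = "active"        # activated: the only state that can authenticate
    SUSPENDED = "suspended"  # temporarily unusable, may be reinstated
    REVOKED = "revoked"      # terminal: revocation or destruction


# Assumed transition table: process -> (states it may start from, state it leads to).
TRANSITIONS = {
    "bind":     ({State.CREATED}, State.BOUND),
    "issue":    ({State.BOUND}, State.ISSUED),
    "activate": ({State.ISSUED, State.SUSPENDED}, State.ACTIVE),
    "suspend":  ({State.ACTIVE}, State.SUSPENDED),
    "renew":    ({State.ACTIVE}, State.ACTIVE),      # renewal/replacement keeps it active
    "revoke":   ({State.ISSUED, State.ACTIVE, State.SUSPENDED}, State.REVOKED),
}


@dataclass
class Credential:
    entity_id: str
    state: State = State.CREATED
    # Record-keeping: every attempted process and authentication is logged,
    # including the ones that are refused.
    records: list[tuple[str, str, str, str]] = field(default_factory=list)

    def apply(self, process: str, actor: str) -> State:
        """Run one credential-management process on behalf of `actor` (e.g. the CSP)."""
        allowed, target = TRANSITIONS[process]
        if self.state not in allowed:
            self.records.append((process, actor, self.state.value, "refused"))
            raise ValueError(f"{process!r} is not allowed from state {self.state.value!r}")
        self.records.append((process, actor, self.state.value, target.value))
        self.state = target
        return target

    def authenticate(self, verifier: str) -> bool:
        """Entity authentication phase: the verifier only accepts an active credential."""
        ok = self.state is State.ACTIVE
        self.records.append(("authenticate", verifier, self.state.value,
                             "success" if ok else "failure"))
        return ok


def provision(entity_id: str, csp: str = "csp") -> Credential:
    """Walk a new credential from creation through binding and issuance to activation."""
    cred = Credential(entity_id)
    for process in ("bind", "issue", "activate"):
        cred.apply(process, csp)
    return cred


if __name__ == "__main__":
    cred = provision("entity-42")        # constructed identifier
    print("after provisioning:", cred.state.value, "auth ok:", cred.authenticate("verifier"))
    cred.apply("suspend", "csp")
    print("while suspended: auth ok:", cred.authenticate("verifier"))
    cred.apply("activate", "csp")        # reinstatement from suspension
    cred.apply("revoke", "csp")
    try:
        cred.apply("activate", "csp")    # revocation is terminal
    except ValueError as exc:
        print("refused:", exc)
    for rec in cred.records:
        print("  record:", rec)
```

Two properties of the model carry the security point: a suspended or revoked credential fails authentication without any special-casing in the verifier, because only the active state authenticates; and refused transitions are logged as well as successful ones, which is what the record-keeping process in each phase exists for.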
Slide 10: Clause 9 – Management and Organizational Considerations
–Service Establishment
–Legal and Contractual Compliance
–Financial Provisions
–Information Security Management and Audit
–External Service Components
–Operational Infrastructure
–Measuring Operational Capabilities
Slide 11: Clause 10 – Threats and Controls
–Organized by phase and process of the EAAF
–For humans and non-person entities (NPEs)
Slide 12: Clause 11 – Service Assurance Criteria
Trust framework operators that seek to comply with this Framework shall establish specific criteria fulfilling the requirements of each LoA that they intend to support and shall assess the CSPs that claim compliance with the Framework against those criteria. Likewise, CSPs shall determine the LoA at which their services comply with this Framework by evaluating their overall business processes and technical mechanisms against specific criteria.
Slide 13: Questions?
Contact Information
–ITU-T Editor: Dick Brackney, dibrack@microsoft.com
–ISO Editor: Erika McCallister, erika.mccallister@nist.gov