Functional component terminology - thoughts
C. Tilton

IDE Functional Components

800-63 Model
Identity

NSTIC
• Digital Identity - a set of attributes that represent a subject in an online transaction.

800-63
• A set of attributes that uniquely describe a person within a given context.
Credential/Token

NSTIC
• Credential - the information objects used during a transaction to provide evidence of the subject’s identity. The credential may also provide a link to the subject’s authority, roles, rights, privileges, and other attributes.
• Credential medium - a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject.

800-63
• Credential - An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
• While common usage often assumes that the credential is maintained by the Subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the Subscriber’s token and identity.
• Token - Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity.
Identity Provider

NSTIC
• Responsible for establishing, maintaining, and securing the digital identity associated with that subject.
• These processes include revoking, suspending, and restoring the subject’s digital identity if necessary.
• The identity provider may also verify the identity of and sign up (enroll) a subject.
• Alternatively, verification and enrollment may be performed by a separate enrolling agent.

800-63
• Term not used.
Attribute Provider

NSTIC
• Responsible for the processes associated with establishing and maintaining identity attributes.
• Attribute maintenance includes validating, updating, and revoking the attribute claim.
• An attribute provider asserts trusted, validated attribute claims in response to attribute requests from relying parties.
• In certain instances, a subject may self-assert attribute claims to relying parties.
• Trusted, validated attributes inform relying parties’ decisions to authorize subjects.

800-63
• Term not used.
Credential Service Provider

NSTIC
• Term not used.

800-63
• A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.
• The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates.
• A CSP may be an independent third party, or may issue credentials for its own use.
Registration Authority

NSTIC
• Enrolling agent - verifies the identity of and signs up (enrolls) a subject.
• May be part of an IDP or separate.

800-63
• A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP.
• The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).
Verifier

NSTIC
• Term not used.

800-63
• An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol.
• To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
Relying Party

NSTIC
• Makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials and attributes.
• Within the Identity Ecosystem, a relying party selects and trusts the identity and attribute providers of its choice, based on risk and functional requirements.
• Relying parties are not required to integrate with all permutations of credential types and identity media. Rather, they can trust an identity provider’s assertion of a valid subject credential, as appropriate.
• Relying parties also typically need to identify and authenticate themselves to the subject as part of transactions in the Identity Ecosystem.
• Relying parties can choose the strength of the authentication and attributes required to access their services.

800-63
• An entity that relies upon the Subscriber’s token and credentials or a Verifier’s assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system.
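The 800-63 roles on the preceding slides (RA vouches for identity to the CSP; the CSP registers the token and issues the credential binding it to the identity; the Verifier proves possession of the token and checks the credential's status; the Relying Party acts on the Verifier's assertion) as an added, runnable Python sketch. This is not code from the slides or from NIST; the class names, the HMAC challenge-response token, the proofing rule and the subscriber "alice" are all illustrative assumptions. The point it makes that the definitions alone do not: token and credential are separate things, so a revoked credential denies access even though the token still answers the challenge correctly.

```python
# Added example (not from the slides or from NIST): a toy model of the
# 800-63 roles. All class names, the HMAC challenge-response token and the
# sample subscriber "alice" are illustrative assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    """Binds an identity (attributes) to a token reference; a record held by the CSP."""
    subscriber_id: str
    attributes: dict
    token_ref: str
    status: str = "active"  # or "suspended" / "revoked"


class RegistrationAuthority:
    """Establishes and vouches for the Subscriber's identity to the CSP."""

    def proof(self, evidence: dict) -> dict:
        # Constructed proofing rule: a name and a document number are required.
        if not evidence.get("name") or not evidence.get("doc_number"):
            raise ValueError("identity proofing failed")
        return {"name": evidence["name"]}


class CredentialServiceProvider:
    """Registers Subscriber tokens and issues credentials bound to them."""

    def __init__(self):
        self.credentials = {}    # token_ref -> Credential
        self.token_secrets = {}  # token_ref -> key shared with the token

    def enroll(self, subscriber_id: str, proofed_identity: dict):
        secret = secrets.token_bytes(32)
        token_ref = hashlib.sha256(secret).hexdigest()[:16]  # public handle, not the secret
        self.token_secrets[token_ref] = secret
        self.credentials[token_ref] = Credential(subscriber_id, proofed_identity, token_ref)
        return token_ref, secret  # the secret is provisioned into the Subscriber's token

    def revoke(self, token_ref: str) -> None:
        self.credentials[token_ref].status = "revoked"


class Token:
    """Something the Claimant possesses and controls: here a shared-secret module."""

    def __init__(self, token_ref: str, secret: bytes):
        self.token_ref = token_ref
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, "sha256").digest()


class Verifier:
    """Checks possession of the token (challenge-response) and credential status.
    Modelled as operated by the CSP, so it can see the registered token keys."""

    def __init__(self, csp: CredentialServiceProvider):
        self.csp = csp

    def authenticate(self, token_ref: str, responder):
        cred = self.csp.credentials.get(token_ref)
        if cred is None or cred.status != "active":
            return None  # no binding, or binding suspended/revoked
        nonce = os.urandom(16)
        expected = hmac.new(self.csp.token_secrets[token_ref], nonce, "sha256").digest()
        if not hmac.compare_digest(expected, responder(nonce)):
            return None  # claimant did not prove possession of the token
        return {"subscriber_id": cred.subscriber_id, "attributes": cred.attributes}


class RelyingParty:
    """Relies on the Verifier's assertion to grant or deny access."""

    def __init__(self, verifier: Verifier):
        self.verifier = verifier

    def decide(self, token_ref: str, responder) -> str:
        return "grant" if self.verifier.authenticate(token_ref, responder) else "deny"


def run_scenario() -> dict:
    """Enroll one constructed subscriber and exercise the success and failure paths."""
    ra, csp = RegistrationAuthority(), CredentialServiceProvider()
    rp = RelyingParty(Verifier(csp))
    identity = ra.proof({"name": "Alice Example", "doc_number": "X123"})  # constructed evidence
    token_ref, secret = csp.enroll("alice", identity)
    alice = Token(token_ref, secret)
    impostor = Token(token_ref, secrets.token_bytes(32))  # knows the ref, not the secret
    results = {"valid": rp.decide(token_ref, alice.respond),
               "wrong_token": rp.decide(token_ref, impostor.respond),
               "unknown_ref": rp.decide("no-such-ref", alice.respond)}
    csp.revoke(token_ref)
    results["revoked"] = rp.decide(token_ref, alice.respond)  # token still works, credential does not
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The Verifier never receives the token secret from the Claimant, only a response to a fresh nonce, which is what "possession and control" means in the 800-63 definition; the status check on the credential is a separate step, which is why the NSTIC identity-provider duties of suspending and revoking map onto the CSP's credential record rather than onto the token.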
Other possible functions/roles
• Identity repository
• Identity binding (of identity/attributes to a credential)
• Identity cross-validation