ITU-T X.1254 | ISO/IEC 29115 An Overview of the Entity Authentication Assurance Framework
Current Status
• Goal is 2012 publication of X.1254 | ISO/IEC 29115 by both SDOs
• Currently:
  • Undergoing balloting at ISO for Draft International Standard (DIS)
  • Expected to be “Determined” at ITU-T in February
• ITU-T Editor: Dick Brackney, Microsoft
• ISO Editor: Erika McCallister, NIST
Background
• Challenge: Protect system security and individual privacy during e-authentication over open networks.
• Approach: Provide an appropriate level of assurance for those transactions that require e-authentication.
• Based on NIST SP 800-63, e-Authentication Guidelines, June 2006
• Implementation: Five Step Process
Five Step Process
• Conduct a risk assessment
• Map identified risks to the appropriate assurance level
• Select appropriate controls
• Validate that the implemented controls have met the required assurance level
• Periodically re-assess to determine technology refresh requirements
Contents
• Scope
• Normative References
• Definitions
• Abbreviations
• Conventions
• Levels of Assurance
• Actors
• Entity Authentication Assurance Framework Phases
• Management and Organizational Considerations
• Threats and Controls
• Service Assurance Criteria
Clause 1 - Scope
• This Recommendation | International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it:
  • specifies four levels of entity authentication assurance;
  • specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance;
  • provides guidance for mapping other authentication assurance schemes to the four LoAs;
  • provides guidance for exchanging the results of authentication that are based on the four LoAs; and
  • provides guidance concerning controls that should be used to mitigate authentication threats.
Clause 6 - LoAs
• Describes 4 Levels of Assurance (LoAs)
Clause 7 - Actors
• Entity
• Credential Service Provider (CSP)
• Registration Authority (RA)
• Relying Party (RP)
• Verifier
• Trusted Third Party (TTP)
Clause 8 - EAAF
Technical:
• Enrolment phase
  • Application and initiation
  • Identity proofing
  • Identity verification
  • Record-keeping/recording
  • Registration
• Credential management phase
  • Credential creation
  • Credential pre-processing
  • Credential initialization
  • Credential binding
  • Credential issuance
  • Credential activation
  • Credential storage
  • Credential suspension, revocation, and/or destruction
  • Credential renewal and/or replacement
  • Record-keeping
• Entity authentication phase
  • Authentication
  • Record-keeping
Management & Organizational:
• Service establishment
• Legal and contractual compliance
• Financial provisions
• Information security management and audit
• External service components
• Operational infrastructure
• Measuring operational capabilities
(The slide diagram also carries the labels “Normative” and “Informative”.)
Clause 10 Threats and Controls are organized around these processes.
Clause 9 – Management and Organizational Considerations
• Service Establishment
• Legal and Contractual Compliance
• Financial Provisions
• Information Security Management and Audit
• External Service Components
• Operational Infrastructure
• Measuring Operational Capabilities
Clause 10 – Threats and Controls
• Organized by phase and process of the EAAF
• For humans and non-person entities (NPEs)
Clause 11 – Service Assurance Criteria
• Trust framework operators that seek to comply with this Framework shall establish specific criteria fulfilling the requirements of each LoA that they intend to support and shall assess the CSPs that claim compliance with the Framework against those criteria. Likewise, CSPs shall determine the LoA at which their services comply with this Framework by evaluating their overall business processes and technical mechanisms against specific criteria.
Questions?
• Contact Information
  • ITU-T Editor: Dick Brackney, dibrack@microsoft.com
  • ISO Editor: Erika McCallister, erika.mccallister@nist.gov