From IDESG Wiki

Title: FICAM Trust Framework Provider Adoption Process (TFPAP) For Levels of Assurance 1, 2, and Non-PKI 3

Category: Relying Party Policy

Date: 9/4/2009

Creator: ICAM


Description: Defines the process by which the government determines whether to approve Trust Frameworks for federal purposes. The process covers assessment package submission, value determination, comparability assessment and the adoption decision. For Levels of Assurance 1, 2, and non-PKI 3 (as defined in NIST SP 800-63), Identity Providers and TFPs demonstrate, in each of five categories (registration and issuance, tokens, token and credential management, authentication process, and assertions), how their practices compare to the Level of Assurance at which their credentials might be trusted by government applications. For Levels of Assurance 3 and 4, the document relies on the FBCA Cross-certification criteria and methodology (version 2.2 when published, now version 3.0).

Privacy: TFP member submissions are required to explain the TFP's privacy policy and requirements. Those are evaluated against the privacy criteria in Section 3.3. The criteria are (1) opt-in, i.e. positive confirmation from users before PII is disclosed, (2) for IdPs to share only the minimal set of attributes, (3) for IdPs to share records of user activity, (4) for IdPs to provide users with notice of PII disclosures and for use of PII to be non-compulsory, and (5) for PII to be protected after the termination of a service.

Security: The document is an information security policy.

Interoperability: The document promotes an interoperable approach to evaluating Trust Frameworks.

Terms: Adopted Authentication Scheme, Adoption, Approved Encryption Method, Assertion, Assertion Reference, Audit Criteria, Authentication, Authentication Protocol, Bearer Assertion, Biometric, Bona Fides, Certification, Claimant, Comparability, Confidentiality, Cross-certified, Cryptographic, Direct Assertion Model, E-authentication Credential, Entropy, Full Legal Name, Holder-of-key Assertion, Identity, Identity Proofing, Identity Provider, Indirect Assertion Model, Integrity, Issuance, Level Of Assurance, Min-entropy, Multi-factor Authentication, Multi-token Authentication, Network, Nonce, Non-repudiation, Out Of Band, Personal Identifying Information, Proof Of Possession Protocol, Pseudonym, Registration, Registration Authority, Relying Party, Salt, Sensitive Information, Shared Secret, Strong Man In The Middle Resistance, Strongly Bound Credentials, Subscriber, Threat, Token, Token Authenticator, Trust Criteria, Trust Framework, Trust Framework Provider, Verifier, Weak Man In The Middle Resistance, Weakly Bound Credentials