NISTIR 7817

From IDESG Wiki

Title: A Credential Reliability and Revocation Model for Federated Identities

URL: http://csrc.nist.gov/publications/drafts/nistir-7817/Draft-NISTIR-7817.pdf

Version: Draft

Date: November 2012

Author: NIST

Use Cases: Enterprise SSO, Two Party Delegation, Three Party Authentication, Four Party Authentication and Authorization, Blacklist, Reliability Scoring, Credential Revocation

Abstract

A large number of Identity Management Systems (IDMSs) are being deployed worldwide that use different technologies for the population of their users. With the diverse set of technologies, and the unique business requirements for organizations to federate, there is no uniform approach to the federation process. Similarly, there is no uniform method to revoke credentials or their associated attribute(s) in a federated community. In the absence of a uniform revocation method, this document seeks to investigate credential and attribute revocation with a particular focus on identifying missing requirements. This document first introduces and analyzes the different types of digital credentials and identifies missing revocation-related requirements for each model in a federated environment. As a second goal, and as a by-product of the analysis and recommendations, this paper suggests a credential reliability and revocation service that serves to address the missing requirements.

Terms Used (no actual glossary)

Identity Provider, user community, digital credential, digital identity, federated community, two-party model, three-party model, four-party model, enterprise SSO, two party delegation, service provider, third-party service, reporting service, blacklist, federation revocation service, single-source attribute provider, multi-source attribute provider, attribute aggregation, aggregation agent, uniform reliability and revocation service