Credential Service Provider: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
 
(18 intermediate revisions by the same user not shown)
Line 1: Line 1:
Taxonomy Template:
Taxonomy Template:
==Proposed Definition==
==Definition==
#A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
A ''[[Trusted Entity]]'' that issues or registers subscriber authenticators and issues [verifications of] electronic credentials to subscribers. A CSP may be an independent third party or [it may] issue credentials for its own use.
#An entity that performs identity proofing, registration and issues some form of a subscriber token within some procedural context designed to convey a degree of trust.(Wallace)
#A trusted entity that issues credentials to Subscribers.(D'Agostino)


==Notes==
==Context==
TBD
* Each federation must establish rules for determining how a [[Trusted Entity]] will be accepted for inclusion in a registry by the federation's [[Accreditation Authority]]. (See details below for federation assurance.)
* In other words, each federation must understand what they mean by [[Trusted Entity]] as the CSP will have the authority to validate credentials under the federations rules.
* The slight change to the NIST wording was to meant to clarify that subscribers (or subjects) can create their own credentials is protected storage and ask the CSP to verify the security of those credentials.
* Federation Agreement = a document, or group of documents, that contain the agreed upon “rules” by which the federation operates.


== Sources ==
== Sources ==
TBD
# A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use. ([https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf NIST SP 800-63-3])/
# A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. (Original proposal from IDESG)
#An entity that performs identity proofing, registration and issues some form of a subscriber token within some procedural context designed to convey a degree of trust.(Wallace)
#A trusted entity that issues credentials to Subscribers.(D'Agostino)
# Credential Service Provider: an organization which provides the functions of an [electronic] Identity Proofing and Credential Management Service, either in full or as a discrete component (i.e., a sub-set of the functions). - Kantara IAWG


== Status ==
== Status ==
<span style="background: yellow">Proposed</span>
<span style="background: orange">Proposed Update</span>


== Details ==
* For basic levels of assurance the CSP can  provided verified attributes, but these should be treated by any relying party as self-asserted. (IAL1, AAL1 and FAL1)
* For higher levels of identity assurance the CSP must verify (IAL2) remote or (IAL3) physically present identity proofing, including pseudonymous identity.
* For higher levels of authentication assurance the CSP must verify proof of possession and control of (AAL2) two factors or (AAL3) a hardware-based authenticator of 2 factors.
* For higher levels of federation assurance the CSP must verify (FAL2) approved encryption or (FAL3) proof of possession and approved encryption.


==References==
==References==
* [https://pages.nist.gov/800-63-3/ NIST Digital Identity Guidelines]
* [https://kantarainitiative.org/identity-assurance-framework/ Kantara Identity Assurance Documents]
* [https://kantarainitiative.org/confluence/display/healthidassurance/File+Lists Kantara Health Identity Assurance Documents]
* [https://kantarainitiative.org/confluence/display/WT/Draft+Recommendations Kantara Federated Identites Documenst]


[[Category:Taxonomy]]
[[Category:Glossary]]
[[Category:Glossary]]
[[Category:Concept]]
[[Category:Concept]]

Latest revision as of 01:56, 15 May 2020

Taxonomy Template:

Definition

A Trusted Entity that issues or registers subscriber authenticators and issues [verifications of] electronic credentials to subscribers. A CSP may be an independent third party or [it may] issue credentials for its own use.

Context

  • Each federation must establish rules for determining how a Trusted Entity will be accepted for inclusion in a registry by the federation's Accreditation Authority. (See details below for federation assurance.)
  • In other words, each federation must understand what they mean by Trusted Entity as the CSP will have the authority to validate credentials under the federations rules.
  • The slight change to the NIST wording was to meant to clarify that subscribers (or subjects) can create their own credentials is protected storage and ask the CSP to verify the security of those credentials.
  • Federation Agreement = a document, or group of documents, that contain the agreed upon “rules” by which the federation operates.

Sources

  1. A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use. (NIST SP 800-63-3)/
  2. A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. (Original proposal from IDESG)
  3. An entity that performs identity proofing, registration and issues some form of a subscriber token within some procedural context designed to convey a degree of trust.(Wallace)
  4. A trusted entity that issues credentials to Subscribers.(D'Agostino)
  5. Credential Service Provider: an organization which provides the functions of an [electronic] Identity Proofing and Credential Management Service, either in full or as a discrete component (i.e., a sub-set of the functions). - Kantara IAWG

Status

Proposed Update

Details

  • For basic levels of assurance the CSP can provided verified attributes, but these should be treated by any relying party as self-asserted. (IAL1, AAL1 and FAL1)
  • For higher levels of identity assurance the CSP must verify (IAL2) remote or (IAL3) physically present identity proofing, including pseudonymous identity.
  • For higher levels of authentication assurance the CSP must verify proof of possession and control of (AAL2) two factors or (AAL3) a hardware-based authenticator of 2 factors.
  • For higher levels of federation assurance the CSP must verify (FAL2) approved encryption or (FAL3) proof of possession and approved encryption.

References