Wednesday, January 25, 2006

imho The Great Chain of Identity Assurances

All:

Strong end-to-end assurance is the foundation of trusted e-business and regulatory compliance. Assurance is a concept that can and should be applied to the whole of identity and trust management, including the new worlds of federated identity management (IdM) and federated data interchange, though it has historically been defined primarily in the electronic authentication and PKI worlds.

Traditionally, security professionals have defined assurance in terms of discrete “levels” that PKI and other credentials providers implement in their technical and business models. In that context, assurance levels—either enumerated (e.g., levels one through four) or named (e.g., basic, medium, high)—refer to a constellation of processes, protocols, formats, infrastructures, and other safeguards and controls implemented by certificate authorities, registration authorities, and other roles within an identity, trust, and security environment.

Organizations should describe their supported identity-assurance levels in published identity policy and practice statements. Vertical industry sectors should strongly consider defining standard federated identity policy and practice statement formats and rules that are applicable to all firms doing business in those markets. Furthermore, vertical sectors should consider relying on trusted third parties to vet and certify organizations’ published federated identity policy and practice statements for compliance with accepted standards. In this way, all trading partners in a particular industry might be able to rely more thoroughly on the trustworthiness of each other’s federated IdM “claims,” “tokens,” or “assertions,” knowing that all participants’ federated IdM procedures have been certified to a common standard.

Within a federated identity/trust environment, trusted third parties can provide some critical assurance services: vetting, certifying, and vouching for the equivalence of all organizations’ compliance with common IdM and PKI assurance policies, best practices, and standards. In pursuing such an approach, B2B e-business communities would be ensuring that any company compliant with the federated identity policy and practice statements is eligible to participate in the community’s federated IdM environment. For example, the identity policy and practice statement standard might prescribe mandatory identity and account management policies, procedures, and practices applicable to export/import control throughout a multinational B2B supply chain that includes dozens to thousands of firms. Similarly, the community-wide federated identity policy and practice statements standard might specify minimum privacy-protection safeguards that all companies would need to meet in order to pass regulatory muster in all participating nations. From an efficiency perspective, a trusted third party should certify companies’ compliance with federated identity policy and practice statements standards. In this way, the trusted third party performs a function analogous (and complementary) to the bridge certificate authorities of the PKI world.

To serve the relying parties in federated IdM interactions, IdPs should be able to generate assertions that attest strongly to their federated identity assurance level, as published in their federated identity policy and practice statements and certified by a federated identity policy and practice statements trusted third party. One critical piece of information that these assertion messages might contain is a description of the assurance level—such as two-factor authentication—associated with a particular login. The relying party would use this information in determining whether authentication had been done at a high enough assurance level for the requested resource (such as a highly sensitive operational database). Ideally, a relying party should also have visibility into the policies, practices, and controls implemented at the IdP. This knowledge would enable the relying party to determine whether the IdP has issued its assertions pursuant to sound, secure operating practices. The more trustworthy the IdP’s policies and practices, the more trustworthy the assertions issued by that IdP.

Of course, it’s not enough for an organization to simply assert that it complies with particular IdM policies. For other organizations to fully rely on a particular federated identity policy and practice statements, an IdP would first have had to gain certification from a trusted third party that had investigated and vetted that IdP’s internal procedures and controls. The trusted third party would then issue a digital signing certificate which the IdP would use to digitally sign identity assertions, confirming the IdP’s adherence to a particular established and published IdM federation policy. The trusted third party might, within its federated identity policy and practice statements-compliance assertion, also vouch for the mapping or equivalence between the IdP’s identity policy and practice statement and those of the relying firm, or the standard federated identity policy and practice statements for a particular vertical market, nation, or community. Other domains would be able to rely on those trusted third party-issued federated identity policy and practice statements compliance and equivalence assertions when deciding whether to trust that IdP’s authentication and attribute assertions. In this way, through trusted third parties, federated IdM environments can establish multilateral trust for strong authentication, SSO, RBAC, and other services. Consequently, the trusted third party becomes the hub of a federated B2B “community of trust,” providing the critical services of IdP identity policy and practice statement policy definition, vetting, mapping, certification, and vouching.

Conceivably, one could define a chain of identity assurances that each IdP would assert in its federated identity policy and practice statements. Fundamentally, identity assurance is defined by the degree to which a person’s online actions can be tracked and measured against an IdM best practice to which their IdP has committed in its federated identity policy and practice statements. Strong identity assurance could be predicated on the extent to which a given identity’s online interactions can be strongly associated, bound, or linked to demonstrated norms of IdM “best practice,” per applicable laws, regulations, policies, and industry best practices.

The chain of identity assurance associates the actions that a user takes in an online session with the consequences of those actions:

  • Assurance of association between an online session and a credential: This requires client-signed session assertions, signed cookies, or other means for strongly binding an online session to a credential under which a user logged into that session. In turn, client-signed session assertions or cookies require PKI X.509 end-entity digital signature certificates and private keys. All that, in turn, requires strong PKI assurance.
  • Assurance of association between a credential and a digital identity: This requires PKI X.509 end-entity identity certificates, which cryptographically bind a public key (and therefore whoever holds the corresponding private key) to a unique identifier such as a UPN or an X.500 DN.
  • Assurance of association between a digital identity and a real person: This requires PKI registration authorities to issue and renew X.509 end-entity certificates only after in-person proofing/vetting that involves having a real person present a government-issued picture ID and other supporting identifying documentation. It also requires that the request for registration or renewal of a PKI certificate/token obtain all necessary administrative approvals within the IdP that has issued the unique identifier that will (upon certificate issuance) be cryptographically bound to a public key (published in the certificate) and a private key (to which only that real person will have authorized access). In addition, provisioning of certificates to proofed users should only follow user authentication to the CA through entry of a one-time secret proofing passcode provided at proofing time by a trusted agent of the CA.
  • Assurance of association between a real person and an IdP: This requires that the IdP that issued the unique identifier published in the real person’s end-entity PKI certificates maintain that identifier in a published master directory administered and controlled by the IdP. The IdP’s master directory must securely and reliably synchronize, replicate, and/or publish that master identity information to other directories and repositories, or vouch via SAML authentication or attribute assertions for its continued registration in the master directory. In addition, the IdP must use identity information in that master directory to drive the automated provisioning and deprovisioning of accounts associated with real persons.
  • Assurance of association between an IdP and an IdP-asserted federated identity policy and practice statements: This requires that IdPs digitally sign any federated identity policy and practice statements that they assert with a digital signing private key held by an authorized corporate officer.
  • Assurance of association between an IdP-asserted federated identity policy and practice statements and a trusted third party-published federated identity policy and practice statements: This requires that one or more trusted third parties develop and publish standard federated identity policy and practice statements formats. It also requires that trusted third parties investigate, vet, and certify equivalence or conformance between an IdP-asserted federated identity policy and practice statements and a trusted third party-published federated identity policy and practice statements.
  • Assurance of association between a trusted third party-published identity policy and practice statement and trusted third party-vouched observation of an identity’s demonstrated compliance with norms of IdM “best practice”: This requires that one or more trusted third parties track, monitor, and audit real people’s online behavior. It also requires that trusted third parties determine the degree to which that behavior conforms to the norms of IdM best practice that they and their IdPs have pledged to comply with, in the form of published identity policy and practice statements.
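The two links in this chain that a relying party actually exercises at login time are the ones described above: the trusted third party vouches for the IdP (and for the assurance level its certified policy covers), and the IdP signs an assertion stating the level at which a particular login was done, which the relying party compares against what the requested resource needs. The following is an added example, not code from the original post or from any product, showing a relying party that walks that chain. It assumes Ed25519 signatures over JSON payloads in place of X.509 certificates and SAML messages, a hypothetical sector policy named “sector-fipps-1”, and three enumerated levels (basic, medium, high); all of these are illustrative choices, not anything the post prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

type Level int // enumerated assurance level; higher is stronger

const (
	LevelBasic  Level = 1
	LevelMedium Level = 2
	LevelHigh   Level = 3
)

// ComplianceAssertion is what the trusted third party (TTP) signs after vetting an
// IdP: the IdP's signing key, the policy statement it was certified against, and the
// highest level that certification covers. (Constructed format for this example;
// a deployment would carry this in X.509 certificates or SAML metadata.)
type ComplianceAssertion struct {
	IdPKey   ed25519.PublicKey `json:"idp_key"`
	Policy   string            `json:"policy"`
	MaxLevel Level             `json:"max_level"`
	NotAfter time.Time         `json:"not_after"`
}

// AuthnAssertion is what the IdP signs for one login.
type AuthnAssertion struct {
	Subject  string    `json:"subject"`
	Level    Level     `json:"level"`
	Policy   string    `json:"policy"`
	NotAfter time.Time `json:"not_after"`
}

// Signed carries a JSON payload and an Ed25519 signature over exactly those bytes.
type Signed struct{ Payload, Sig []byte }

// NewKey generates an Ed25519 key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign serialises body and signs the resulting bytes with priv.
func Sign(priv ed25519.PrivateKey, body interface{}) (Signed, error) {
	payload, err := json.Marshal(body)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying party's check, walked top-down: TTP signature, then the
// certified IdP key's signature, then expiry, policy match, the IdP's certified
// ceiling, and finally the resource's required level. Returns the subject on success.
func Verify(ttpKey ed25519.PublicKey, comp, authn Signed, required Level, now time.Time) (string, error) {
	if !ed25519.Verify(ttpKey, comp.Payload, comp.Sig) {
		return "", fmt.Errorf("compliance assertion: TTP signature invalid")
	}
	var c ComplianceAssertion
	if err := json.Unmarshal(comp.Payload, &c); err != nil {
		return "", err
	}
	if now.After(c.NotAfter) {
		return "", fmt.Errorf("compliance assertion: certification expired")
	}
	// Only the key the TTP vouched for may sign logins; reject anything else (including a missing key).
	if len(c.IdPKey) != ed25519.PublicKeySize || !ed25519.Verify(c.IdPKey, authn.Payload, authn.Sig) {
		return "", fmt.Errorf("authn assertion: not signed by the TTP-certified IdP key")
	}
	var a AuthnAssertion
	if err := json.Unmarshal(authn.Payload, &a); err != nil || now.After(a.NotAfter) {
		return "", fmt.Errorf("authn assertion: malformed or expired")
	}
	if a.Policy != c.Policy {
		return "", fmt.Errorf("authn assertion: policy %q is not the certified policy %q", a.Policy, c.Policy)
	}
	if a.Level > c.MaxLevel {
		return "", fmt.Errorf("authn assertion: IdP claims level %d but is certified only to %d", a.Level, c.MaxLevel)
	}
	if a.Level < required {
		return "", fmt.Errorf("authn assertion: level %d is below the %d this resource requires", a.Level, required)
	}
	return a.Subject, nil
}

func main() {
	now := time.Now()
	ttpPub, ttpPriv := NewKey()
	idpPub, idpPriv := NewKey()
	comp, _ := Sign(ttpPriv, ComplianceAssertion{IdPKey: idpPub, Policy: "sector-fipps-1", MaxLevel: LevelMedium, NotAfter: now.Add(24 * time.Hour)}) // TTP certifies IdP to medium
	login, _ := Sign(idpPriv, AuthnAssertion{Subject: "alice", Level: LevelMedium, Policy: "sector-fipps-1", NotAfter: now.Add(time.Hour)})     // a medium-assurance login
	for _, required := range []Level{LevelMedium, LevelHigh} { // the high-assurance resource must refuse this login
		subj, err := Verify(ttpPub, comp, login, required, now)
		fmt.Printf("resource requiring level %d: subject=%q err=%v\n", required, subj, err)
	}
}
```

The ordering of the checks matters: the IdP’s own signature is only verified with the key the trusted third party certified, so an IdP that was never vetted cannot get past the second step, and an IdP that was certified only to “medium” cannot simply assert “high” for a login, because its own claim is capped by what the trusted third party vouched for. Both failure modes are exercised in the test that accompanies this block.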

This last point is where federated IdM assurance environments would perform a critical role in stamping out phishing, pharming, and other crimes against e-business assurance. Identity theft, fraud, and impersonation violate all norms of IdM best practice, and also are criminal and civil offenses in a growing number of jurisdictions. Any real person that commits identity theft, and any IdP that actively or tacitly supports such behavior, might be held legally accountable for their behavior.

A well-architected federated IdM assurance environment would provide the identity, security, policy, management, and procedural controls necessary to prevent, detect, eliminate, and punish these violations of e-business trust.

Jim