Functional Model Workstream 1: Functional Element Development.
-
Upload
gwendolyn-jordan -
Category
Documents
-
view
221 -
download
0
Transcript of Functional Model Workstream 1: Functional Element Development.
Functional Model Workstream 1: Functional Element Development
Background: Excerpt from the Functional Model AHG Terms of Reference
Background: At the July 2013 plenary meeting in Boston, the Security Committee offered to steward the progression of the IDESG functional model work. Some preliminary work had previously been done under the auspices of the Standards Committee. The consensus out of the Plenary meeting in Boston was that these activities should be carried forward by the Security Committee. These Terms of Reference recite the basis for this work, and establish an Ad Hoc Group under the Security Committee to which all IDESG members are invited to participate.
Purpose: The purpose of the Functional Model AHG is to define Functional Elements of identity ecosystems, which can be combined to implement identified and sustainable IDESG Use Cases.
The functional model that comprises such Functional Elements can be used to:a) characterize the adoption of the NSTIC Guiding Principles by identity systems;b) explore comparability among existing identity trust frameworks; c) provide a basis for other deliverables within IDESG, such as evaluation methodologies; and d) articulate a proposed model of identity functional areas with elements that can be articulated to the broader identity community.
Deliverables:A document describing the identity functional areas, including a diagram, entitled “IDESG Functional Model(s) Definition” will be produced.
Functional Element Development Lifecycle
IDENTIFY
CONSOLIDATE
DESCRIBE
DISCUSS
SELECT
TEST
Reduce Use Cases to common functional elements
Consolidate and disaggregate common elements (as necessary)
Develop list and describe each functional element
Discuss relevant Functional Elements within working group
Select Functional Elements for inclusion
Test Functional Elements(s) against existing and future use cases, models, and architectures
Functional Element Goals/Objectives
• Create a modular, flexible, and adaptive set of functional elements that can be effectively applied to the broadest possible collection of use cases, frameworks, and identity models.
• Establish functional elements in such a way that requirements can be written to them and assessed against them.
• Thus, the Functional Elements should:o Provide a basis set of functional elements that can be combined to support
NSTIC pilot and IDESG Use Caseso Be implementable by various Actors within the identity ecosystem to fulfil
required Roleso Help to delineate the responsibilities of various Actors in the identity
ecosystem so that accountability for privacy/security/legal requirements is clear.
o Define the functional elements that can be assessed by certification providers to provide interoperable functional components.
Functional Element Key Terms
• Functional Elements- The foundational set of functions and operations that occur within the Identity Ecosystem. o Not every function or operation is a Functional Elemento Items were included for their common applicability across most
environments, technologies, and transaction types.
• Deliverable team defined two types of functional elements:o Core Operations- High level actions that will likely be integral to most
Identity Ecosystem use cases, frameworks, and architectures.o Functions- Common functions that support the execution and completion
of the Core Operations.
Core Operations & Functions
• Registrationo Functions: Application, Data Request, Submission of Data, Attribute
Verification (Identity Proofing), Eligibility Determination • Credential Provisioning
o Functions: Credential Issuance/Association, Token binding, Attribute Binding
• Authenticationo Functions: Access Request, Credential Presentation, Identity Mapping,
Credential Validation, Authentication Decision• Authorization
o Functions: Access Request Response, Access Control Policy, Data Request, Submission of Data, Attribute Verification, Authorization Decision
• System Management and Maintenanceo Functions: Revocation, Periodic Updates, Events Based Updates, Redress
Functional Element MatrixCore Operations Functions Description
Registration Set of processes that establishes the identity of an entity to the extent necessary prior to creating the digital identity and issuing a credential.
Application Process by which an entity requests initiation of registration.
Data Request Process by which an entity is notified of the attributes required for determining eligibility to create the digital identity.
Submission of Data Process for collecting identity data once an application has been received and data has been requested.
Attribute Verification (Identity Proofing)Process of confirming or denying that claimed identity attributes are correct and meet the pre-determined requirements for accuracy, assurance, etc. to the required levels.
Eligibility Determination A decision that an entity does or does not meet the pre-determined requirements of eligibility for an entitlement.
Credential Provisioning The process to bind an established digital identity with a credential.
Credential Issuance/Association Process by which ownership of a credential is transferred or confirmed.
Token Binding The process of binding a physical or electronic token to a credential.
Attribute Binding The process of binding pre-determined attributes to a credential.
Authentication Process of determining the validity of one or more credentials used to claim a digital identity.
Access Request Process by which authentication is initiated by an entity.
Credential Presentation Process by which a entity submits a credential for the purposes of authentication.
Identity Mapping Process of linking the presented credential to a stored digital identity.
Credential Validation/Verification The process of establishing the validity of the presented credential.
Authentication Decision The decision to accept or not accept the results of the credential validation process.
Functional Element Matrix (Cont.)Core Operations Functions Description
Authorization Authorization is the process of granting or denying specific requests for access to resources.
Access Request Response Process by which authorization is initiated by an entity.
Access Control Policy Rules that are executed by an access control system that defines what access an entity should be granted or denied to the resource.
Data RequestProcess by which a entity is notified of the attributes required for determining access to a specific resource; typically, these attributes for authorization have not been bound to the credential or previously available to the organization making the authorization decision.
Submission of Data Process for collecting attributes required to make a determination regarding authorization.
Attribute Verification
The process of confirming or denying that claimed attributes are correct and meet the pre-determined requirements for authorization; typically, these attributes for authorization have not been bound to the credential or previously available to the organization making the authorization decision.
Authorization DecisionThe decision to grant and deny access to a resource based on access controls that determine what operations are allowed to be performed on the resource
System Management and Maintenance Process of creating, maintaining, deactivating and deleting digital identities, credentials, and tokens within a system.
Revocation The process by which an issuing authority renders an issued credential useless for authentication to a specific digital identity.
Periodic Updates Periodic scheduled background update to determine eligibility for an entitlement.
Event Based UpdatesBackground update to determine eligibility for an entitlement as a result of changes in a entity's status (e.g., change in marital status, end of subscription, etc.)
Redress The process by which entities and organizations reconcile errors that occur during the operations and processes of an identity system.
Functional Elements Applied
Frameworks/Architectures
NIST 800-63 IdM Architecture
Registration
Credential Provisioning
Authentication Decision
7Authorization
Credential Validation
Attribute Verification
Attribute Verification (ID
Proofing)
Authentication
System Management
and Maintenance
System Management
and Maintenance
Registration
Authentication Decision
Credential Validation
Application
System Management
and Maintenance
System Management
and Maintenance
Token Binding
System Management
and Maintenance
System Management
and Maintenance
Attribute Verification (ID
Proofing)
Credential Issuance/
Association
Credential Provisioning
Access Request
Credential Presentation
Authentication
Authorization
NIST 800-63 IdM Architecture
Functional Elements Applied
Use Cases
Use Case: Four Party Authentication and Authorization
IDP RP
AP
Authentication
Access RequestCredential Presentation
Credential Validation
Identity Mapping
Credential Validation
Authentication Decision
Authorization
Attribute Verification
Access Request Response
Authorization Decision
Authenticated
Access Control Policy
Data Request
Submission of Data
User
Authorized
Use case assumes
&
Have been previously completed.
Registration Credential Provisioning
System Management
and Maintenance
System Management
and Maintenance
System Management
and Maintenance
RP
PII
AP /Identity Proofer
Credential Issuer/Manager/
Verifier
AuthN data+ PII
PII(biographics)
Daon Componentized Services– Credential service*
*From IDESG Presentation Pilot Outbrief, Dec. 2013
RP
PII
AP /Identity Proofer
Credential Issuer/Manager/
Verifier
AuthN data+ PII
PII(biographics)
Credential Presentation
Credential Validation
Authorization Decision
Authentication Decision
Authenticated
Access Control Policy
Identity Proofed
Token Binding
Daon Componentized Services– Credential service*
*From IDESG Presentation Pilot Outbrief, Dec. 2013
Attribute Binding
Credential Provisioning
Authentication
Authorization
Credential Issuance/
Association
Registration
Application
Data Request
Submission of Data
Eligibility Determination
Attribute Verification (ID
Proofing)
Access Request Response
Daon Componentized Services– Identity Service Provider*
PII
AP /Identity Proofer
Credential Issuer/Manager/
Verifier
AuthN data+ PII
PII(biographics)
RP
*From IDESG Presentation Pilot Outbrief, Dec. 2013
RP
PII
AP /Identity Proofer
Credential Issuer/Manager/
Verifier
AuthN data+ PII
PII(biographics)
Credential Presentation
Credential Validation
Authorized
Daon Componentized Services– Identity Provider Service*
*From IDESG Presentation Pilot Outbrief, Dec. 2013
Authorization Decision
Authentication Decision
Authenticated
Access Control Policy
Identity Proofed
Token Binding
Attribute Binding
Credential Provisioning
Authentication
Authorization
Credential Issuance/
Association
Registration
Application
Data Request
Submission of Data
Eligibility Determination
Attribute Verification (ID
Proofing)
Access Request Response
Further Considerations and Next Steps
• Map functional element to NSTIC derived requirementso Identify gaps, redundancies, or deficiencies.o Develop recommendations for additional security requirements.o Communicate the role of functional elements and models in requirements
development to the other committees of the IDESG.• Map functional elements to selected use cases and frameworks
o Use case and framework selectiono Develop mapping approach.o Coordination with Standards Committee.
• Additional steps to complete Functional Model?o Actors, Roles, Participants?o What level of detail? o Do we build the variations? Or, do we allow potential participants to map
their own functional models/architectures/federations to our functional elements?
Questions?