Monday, August 11, 2008

OpenID PAPE & NIST 800 63 Level 4

OpenID PAPE allows for an OP to claim that the user was authenticated consistent with the stipulations of the most stringent assurance level as defined by OMB M-04-04 and  NIST 800 63.

(Optional) The Assurance Level as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic Authentication Guideline,” April 2006.) [NIST_SP800‑63] corresponding to the authentication method and policies employed by the OP when authenticating the End User.

Value: Numeric value between 0 and 4 inclusive.
800 63 defines 'assertions' as
Assertions can be used to pass information about the claimant or the e-authentication process from the verifier to a relying party. Assertions contain, at a minimum, the name of the claimant, as well as identifying information that permits recovery of registration records. A relying party trusts an assertion based on the source, the time of creation, and attributes associated with the claimant.
Clearly, an OpenID authentication response is an assertion in the eyes of NIST (as is a SAML assertion).

But, 800 63 disallows 'assertions' at Level 4.

So, while PAPE provides a means for an OP to say 'I did NIST Level 4', NIST forbids the OP from making that claim.

Likewise, a SAML IDP would be forbidden by NIST from claiming Level 4. Unless perhaps the SubjectConfirmation was holder-of-key and not bearer?

No comments: