PAPE defines openid.pape.nist_auth_level as

(Optional) The Assurance Level as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic Authentication Guideline,” April 2006.) [NIST_SP800-63] corresponding to the authentication method and policies employed by the OP when authenticating the End User.

Value: Numeric value between 0 and 4 inclusive.

800-63 defines 'assertions' as

Assertions can be used to pass information about the claimant or the e-authentication process from the verifier to a relying party. Assertions contain, at a minimum, the name of the claimant, as well as identifying information that permits recovery of registration records. A relying party trusts an assertion based on the source, the time of creation, and attributes associated with the claimant.

Clearly, an OpenID authentication response is an assertion in the eyes of NIST (as is a SAML assertion).
But 800-63 disallows 'assertions' at Level 4.
So, while PAPE provides a means for an OP to say 'I did NIST Level 4', NIST forbids the OP from making that claim.
Likewise, a SAML IDP would be forbidden by NIST from claiming Level 4. Unless perhaps the SubjectConfirmation was holder-of-key and not bearer?
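The relying-party side of this mismatch, as an added example (not code from the post or from any OpenID library): it reads the PAPE namespace alias and nist_auth_level from an already signature-verified OpenID response, rejects out-of-range values, and caps the level the RP relies on at 3, since a Level 4 claim cannot be carried by an assertion under 800-63. The response dictionary, the PAPE namespace URI and the cap constant are this example's own assumptions.

```python
from typing import Optional

# PAPE 1.0 namespace URI (assumed from the PAPE spec, not quoted in the post).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

# Highest 800-63 level an RP can accept from an assertion: the post's point is
# that 800-63 does not permit assertions at Level 4.
MAX_ASSERTABLE_LEVEL = 3


def pape_alias(response: dict) -> Optional[str]:
    """Return the extension alias bound to the PAPE namespace, or None.

    OpenID lets the OP pick the alias (openid.ns.<alias>), so the RP must
    look it up rather than assume "pape".
    """
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def claimed_nist_level(response: dict) -> Optional[int]:
    """Parse openid.<alias>.nist_auth_level; None if absent or malformed."""
    alias = pape_alias(response)
    if alias is None:
        return None
    raw = response.get(f"openid.{alias}.nist_auth_level")
    if raw is None or not raw.isdigit():  # rejects "", "-1", "1.5"
        return None
    level = int(raw)
    return level if 0 <= level <= 4 else None


def effective_nist_level(response: dict) -> int:
    """Assurance level the RP may actually rely on.

    A missing or malformed claim counts as Level 0. A claimed Level 4 is
    clamped to MAX_ASSERTABLE_LEVEL because the response is an assertion.
    """
    level = claimed_nist_level(response)
    if level is None:
        return 0
    return min(level, MAX_ASSERTABLE_LEVEL)


if __name__ == "__main__":
    # Constructed sample response: the OP claims Level 4 under alias "pape".
    sample = {"openid.ns.pape": PAPE_NS, "openid.pape.nist_auth_level": "4"}
    print("claimed:", claimed_nist_level(sample), "effective:", effective_nist_level(sample))
```

The check only makes sense on fields covered by the response signature; an unsigned nist_auth_level should be treated as absent.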