NIST Identity Standards and Technologies
1. Introduction
United States Department of Commerce
National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology
Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069
Washington, DC 20230
W: 202.482.8349
M: 703.786.8275
Email: paul.grassi@nist.gov
Background
Role @ NIST
Approach
2. Standards and Technology Landscape
Figure labels:
Well-rounded pilots hitting diverse user set
Government adoption
Market
Discovery
Attribute Providers
Internet of Things
Consumer-Centric
Deployment Costs
Standards Gaps
Embedded Privacy
Identification of policy and technical overlays
NSTIC Launch
IDE Sustaining
2012  2013  2014  2015
Envision It!?
True Interoperability
3. NIST Coverage in Key Identity Services
Key:
No coverage
Partial coverage, to include other D/A documentation
Full coverage
Needs refreshing
4. Where We Will Focus in FY14/15
✓ Codify privacy enhancing profiles
✓ Enhance/Establish ‘standard’ to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
✓ Address portability of preferred credentials and relying party accounts
✓ Revisit and retool existing standards to address current market state and flex to innovation
✓ Develop new standards that increase IE participation
✓ Increase participation in commercial open standards
✓ Mobility, Cloud, Shared Services
✓ Simplify, accelerate, and reduce the cost of ICAM implementations
✓ Focus beyond the PIV
✓ Establish RP toolkits
✓ Identify and foster innovation from untapped sources
✓ Elevate non-person entities into the forefront of the IDE/ICAM discussion
✓ Non-intrusive security model
✓ Continuous monitoring and assessment
5. Identity Assurance – What would you think if?
De-coupled proofing strength from authentication strength?
NIST just measured authentication performance/strength/usability?
Got rid of LOA?
What else could we do to turn these docs on their head to enhance the IE?
Developed private sector companion to 800-63?
6. Attributes – What Needs to Happen?
Identify and establish market-enhancing attribute best practices, guidelines, and standards to communicate the veracity and trustworthiness of attributes to relying parties or identity and access management service or function.
Figure labels:
Meta-Attribute
Confidence/Assurance
Liability
Security and Privacy
Governance
Exchange
Informs
Dependent Standards
Performance Metrics
Risk Tolerance
Market
Attribute Registries
Focal
7. The Need for a Privacy Profile
Figure: Double Blind Architecture
Figure labels:
Broker
Authentication Request
Authentication Request
Response + Encrypted Attributes
Relying Party
CSP
User Consent
Attribute Provider
Response + Encrypted Attributes
(1) CSP/AP can’t know the RP
(2) Broker can’t see the attributes
(3) Standard and Protocol Agnostic
(4) RP can’t know CSP
(5) Minimal Changes to Infrastructure (but we may soften this requirement)
8. Contact Information
United States Department of Commerce
National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology
Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069
Washington, DC 20230
W: 202.482.8349
M: 703.786.8275
Email: paul.grassi@nist.gov