[Openid-specs-risc] NIST 800-63-4 draft review
Tom Sato
toms at vericlouds.com
Wed Sep 11 08:37:42 UTC 2024
Hi SSF WG
This new NIST 800-63C-4 is a pretty important development that needs a closer look.
Specifically, with 4.8 Shared Signal, our RISC profile covers this area.
I think it will boost our industry interop activities and RISC profile adoption.
OIDF is doing a workshop on the NIST 800-63 Feedback Sessions on 19th and 20th Sept.
I think we should be there.
https://openid.net/nist-800-63-feedback-sessions/
NIST Special Publication
NIST 800-63C-4 2pd
Digital Identity Guidelines : Federation and Assertions
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63C-4.2pd.pdf
4.8. Shared Signaling

In some environments, it is useful for the IdP and RP to send information to each other outside of the federation transaction. These signals can communicate important changes in state between parties that would not be otherwise known. The use of any shared signaling SHALL be documented in the trust agreement between the IdP and RP. Signaling from the IdP to the RP SHALL require an a priori trust agreement. Signaling from the RP to the IdP MAY be used in both a priori and subscriber-driven trust agreements.

Any use of shared signaling SHALL be documented and made available to the authorized party stipulated by the trust agreement. This documentation SHALL include the events under which a signal is sent, the information included in such a signal (including any attribute information), and any additional parameters sent with the signal. The use of shared signaling SHALL be subject to privacy review under the trust agreement.

The IdP SHOULD send a signal regarding the following changes to the subscriber account:
* The account has been terminated.
* The account is suspected of being compromised.
* Attributes of the account, including identifiers other than the federated identifier (such as email address or certificate common name), have changed.
* The possible range of IAL, AAL, or FAL for the account has changed.

If the RP receives a signal that an RP subscriber account is suspected of compromise, the RP SHOULD review actions taken by that account at the RP for suspicious activity.

The RP SHOULD send a signal regarding the following changes to the RP subscriber account:
* The account has been terminated.
* The account is suspected of being compromised.
* A bound authenticator is added by the RP.
* A bound authenticator is removed by the RP.

If the IdP receives a signal that a subscriber account is suspected of compromise, the IdP SHALL review actions taken by that account at the IdP for suspicious activity. If suspicious activity is confirmed at the IdP, the IdP SHALL signal any additional RPs the subscriber account was used for during the suspected time frame.

Additional signals from both the IdP and RP MAY be allowed subject to privacy and security review as part of the trust agreement.
There are other areas in the doc which we need to review as well.
Tom Sato
VeriClouds BoD
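As an added illustration of how the section 4.8 signals quoted above could be carried as RISC Security Event Tokens (this is example code written for this thread, not code from NIST, the OpenID Foundation or the RISC profile): an IdP builds a single-event SET (RFC 8417) for a "suspected compromise" signal, and the RP verifies the signature, issuer, audience and freshness before deciding what to do with it. The mapping from the 4.8 bullet list to RISC event-type URIs, the RP actions, the HS256 shared key (a stand-in for the asymmetric JWS signing a real deployment would use) and all names and values are assumptions made for the example.

```python
"""Added example: emitting and consuming a RISC-style SET for an SP 800-63C-4
section 4.8 account signal. Everything here is constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
import uuid

RISC = "https://schemas.openid.net/secevent/risc/event-type/"

# Assumed mapping (author's reading, not text from NIST or the RISC profile)
# from the IdP-to-RP signals listed in 800-63C-4 section 4.8 to RISC event types.
NIST_48_TO_RISC = {
    "account-terminated": RISC + "account-purged",
    "account-compromise-suspected": RISC + "credential-compromise",
    "attributes-changed": RISC + "identifier-changed",
}

# Section 4.8 says the RP SHOULD review the account's actions when compromise is
# suspected; the actions for the other two events are this example's own choice.
RP_ACTION = {
    RISC + "account-purged": "delete-rp-subscriber-account",
    RISC + "credential-compromise": "review-account-activity",
    RISC + "identifier-changed": "update-stored-identifier",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(issuer, audience, event_type, subject, key: bytes, now=None, extra=None) -> str:
    """IdP side: create a single-event SET and sign it as a compact HS256 JWS."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": uuid.uuid4().hex,  # unique id so the RP can de-duplicate redeliveries
        "events": {event_type: {"subject": subject, **(extra or {})}},
    }
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_set(token: str, key: bytes, expected_iss: str, expected_aud: str,
               now=None, max_age=300) -> dict:
    """RP side: check signature and SET claims; return the payload or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm and type; never let the token choose how it is verified.
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected JWS header")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("SET is not addressed to this RP")
    now = int(time.time()) if now is None else now
    iat = payload.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat outside the acceptance window")
    if "jti" not in payload or len(payload.get("events", {})) != 1:
        raise ValueError("SET must carry a jti and exactly one event")
    return payload


def rp_action(payload: dict) -> str:
    """Decide what the RP does with a verified SET (unknown events are only logged)."""
    (event_type, event), = payload["events"].items()
    if "subject" not in event:
        raise ValueError("event lacks a subject identifier")
    return RP_ACTION.get(event_type, "log-and-ignore")


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed; a real IdP would sign with a private key
    token = build_set("https://idp.example", "https://rp.example",
                      NIST_48_TO_RISC["account-compromise-suspected"],
                      {"format": "email", "email": "alice@example.com"}, key)
    claims = verify_set(token, key, "https://idp.example", "https://rp.example")
    print(rp_action(claims))
```

The receiver deliberately rejects multi-event SETs, unpinned algorithms and stale tokens; a production RP would additionally store recent `jti` values to discard redeliveries and would look the signing key up from the IdP's published JWKS rather than a shared secret.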
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> On Behalf Of Mark Haine via Openid-specs-risc
Sent: Wednesday, September 11, 2024 4:16 AM
To: openid-specs-risc at lists.openid.net
Subject: Re: [Openid-specs-risc] NIST 800-63-4 draft review
Hi All,
You may be aware that NIST have published draft 4 of 800-63 "Digital Identity Guidelines" and are collecting feedback.
On the NIST publication page<https://csrc.nist.gov/pubs/sp/800/63/4/2pd> there are links to all of the documents.
The OpenID Foundation will be collating feedback from members and returning comments to NIST. Comments will be collected using a Google Sheet with a modified copy of the NIST Comment Template<https://docs.google.com/spreadsheets/d/1ZrgTetojhl5_ITzGaQMLt0NfgI5RAQUD/edit?gid=907386844#gid=907386844>.
For the Shared Signals Work Group the priority should be to look at 800-63A-4, as this document has specific references to "Fraud Management" (section 3.1.2.1 generally) and communication of "suspected and confirmed fraud events" (section 3.1.2.1 parts 11 and 12 and 3.1.2.2 parts 3 and 6). There are also references to fraud and shared signalling in 800-63C-4 but I don't have specific references for you yet.
Finally we suggest the following timeline for us to work with:
* OIDF NIST 800-63-4 Interactive Workshops<https://openid.net/nist-800-63-feedback-sessions/> 19-20th September
* Deadline for OIDF feedback collection 27th September
* Deadline for collated feedback 7th October (NIST deadline)
Best Regards,
Mark Haine
+44 (0) 777 555 0344<tel:+447775550344> | mark.haine at oidf.org<mailto:mark.haine at oidf.org> |