<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="theme-color" media="(prefers-color-scheme: light)" content="white">
<meta name="theme-color" media="(prefers-color-scheme: dark)" content="black">
<link rel="canonical" href="/800-63-4/">
<!-- Google Analytics -->
<!--<script type="text/javascript" id="_fed_an_js_tag" src="http://www.nist.gov/js/federated-analytics.all.min.js?agency=NIST&subagency=mml&pua=UA-66610693-1&yt=true&exts=ppsx,pps,f90,sch,rtf,wrl,txz,m1v,xlsm,msi,xsd,f,tif,eps,mpg,xml,pl,xlt,c"></script> -->
<!-- DAP Analytics -->
<script type="text/javascript" id="_fed_an_ua_tag"
src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DOC&subagency=NIST&pua=UA-66610693-1&yt=true&exts=ppsx,pps,f90,sch,rtf,wrl,txz,m1v,xlsm,msi,xsd,f,tif,eps,mpg,xml,pl,xlt,c"></script>
<link rel="stylesheet" href="https://pages.nist.gov/nist-header-footer/css/nist-combined.css">
<script src="https://code.jquery.com/jquery-3.6.2.min.js" type="text/javascript"></script>
<script src="https://pages.nist.gov/nist-header-footer/js/nist-header-footer.js" type="text/javascript" defer="defer"></script>
<script src="https://unpkg.com/simple-jekyll-search/dest/simple-jekyll-search.min.js"></script>
<!-- Custom CSS -->
<link rel="stylesheet" href="/800-63-4/static/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/800-63-4/static/css/NISTStyle.css">
<link rel="stylesheet" href="/800-63-4/static/css/NISTPages.css">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<title>NIST SP 800-63 Digital Identity Guidelines</title>
<meta property="og:title" content="NIST SP 800-63 Digital Identity Guidelines"/>
<meta name="description" content="NIST Special Publication 800-63 Digital Identity Guidelines">
<meta property="og:description" content="NIST Special Publication 800-63 Digital Identity Guidelines"/>
</head>
<body>
<section class="home home-title">
<h1>NIST SP 800-63 Digital Identity Guidelines</h1>
</section>
<section class="home home-about">
<div class="section-container">
<h2 id="call-for-comments-on-second-public-draft-of-revision-4">Call for Comments on Second Public Draft of Revision 4</h2>
<p>NIST requests comments on the draft fourth revision to the four-volume suite of Special Publication 800-63, <em>Digital Identity Guidelines</em>. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volume. The volumes also provide considerations for enhancing the privacy, equity, and usability of digital identity solutions and technology.</p>
<p>NIST requests that all comments be submitted by <strong>11:59pm Eastern Time on October 7, 2024</strong>. Please submit your comments to <a href="mailto:[email protected]">[email protected]</a>. See the <a href="#ntr">Note to Reviewers</a> section below for specific topics about which NIST is seeking your feedback. NIST will review all comments and make them available at the <a href="https://www.nist.gov/identity-access-management">NIST Identity and Access Management website</a>. Commenters are encouraged to use the comment template provided on the <a href="https://csrc.nist.gov/pubs/sp/800/63/4/2pd">NIST Computer Security Resource Center website</a>.</p>
<h2 id="online-versions">Available Online</h2>
<p>The online versions of the four volumes of draft SP 800-63-4 are available at:</p>
<ul class="audiences">
<li>
<div>
<a href="sp800-63.html"><img src="assets/63.png" alt="SP 800-63-4" width="150px" height="150px" /></a>
</div>
<h3><a href="sp800-63.html">SP 800-63-4</a></h3>
<h6>Digital Identity Guidelines</h6>
</li>
<li>
<div>
<a href="sp800-63a.html"><img src="assets/63a.png" alt="SP 800-63A-4" width="150px" height="150px" /></a>
</div>
<h3><a href="sp800-63a.html">SP 800-63A</a></h3>
<h6>Identity Proofing & Enrollment</h6>
</li>
<li>
<div>
<a href="sp800-63b.html"><img src="assets/63b.png" alt="SP 800-63B-4" width="150px" height="150px" /></a>
</div>
<h3><a href="sp800-63b.html">SP 800-63B</a></h3>
<h6>Authentication & Authenticator Management</h6>
</li>
<li>
<div>
<a href="sp800-63c.html"><img src="assets/63c.png" alt="SP 800-63C-4" width="150px" height="150px" /></a>
</div>
<h3><a href="sp800-63c.html">SP 800-63C</a></h3>
<h6>Federation & Assertions</h6>
</li>
</ul>
<p>PDF versions of these documents are available on the <a href="https://csrc.nist.gov/publications/detail/sp/800-63/4/draft">NIST Computer Security Resource Center</a>.</p>
<h2 id="background">Background</h2>
<p>In December 2022, NIST released the Initial Public Draft (IPD) of SP 800-63, Revision 4. Over the course of a 119-day public comment period, the authors received exceptional feedback from a broad community of interested entities and individuals. The input from nearly 4,000 specific comments has helped advance the improvement of these Digital Identity Guidelines in a manner that supports NIST’s critical goals of providing foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems. All of the submitted comments are available online at the <a href="https://pages.nist.gov/800-63-Public-Comments/">SP 800-63 Public Comments archive</a>. Based on this initial wave of feedback, several substantive changes have been made across all of the volumes. These changes include but are not limited to the following:</p>
<ol>
<li>Updated text and context setting for risk management. Specifically, the authors have modified the process defined in the IPD to include a context-setting step of defining and understanding the online service that the organization is offering and intending to potentially protect with identity systems.</li>
<li>Added recommended continuous evaluation metrics. The continuous improvement section introduced by the IPD has been expanded to include a set of recommended metrics for holistically evaluating identity solution performance. These are recommended due to the complexities of data streams and variances in solution deployments.</li>
<li>Expanded fraud requirements and recommendations. Programmatic fraud management requirements for credential service providers and relying parties now address issues and challenges that may result from the implementation of fraud checks.</li>
<li>Restructured the identity proofing controls. There is a new taxonomy and structure for the requirements at each assurance level based on the means of providing the proofing: Remote Unattended, Remote Attended (e.g., video session), Onsite Unattended (e.g., kiosk), and Onsite Attended (e.g., in-person).</li>
<li>Integrated syncable authenticators. In April 2024, NIST published interim guidance for syncable authenticators. This guidance has been integrated into SP 800-63B as normative text and is provided for public feedback as part of the Revision 4 volume set.</li>
<li>Added user-controlled wallets to the federation model. Digital wallets and credentials (called “attribute bundles” in SP 800-63C) are seeing increased attention and adoption. At their core, they function like a federated IdP, generating signed assertions about a subject. Specific requirements for this presentation and the emerging context are presented in SP 800-63C-4.</li>
</ol>
<p>The rapid proliferation of online services over the past few years has heightened the need for reliable, equitable, secure, and privacy-protective digital identity solutions.
Revision 4 of NIST Special Publication SP 800-63, <em>Digital Identity Guidelines</em>, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published in 2017, including the real-world implications of online risks. The guidelines present the process and technical requirements for meeting digital identity management assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for fostering equity and the usability of digital identity solutions and technology.</p>
<p>Based on the feedback provided in response to the June 2020 Pre-Draft Call for Comments, research into real-world implementations of the guidelines, market innovation, and the current threat environment, this draft seeks to:</p>
<ul>
<li>Address comments received in response to the IPD of Revision 4 of SP 800-63</li>
<li>Clarify the text to address the questions and issues raised in the public comments</li>
<li>Update all four volumes of SP 800-63 based on current technology and market developments, the changing digital identity threat landscape, and organizational needs for digital identity solutions to address online security, privacy, usability, and equity</li>
</ul>
<p>NIST is specifically interested in comments and recommendations on the following topics:</p>
<ol>
<li>
<p>Risk Management and Identity Models</p>
<ul>
<li>Is the “user controlled” wallet model sufficiently described to allow entities to understand its alignment to real-world implementations of wallet-based solutions such as mobile driver’s licenses and verifiable credentials?</li>
<li>Is the updated risk management process sufficiently well-defined to support an effective, repeatable, real-world process for organizations seeking to implement digital identity system solutions to protect online services and systems?</li>
</ul>
</li>
<li>
<p>Identity Proofing and Enrollment</p>
<ul>
<li>Is the updated structure of the requirements around defined types of proofing sufficiently clear? Are the types sufficiently described?</li>
<li>Are there additional fraud program requirements that need to be introduced as a common baseline for CSPs and other organizations?</li>
<li>Are the fraud requirements sufficiently described to allow for appropriate balancing of fraud, privacy, and usability trade-offs?</li>
<li>Are the added identity evidence validation and authenticity requirements and performance metrics realistic and achievable with existing technology capabilities?</li>
</ul>
</li>
<li>
<p>Authentication and Authenticator Management</p>
<ul>
<li>Are the syncable authenticator requirements sufficiently defined to allow for reasonable risk-based acceptance of syncable authenticators for public and enterprise-facing uses?</li>
<li>Are there additional recommended controls that should be applied? Are there specific implementation recommendations or considerations that should be captured?</li>
<li>Are wallet-based authentication mechanisms and “attribute bundles” sufficiently described as authenticators? Are there additional requirements that need to be added or clarified?</li>
</ul>
</li>
<li>
<p>Federation and Assertions</p>
<ul>
<li>Is the concept of user-controlled wallets and attribute bundles sufficiently and clearly described to support real-world implementations? Are there additional requirements or considerations that should be added to improve the security, usability, and privacy of these technologies?</li>
</ul>
</li>
<li>
<p>General</p>
<ul>
<li>What specific implementation guidance, reference architectures, metrics, or other supporting resources could enable more rapid adoption and implementation of this and future iterations of the Digital Identity Guidelines?</li>
<li>What applied research and measurement efforts would provide the greatest impacts on the identity market and advancement of these guidelines?</li>
</ul>
</li>
</ol>
<p>Reviewers are encouraged to comment and suggest changes to the text of all four draft volumes of the SP 800-63-4 suite. NIST requests that all comments be submitted by 11:59pm Eastern Time on October 7th, 2024. Please submit your comments to <a href="mailto:[email protected]">[email protected]</a>. NIST will review all comments and make them available on the <a href="https://www.nist.gov/identity-access-management">NIST Identity and Access Management website</a>. Commenters are encouraged to use the comment template provided on the NIST Computer Security Resource Center website for responses to these notes to reviewers and for specific comments on the text of the four-volume suite.</p>
<p><strong>NOTE: All comments and responses are subject to release under the Freedom of Information Act (FOIA). A call for patent claims is included on page ii of each draft. For additional information, see the <a href="https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications">Information Technology Laboratory (ITL) Patent Policy — Inclusion of Patents in ITL Publications</a>.</strong></p>
</div>
</section>
<footer role="contentinfo" class="site-footer">
<div class="section-container">
<div class="section-content">
</div>
</div>
</footer>
<script type="text/javascript">
function loadSearch() {
var sjs = SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
json: '/800-63-4/search.json'
});
}
$(function() {
// highlight normative language by adding classes
$('strong').filter(':contains("SHALL"), :contains("SHALL NOT"), :contains("SHOULD"), :contains("SHOULD NOT"), :contains("MAY"), :contains("NEED NOT"), :contains("CAN"), :contains("CANNOT"), :contains("CAPITALS")').each(function(i, el) {
var $el;
$el = $(el);
$el.addClass('normative');
});
// highlight the target
$('a:target').parent().addClass('target');
$(':target').addClass('target');
$(window).on('hashchange', function(e) {
$('.target').removeClass('target');
$('a:target').parent().addClass('target');
$(':target').addClass('target');
});
});
</script>
</body>
</html>