Got trust? Seeking public comment on new NIST publication for developing trust frameworks to support identity federation

Some communities and organizations that share common user bases and transaction types are addressing challenges to users’ privacy and security by allowing users to access multiple services through common login processes. This approach – known as federated identity management – enables users to access multiple online organizations and services through shared authentication processes, instead of authenticating separately with each service provider.

Federated identity management is based on trust, especially between the organizations and service providers that use it. The “rules” for federated identity management are known as “trust frameworks” and the organizations that agree to follow such rules and participate are known as “identity federations.”  

Want to know more about trust frameworks?

Check out today’s release of draft NIST Internal Report (NISTIR) 8149: Developing Trust Frameworks to Support Identity Federation. This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. We’re also seeking feedback from the stakeholder community on this draft; see below for details.

Why now?

The major end goal is simple: to facilitate the widespread adoption of trust frameworks for organizations and the communities that benefit from them. Trust frameworks aren’t new, so this document doesn’t intend to introduce them to the public. Rather, the draft NISTIR aims to educate communities interested in pursuing federated identity management as they try to establish the agreements that will make up the framework. It includes guidance on determining roles in an identity federation, what to consider from a legal standpoint, and understanding the issues of establishing and recognizing conformance.

Additionally, we hope we can help standardize the language around identity federation and trust frameworks in the future to contribute to a common understanding of the concepts.

What’s the central issue?

Online service providers are struggling more and more to find secure, privacy-preserving ways to verify that their consumers are who they say they are. The default solution up until now has been to require consumers to register and create an account each time they access a new service, but this requires additional effort from service providers and puts the burden on consumers to keep track of many different accounts and login details. Remembering passwords for every single account is not practical, and many consumers are ignoring well-known security best practices that recommend not reusing usernames and passwords between sites. Additionally, convincing users to adopt multi-factor authentication is that much harder when we must ask them to do so across dozens of sites.

Draft NISTIR 8149 covers all the critical topics of trust frameworks, including roles and responsibilities, framework components and rules, legal structures (including risk and liability), and establishing and recognizing conformance. We won’t go into the details here, so please take a look at the draft.

How to comment  

Like so many of our documents, it won’t be complete without feedback from our stakeholders; we rely on you telling us what we got wrong and what we outright missed.

Because of the positive feedback we continue to receive on our other documents hosted on GitHub, we’re doing so again via our NISTIR 8149 GitHub page. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a form. Using that tab, you can summarize your suggested changes and submit them for further discussion in a forum-style format. More instructions on this are available online.

Also, given that this is a more narrative-style document, we understand that it might be easier for some to submit comments through a good old-fashioned comment matrix. If so, please use this matrix and send it to trustframeworks@nist.gov. We will likely add these comments to GitHub for maximum transparency and collaboration, so please anticipate that any feedback emailed to us will be made public.

The 30-day open comment period is from October 3rd – November 1st, 2016.

While NIST is better known for its focus on developing standards and technology, we never lose sight of the many enablers of technology that can make or break a market. A sustainable marketplace requires active work to establish the organizational structures and agreements that make room for great technologies; whether a technologist or attorney, policymaker or executive, establishing trust in digital identities isn’t a spectator sport.

Twitter: @NSTICNPO

About the author

David Temoshok

David Temoshok is currently serving as the Senior Policy Advisor for the Trusted Identities Group at the National Institute of Standards and Technology.

Prior to this David served as the Director for...
