Anil John | Blog

On Digital Security, Privacy, Architecture ...

Anil John

A Model for Separating Token and Attribute Manager Functions

 Tweet  Share  Email  Print

Some time ago I attended an event at which some members of the Kantara Initiative Identity Assurance Working Group presented "an approach to separating credential provision functions from identity attribute functions" (PDF). I've given this a bit of thought and, using their work as a starting point, modified it to incorporate terminology consistent with the NIST Electronic Authentication Guideline (SP 800-63-1)

As noted in the Kantara IAWG draft paper, the model shows the abstract components of the 'system' and how they interact. Where I have differed from the paper is in the use of the "Token Manager" role instead of a "Credential Manager" role, and in the use of "Token" instead of "Credential". The reason for my divergence is to maintain consistency with NIST SP 800-63-1 in its use of the terms "token" and "credential", and to avoid overloading terms:

Token: Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant's identity. In the e-authentication context, a token contains a secret to be used in authentication processes. Tokens are possessed by a Claimant and controlled through one or more of the traditional authentication factors (something you know, have, or are).

Identity: A set of attributes that uniquely describe a person within a given context.

Credential: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. While common usage often assumes that the credential is maintained by the Subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the Subscriber's token and identity

In the above model, I also note the following clarification for the roles:

RoleFunctionsPurpose
Token Manager
  • Activate/Create Token
  • Issue Token to Entity
  • Authenticate Entity’s Token
Manages full lifecycle of the token including managing the entity to token binding record
Attribute Manager
(a.k.a Identity Record Manager)
  • Identify Entity
  • Validate Entity Identity
  • Verify Entity Identity
  • Register Entity
  • Provide Entity Identity Attributes
Manages the full lifecycle of electronic identity information including the record of the entity to identity record binding
Token-Identity Link Record Manager
  • Link Token(s) and Identity Record(s)
Authoritatively binds the token and identity record information together and manages the full lifecycle of that binding record
Online Services Provider
  • Enroll Entity for Services
  • Provide Services to Entity
Provides services to authorized entities
Entity
  • Possess Token(s)
  • Possess Identity Record(s)
  • Assert Identity
Receive online services

Some salient points:

  • Model does not show timing or sequence
  • An entity may possess multiple tokens and identity records
  • Binding between the token and identity record may take as input multiple tokens and/or multiple identity records
  • Model does not assign any of the roles to a real organization

A value of this model is for it to serve as a framework for discussion around the mapping of specific roles to specific entities, and what some of the potential trade-off's (business/incentive/technical) would be.

Mapping to the NIST SP 800-63-1 E-Authentication Architectural Model:

Mapping to the Canadian "anonymous credential" model implemented via their Credential Brokering Service:

Mapping to the current model implemented by the US Social Security Administration for the my Social Security Application:

Mapping to the consumer facing implementation of facebook and Google+:

More to come. Comments and feedback are appreciated.

RELATED INFO



This blog post first appeared on Anil John | Blog (http://blog.aniljohn.com). These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.

Topic:
Written by on |

Let me know what you think... Please leave a comment for me below!


FREE EMAIL UPDATES
Get exclusive benefits & content first.

I will never share your email address with anyone else. Cancel anytime.

The entries in my blog are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.


Archive of all Blog Posts