Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center


Attribute Metadata

Date Published: August 2016
Comments Due: September 30, 2016 (public comment period is CLOSED)
Email Questions to:

Withdrawn: January 12, 2018


Paul Grassi (NIST), Ellen Nadeau (NIST), Ryan Galluzzo (Deloitte & Touche), Abhiraj Dinh (Deloitte & Touche)


NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:

  • Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
  • Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
  • Develop more granular access control policies;
  • Make more effective authorization decisions; and
  • Promote federation of attributes.

The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual's ability to access protected resources. We opted to publish this document as a NISTIR in an effort to treat it as an implementers' draft, an approach common in the development lifecycle of many private sector standards and specifications. This allows the developer and policy community, in both the public and private sectors, to apply some or all of the metadata in this NISTIR on a volunteer basis, and provide us with practical feedback gained through implementation experience. As such, we will be maintaining the public issues page beyond the initial 60-day period to continually receive input and iteratively improve the document in anticipation of a second revision.

Submitting Comments

Commenters are STRONGLY encouraged to publicly collaborate with the team and other participants via the GitHub pages for NISTIR 8112. We have posted details on how to submit comments on GitHub. Additionally, we are providing a PDF for offline reading, as well as a traditional comment matrix for those that prefer this approach. 

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue."



assertions; attributes; attribute metadata; attribute values; attribute value metadata; authorization; federation; identity; identity federation; information security; metadata; privacy; risk; risk management; security; access control; trust
Control Families

Identification and Authentication; Access Control;