Computer Security Resource Center



Developing Trust Frameworks to Support Identity Federations

Date Published: October 2016
Comments Due: November 1, 2016 (public comment period is CLOSED)
Email Questions to:

Withdrawn: January 12, 2018


David Temoshok (NIST), Christine Abruzzi (Deloitte & Touche)


More and more, online service providers are struggling to find secure ways of verifying that their consumers are who they say they are while, at the same time, protecting their users' privacy. Some communities and organizations that share common user bases and transaction types are choosing to address these challenges by allowing their users to access multiple services through common login credentials. This approach -- known as federated identity management -- enables users to access multiple online organizations and services through shared authentication processes (instead of authenticating separately to each and every service provider).

This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. In Draft NISTIR 8149, Developing Trust Frameworks to Support Identity Federations, NIST aims to educate communities that are interested in pursuing federated identity management, and provide a resource for them as they create the agreements and other components that will make up their trust frameworks. It includes guidance on determining roles in an identity federation, on what to consider from a legal standpoint, and on understanding the importance of establishing and recognizing conformance. Additionally, this document is intended to standardize the language around identity federation and trust frameworks in order to promote their widespread adoption.

Submitting Comments:

Commenters are STRONGLY encouraged to publicly collaborate with the NIST team, and with other participants, via the NISTIR 8149 GitHub pages.

OR, for those of you who prefer, we have provided a PDF version of NISTIR 8149 and a traditional comment matrix for your use.

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue".



identity federation; trust frameworks; identity management; multilateral agreements; credential service providers; authentication; relying parties; secure online transactions; NSTIC; interoperability; information security; cybersecurity; identity; identity proofing
Control Families

Identification and Authentication; Access Control