Date Published: August 2016
Comments Due:
Email Questions to:
Author(s)
Paul Grassi (NIST), Ellen Nadeau (NIST), Ryan Galluzzo (Deloitte & Touche), Abhiraj Dinh (Deloitte & Touche)
Announcement
NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:
- Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
- Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
- Develop more granular access control policies;
- Make more effective authorization decisions; and
- Promote federation of attributes.
The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual's ability to access protected resources. We opted to publish this document as a NISTIR in an effort to treat it as an implementers' draft, an approach common in the development lifecycle of many private sector standards and specifications. This allows the developer and policy community, in both the public and private sectors, to apply some or all of the metadata in this NISTIR on a volunteer basis, and provide us with practical feedback gained through implementation experience. As such, we will be maintaining the public issues page beyond the initial 60-day period to continually receive input and iteratively improve the document in anticipation of a second revision.
Submitting Comments
Commenters are STRONGLY encouraged to publicly collaborate with the team and other participants via the GitHub pages for NISTIR 8112. We have posted details on how to submit comments on GitHub. Additionally, we are providing a PDF for offline reading, as well as a traditional comment matrix for those that prefer this approach.
All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue."
This NIST Internal Report contains a metadata schema for attributes that may be asserted about an individual during an online transaction. The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual’s ability to access protected resources, and for an individual’s. Attribute metadata could also create the possibility for data sharing permissions and limitations on individual data elements. There are other possible applications of attribute metadata, such as evaluation and execution of business logic in decision support systems; however the metadata contained herein is focused on supporting an organization’s risk-informed authorization policies and evaluation.
This NIST Internal Report contains a metadata schema for attributes that may be asserted about an individual during an online transaction. The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual’s ability to access protected...
See full abstract
This NIST Internal Report contains a metadata schema for attributes that may be asserted about an individual during an online transaction. The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual’s ability to access protected resources, and for an individual’s. Attribute metadata could also create the possibility for data sharing permissions and limitations on individual data elements. There are other possible applications of attribute metadata, such as evaluation and execution of business logic in decision support systems; however the metadata contained herein is focused on supporting an organization’s risk-informed authorization policies and evaluation.
Hide full abstract
Keywords
assertions; attributes; attribute metadata; attribute values; attribute value metadata; authorization; federation; identity; identity federation; information security; metadata; privacy; risk; risk management; security; access control; trust
Control Families
Access Control; Identification and Authentication
