Levels of Assurance An Overview Peter Alterman Ph

Levels of Assurance: An Overview Peter Alterman, Ph. D. Chair, Federal PKI Policy Authority

Agenda • • Definitions Federal PKI LOA and Federal PKI Policies Mapping LOA in a Bridged Environment EAuthentication LOA and a word about technologies • Relationship Between FPKI LOA and EAuthentication LOA • A footnote on the E-Authentication Partnership LOA 2

Definition • Levels of Assurance of identity (LOA): the extent to which an electronic identity credential may be trusted to actually represent that the individual named in the credential is the same person engaging in the electronic transaction with the application, service or relying party. • Based upon two categories: trustworthiness of identity proofing process and trustworthiness of credential management function (includes technology and implementation/management). 3

Federal PKI • Federal Bridge CA • Common Policy Framework CA • Citizen and Commerce Class Certificate (C 4) CA • EAuthentication 1 & 2 CA 4

Federal PKI LOA: FBCA • Five LOA 1. 2. 3. 4. 5. Rudimentary Basic Medium Hardware High • Seven Policies 1. 2. 3. 4. 5. 6. Rudimentary Basic Medium-cbp Medium Hardwarecbp 7. High 5

Federal PKI LOA: Common Policy Framework • Three LOA 1. Medium 2. Medium Hardware (implied) 3. High (pending) • • • For Federal Agency Use Only After 10/2006, Medium goes away, leaving two LOA in the Common Policy Framework CP Cross-certified with FBCA at Medium, Medium Hardware (in process) and High (pending) 6

FPKI LOA: C 4 Citizen and Commerce Class Certificate • Does not map to any other LOA scheme in Federal PKI • Maps to EAuthentication Level 2 or 1, depending on identity proofing process • Temporary – 6 months or Permanent 7

FPKI LOA: EAuthentication 1 and 2 • Issues TLS certificates to Credential Service Provider servers issuing EAuthentication Levels 1 and 2 electronic identity credentials • Purpose is for mutual authentication of TLS session between agency application or EAuthentication service and Credential Service Provider to validate credentials presented during egov transactions • No mapping to FBCA 8

FPKI LOA: Policy Issues • Non-government PKIs may operate at High Assurance but FPKI will not cross-certify any non-government PKI higher than Medium Hardware/Medium Hardware-cbp – Requirement imposed to satisfy international trade policy exclusions • FPKI considers Medium and Medium-cbp equivalent • FPKI considers Medium Hardware and Medium Hardware-cbp equivalent 9

EAuthentication LOA • From OMB M-04 -04 • Four Levels – Levels 1 and 2 are assertion-based, e. g. , userid/password, etc. but may include cryptobased credentials depending on identity proofing and security implementations – Levels 3 and 4 are crypto-based, e. g. , PKI, distinguished by identity proofing and security implementations. 10

LOA Mapping: E-Auth to Fed PKI E-Auth Level 1 FPKI Rudimentary; C 4 E-Auth Level 2 FPKI Basic E-Auth Level 3 FPKI Medium & Medium-cbp E-Auth Level 4 FPKI Medium/HW & Medium/HW-cbp FPKI High (government only) 11

E-Authentication Partnership LOA • Proposed for commercial implementations operating under proposed EAP rules (pending) • Mirror US Federal EAuthentication LOA – Level 1 / Minimal Assurance – Level 2 / Moderate Assurance – Level 3 / Substantial Assurance – Level 4 / High Assurance 12

Questions? Discussion? • altermap@mail. nih. gov • www. cio. gov/fpkipa • www. cio. gov/eauthentication 13