In the many conversations that took place in the sidebars, asides and hallways of the NSTIC Governance workshop this past Thursday and Friday, I found one, which I am calling the "Canvas Theory of Levels of Assurance (LOA)", to be particularly interesting. It goes something like this:
The current definition of Identity LOA, as defined by OMB and NIST [1], are too rigid/inflexible/yesterday/not today/[insert your preferred word here]. A model that is more [insert your opposing word choice here] is to treat a credential as a blank canvas. Over time, as the credential is used in transactions, the image of the credential holder becomes more and more clear on the canvas. And based on this visibility, the LOA of the credential can increase as more becomes known about the credential holder and their behavior. Alternatively it can also move down if the behavior or details about them are not in synch. As such LOA is something that should be dynamic, flexible and capable of real-time changes.
As a first step, it is important to be very clear about what LOA means. Paraphrasing OMB M-04-04 [2], [an] assurance level describes the [Relying Party's] degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as (1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and (2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. What is important to note here is that the Relying Party's degree of certainty is dependent on both the process used to establish the identity of the person before the credential is issued to them, and the confidence that the credential is indeed being used by the person to whom it has been issued.
Secondly, if the end result is the subject being granted (or denied) access to information stored at a web site or the ability to invoke a service to perform some actions on their behalf, the implementation of the vision above results in the following:
- The "canvas attributes" (for lack of a better word) are not used as part of the access control decision but is instead used to "tune" the LOA level up or down
- The access control decision is then made primarily based on the new "tuned" LOA level
- The "tuned" LOA level has no connection to the vetting process and is simply dependent of the consistency and "knowledge-over-time" behavior of the credential
- Potentially frustrating experience for the subject because the relying party, since it has little or no confidence in the asserted identity's validity, may not be able to give the subject access to the information up front
- Even more critically important, the risk of identification of the subject now resides solely with the relying party
Whenever something like this is proposed, it is always worthwhile to look at who benefits from such a model. This is a model in which the IdP has no responsibility to put in place a vetting process to establish the identity of the subject, and has no liability when it comes to the potential mis-identification of the subject. Needless to say, the entities that I see this model appealing to are large consumer IdPs who do not want to disturb their existing identity proofing processes (or lack thereof) that they have with their customers.
This approach ultimately does not move the ball forward towards an identity eco-system that allows one to conduct high value and/or privacy sensitive medical, financial and government transactions.
What I would instead propose is the "Canvas Theory of Access Control":
Given that we are moving to an era where dynamic, contextual, policy driven mechanisms are needed to make real time access control decisions at the moment of need, the policy driven nature of the decisions require that the decision making capability be externalized from systems/applications/services. In this environment, we need to treat the level of access control as a blank canvas. Over time, as a credential is used in transactions, the image of the credential holder becomes more and more clear on the canvas. And based on this visibility, combined with many other factors, the level of access can increase.
LOA should just be one of the factors that go into the decision making process and is not a "tunable" component. What becomes a "tunable" component is the level of access that is granted to the subject based on information about the subject (e.g. LOA), information about the resource, environmental/contextual information, and more, that are often expressed as attributes/claims. The contextual information here could indeed be the "canvas attributes" that evolve over time and are fed into access control decision making process. This potentially allows a subject with a LOA 1 credential, combined with compensating controls such as an externalized authorization system and a risk analytics engine that takes subject/resource/ environmental/contextual/ canvas attributes as decision input, to render a decision that could allow the subject access to more and more content on a LOA 3 web site over time. But if the subject had a LOA 2 credential to start out with, they may get immediate access to all content on the web site given that a combination of LOA 2 credential plus other factors raises the confidence level in the subject.
This approach leverages the common and accepted understanding of what LOA is, enables usage of existing infrastructure technologies, and properly apportions risk across identity providers and relying parties.
[1] See FICAM Trust Framework Provider Adoption Process (TFPAP). Appendix A for a readable table of the requirements to issue a LOA 1-4 credential
[2] http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf