Update: Liberty Identity Assurance Framework (IAF)
Liberty Alliance Schedules Four Public Interactive Webcasts to Review and Finalize Identity Assurance Framework Criteria
Consortium Releases Updated Version of the IAF as Organizations Worldwide Participate in Review and Development Process
Liberty Alliance. February 13, 2008.
Liberty Alliance, the global identity consortium working to build a more trusted internet for consumers, governments and businesses worldwide, today released the latest version of the Liberty Identity Assurance Framework (IAF). Liberty Alliance is also announcing four public webcasts, each designed to review and gather industry input into primary sections of the IAF as the Framework moves to final during 2Q of 2008. The latest version of the IAF is based on recent input from over 40 representatives from the global financial services, government, telecom, healthcare, system integrator, and technology sectors and is available for additional review and comment.
The IAF is a policy-based organizational framework being developed collaboratively within the Liberty Alliance Identity Assurance Expert Group and corresponding public special interest group to advance trusted identity federations based on standardized and certified identity assurance levels. Each with a different moderator, the public webcasts will begin on February 20, 2008 when "Common Organization Service Assessment Criteria" will be reviewed, followed by "Credential Management Service Assessment Criteria" on March 5, "Identity Proofing Service Assessment Criteria" on March 12 and "Certification/Accreditation Business Rules" on March 26, 2008. All of the webcasts begin at 8:00am US PT.
"With the launch of the interactive webcast series, the global identity community has a significant opportunity to help drive the next phase of IAF development," said Brett McDowell, executive director, Liberty Alliance. "Liberty Alliance encourages federation operators and all organizations planning to build or expand identity federations to attend the webcast events."
About the IAF and IAF Webcast Series
Based on the Electronic Authentication Partnership Trust Framework derived from the NIST Special Publication 800-63 and now enhanced and updated by the Liberty's IAEG, the IAF fills cross-industry requirements for baseline identity assurance policy standards for all public and private sector federations. The IAF defines four identity assurance levels based on a comprehensive set of process and policy criteria required to meet each level of assurance and goes on to define the standard assessment criteria, accreditation and certification rules for federating organizations to meet each of the four levels of assurance. Liberty Alliance expects to launch an identity assurance accreditation and certification program based on IAF criteria during mid-2008. Background and registration information for the four public IAF webcasts is available.
Liberty Alliance formed the Identity Assurance Expert Group (IAEG) to foster adoption of identity trust services. Utilizing initial contributions from the e-Authentication Partnership (EAP) and the US E-Authentication Federation, the IAEG's objective is to create a framework of baseline policies, business rules, and commercial terms against which identity trust services can be assessed and evaluated. The goal is to facilitate trusted identity federation to promote uniformity and interoperability amongst identity service providers. The primary deliverable of IAEG is the Liberty Identity Assurance Framework (LIAF).
The LIAF leverages the EAP Trust Framework [EAPTrustFramework] and the US E-Authentication Federation Credential Assessment Framework ([CAF]) as a baseline in forming the criteria for a harmonized, best-of-breed industry identity assurance standard. The LIAF is a framework supporting mutual acceptance, validation, and life cycle maintenance across identity federations. The main components of the LIAF are detailed discussions of Assurance Level criteria, Service and Credential Assessment Criteria, an Accreditation and Certification Model, and the associated business rules.
Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The LIAF defers to the guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 [NIST800-63] which outlines four (4) levels of assurance, ranging in confidence level from low to very high. Use of ALs is determined by the level of confidence or trust necessary to mitigate risk in the transaction.
The Service and Credential Assessment Criteria section in the LIAF will establish baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated. The LIAF will also establish Credential Assessment Profiles (CAPs) for each level of assurance that will be published and updated as needed to account for technological advances and preferred practice and policy updates.
The LIAF will employ a phased approach to establishing criteria for certification and accreditation, first focusing on the certification of credential service providers (CSPs) and the accreditation of those who will assess and evaluate them. The goal of this phased approach is to initially provide federations and Federation Operators with the means to certify their members for the benefit of inter-federation and streamlining the certification process for the industry. Follow-on phases will target the development of criteria for certification of federations, themselves, and a Best Practice guide for relying parties.
Finally, the LIAF will include a discussion of the business rules associated with IAEG participation, certification, and accreditation.
[Press release source]
Prepared by Robin Cover for The XML Cover Pages archive. See also "Liberty Alliance Specifications for Federated Network Identification and Authorization."