NIST Issues Credential Revocation Guide

Credential Reliability, Revocation Model for Federated Identities
NIST Issues Credential Revocation Guide

Organizations can't easily revoke authentication credentials when they employ more than one identify provider. With multiple identity providers and unique requirements for organizations to federate them, no one approach exists to manage them.

See Also: Ransomware: The Look at Future Trends

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps. With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 28 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from the North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global Summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.




Around the Network