Abstract
In cyberspace, standards for expressing the trustworthiness of identities have been developed by various parties. This trustworthiness is often referred to as entity authentication assurance, and its degree is expressed as an LoA (level of assurance, or assurance level). Two prominent LoA standards exist: NIST SP800-63-2 and ISO/IEC 29115:2013. LoAs are designed to express different levels of assurance: multiple viewpoints are set for assessment, and the assessment criteria for each viewpoint are packaged into one LoA. To deploy LoAs in enterprise business scenarios, the choice of assessment criteria in a given LoA must match the specific business requirements. We perform a field survey of business scenarios in which trust in identities is a major problem. In the survey, we focus on two key assessment factors: identity proofing and the authentication process. In addition, we observe the overall fit and gap in these business scenarios. Results indicate that raising the assurance of the authentication process is effective for raising the overall assurance level. Based on these investigations, we repackage lightweight identity proofing together with LoA 2 equivalent credential management and usage into a new assurance level, LoA 1+, for the “right” cost benefit balance.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Hokino, M., Fujiki, Y., Onda, S., Kaneko, T., Sakimura, N., Sato, H. (2015). A Practical Trust Framework: Assurance Levels Repackaged Through Analysis of Business Scenarios and Related Risks. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science(), vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_11
DOI: https://doi.org/10.1007/978-3-319-27152-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27151-4
Online ISBN: 978-3-319-27152-1