Work item: X.te
Subject/title: Trust elevation protocol
Status: [Carried to next study period]
Approval process: TAP
Type of work item: Recommendation
Version: New
Equivalent number: OASIS authentication step-up protocol and metadata framework (Common)
Timing: -
Liaison: OASIS Trust Elevation TC
Supporting members: Aetna, China Unicom, ETRI, KISA, NEC.
Summary:
Q10/17 developed Recommendation ITU-T X.1254 on the entity authentication assurance framework. The OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation, see https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el) TC has built on Recommendation ITU-T X.1254 to develop an authentication step-up protocol and metadata framework that lets a client and a server pursue an adaptive step-up authentication strategy better suited to today's mobile and distributed environments.
The context for the trust elevation techniques described in this Recommendation is a closed trust system. The participants, authentication methods, communication protocols and authorization methods must be agreed upon among the participants (possibly excluding Subjects). New participants and/or methods may be introduced to the trust system using appropriate onboarding processes.
The trust system must be closed because there are no generally agreed-upon criteria for evaluating how effectively an authentication method counters threats, mitigates impacts or reduces the frequency of adverse events, and because local extrinsic concerns also differ. For example, one trust system may consider a password-based authenticator sufficient for identification, whereas another may require additional fraud detection infrastructure to reach the same degree of sufficiency.
The term trust system could refer to federated systems, systems controlled by a single governing entity, or a single system. The critical factor is the shared set of business rules and technologies related to authentication and authorization for performing trusted transactions.
Several assumptions help set the context for this work:
The resource owner has a defined set of requirements for authentication and/or authorization control. The requirements may combine static rules with dynamic risk evaluations.
In the case of federated services, the federation agreement defines the available identification and authentication methods and their relationship to discrete 'levels' of assurance that map to risk mitigation or compensating controls.
Authentication methods are described in enough detail to allow the construction of sets of compatible methods that together cover identifiable risks or threats. For example, password authentication and hard-token authentication are known to cover independent authentication factors, so combining them adds assurance, whereas two methods covering the same factor do not.
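The three assumptions above (a resource owner's static and risk-driven requirements, a federation mapping from method sets to discrete assurance levels, and methods described by the independent factor they cover) can be turned into a small server-side step-up decision. The following is an added example written for this page; it is not the OASIS protocol, its metadata format or any ITU-T text. The method names, factor categories, level numbers and risk signals are constructed for illustration, and the two-round exchange (challenge, client elevates, server re-evaluates) is a simplified model of the step-up interaction the summary describes.

```python
"""Illustrative model of trust elevation (step-up) in a closed trust system.

Added example code, not the OASIS/ITU-T protocol. Every name and number in
the catalogue and policy below is constructed for this illustration.
"""

from dataclasses import dataclass

# Constructed catalogue of the trust system's agreed methods, each described
# by the independent authentication factor it covers (third assumption).
METHOD_FACTOR = {
    "password": "knowledge",
    "otp_app": "possession",
    "hard_token": "possession",
    "fingerprint": "inherence",
}

# Constructed federation mapping (second assumption): the discrete assurance
# level reached by covering a given number of *independent* factors.
LEVEL_BY_FACTOR_COUNT = {0: 0, 1: 1, 2: 2, 3: 3}
MAX_LEVEL = 3


def achieved_level(completed_methods):
    """Level reached by the methods a session has completed.

    Two methods covering the same factor (e.g. otp_app + hard_token, both
    possession) do not add assurance; a method outside the closed trust
    system is rejected rather than guessed at.
    """
    unknown = set(completed_methods) - METHOD_FACTOR.keys()
    if unknown:
        raise ValueError(f"method not in this trust system: {sorted(unknown)}")
    factors = {METHOD_FACTOR[m] for m in completed_methods}
    return LEVEL_BY_FACTOR_COUNT[len(factors)]


@dataclass
class ResourcePolicy:
    """Resource owner's requirements (first assumption)."""
    base_level: int            # static rule
    risk_uplift: dict          # dynamic risk signal -> extra levels demanded

    def required_level(self, risk_signals):
        uplift = sum(self.risk_uplift.get(s, 0) for s in risk_signals)
        return min(MAX_LEVEL, self.base_level + uplift)


def step_up_decision(policy, completed_methods, risk_signals):
    """Server side: grant, or challenge with the methods that would help.

    Only methods covering a factor the session has not yet used are offered,
    so the client cannot 'elevate' by repeating the same factor.
    """
    required = policy.required_level(risk_signals)
    current = achieved_level(completed_methods)
    if current >= required:
        return {"decision": "grant", "required": required, "achieved": current}
    used = {METHOD_FACTOR[m] for m in completed_methods}
    acceptable = sorted(m for m, f in METHOD_FACTOR.items() if f not in used)
    return {"decision": "step_up", "required": required, "achieved": current,
            "acceptable_methods": acceptable}


def run_exchange(policy, completed_methods, risk_signals, client_choice):
    """Two-round exchange: server challenges, client performs one offered
    method (client_choice picks from the offered list), server re-evaluates.
    A method the server did not offer is denied, not evaluated."""
    first = step_up_decision(policy, completed_methods, risk_signals)
    if first["decision"] == "grant":
        return first
    chosen = client_choice(first["acceptable_methods"])
    if chosen not in first["acceptable_methods"]:
        return {"decision": "deny", "reason": f"{chosen} was not offered"}
    return step_up_decision(policy, completed_methods + [chosen], risk_signals)


if __name__ == "__main__":
    # Constructed policy: level 1 normally, one level more per risk signal.
    payments = ResourcePolicy(base_level=1,
                              risk_uplift={"new_device": 1, "foreign_ip": 1})
    print(step_up_decision(payments, ["password"], []))
    print(step_up_decision(payments, ["password"], ["new_device"]))
    # Same factor twice: still level 1, so a challenge is issued.
    print(step_up_decision(payments, ["otp_app", "hard_token"], ["new_device"]))
    print(run_exchange(payments, ["password"], ["new_device"],
                       lambda offered: "otp_app"))
```

The point the model makes is the one the third assumption states: elevation is measured in independent factors, not in the number of prompts the user has answered, and the server, not the client, decides which methods count in this trust system.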
Comment: This new work item adopts the OASIS trust elevation protocol in Q10/17.
Reference(s):
Historic references:
Contact(s):
ITU-T A.5 justification(s):
First registration in the WP: 2016-03-29 15:37:38
Last update: 2016-09-16 12:08:18