Glossary
The glossary is where we define terms that are important to MyUSA, in the context of MyUSA.
See also the idmanagement.gov glossary.
Connect.Gov: The government program from USPS, GSA, and NIST to provide an identity broker. The broker provides a standardized way for RPs to get credentials from CSPs. The RP does not know which CSP was chosen by the user to verify their identity, and the CSP does not know which RP is requesting the credential. In this sense, the broker is "double blind".
The Connect.Gov broker is mostly invisible to the user. It provides access to LOA1 through LOA4 credentials, including using PIV (HSPD-12) cards.
MyUSA plans to use the Connect.Gov broker to give users the choice of LOA1 providers (like Google or Yahoo). If agencies need higher levels of assurance (LOA2-4), MyUSA can be a standardized pathway and user experience to acquire those credentials via Connect.Gov.
See the Connect.Gov website.
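The "double blind" property described above, as an added illustration that is not Connect.Gov's code: a toy broker that hands the CSP only an opaque transaction id (no RP), and hands the RP a pairwise pseudonymous subject (no CSP name, not reversible to the CSP's subject). The class, method names and HMAC-based pseudonym are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class Broker:
    """Constructed example of a double-blind identity broker (not Connect.Gov's code)."""

    def __init__(self, secret=None):
        # Secret used to derive pairwise pseudonymous ids; random unless supplied.
        self._secret = secret or secrets.token_bytes(32)
        self._pending = {}  # txn id -> (rp_id, requested LOA)

    def start(self, rp_id, requested_loa):
        """RP asks the broker for a credential; it gets back only an opaque txn id."""
        txn = secrets.token_hex(16)
        self._pending[txn] = (rp_id, requested_loa)
        return txn

    def csp_request(self, txn):
        """What the CSP sees: the txn id and the LOA wanted, never the RP's identity."""
        _, loa = self._pending[txn]
        return {"txn": txn, "loa": loa}

    def finish(self, txn, csp_name, csp_subject, asserted_loa):
        """CSP returns its assertion; the broker rewrites it before the RP sees it."""
        rp_id, requested = self._pending.pop(txn)
        if asserted_loa < requested:
            raise ValueError("CSP asserted a lower LOA than the RP required")
        # Pairwise pseudonym: stable for the same user at the same RP, different at
        # another RP, and not reversible to the CSP's own subject identifier.
        msg = f"{csp_name}|{csp_subject}|{rp_id}".encode()
        ppid = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return {"rp": rp_id, "subject": ppid, "loa": asserted_loa}  # no CSP name


def run_flow(broker, rp_id, csp_name, csp_subject, requested_loa, asserted_loa):
    """One complete exchange; returns (what the CSP saw, what the RP received)."""
    txn = broker.start(rp_id, requested_loa)
    csp_view = broker.csp_request(txn)
    rp_view = broker.finish(txn, csp_name, csp_subject, asserted_loa)
    return csp_view, rp_view
```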
Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual. See FICAM Trust Framework.
Credential Service Provider (CSP): A CSP issues credentials for a person's verified identity. CSPs often provide the following services:
- Token Management Service
- Authentication Service
- Identity Proofing Service
- Attribute Validation Service
E-Authentication: Otherwise known as OMB memo M04-04. This document guides agencies on authentication policies for online government services. For the services to be secure and protect privacy, some type of identity verification or authentication is needed. This document most comprehensively describes the Levels of Assurance (LOA). See LOA.
The former name for Connect.Gov. See Connect.Gov.
FICAM: Federal Identity, Credential, and Access Management. These are the federally approved standards for identity management, authentication, and issuing credentials. See E-Authentication.
ICAM: Identity, Credential, and Access Management. Despite the intention to use this as an industry term, the only people who use "ICAM" are the federal government. An ICAM system is the IT that implements the ICAM standards, defined by FICAM in the context of the federal government's use. Generally this refers to the login system, or whatever system is used to authenticate users.
Identity: A set of attributes that uniquely describe an individual within a given context. Some information about how to uniquely identify a person by their attributes.
Identity Manager: An organization that provides identity proofing capabilities and acts as an attribute provider for the attributes that are verified.
Identity Provider (IdP): An identity provider is a third-party entity that verifies the identity of an individual online and issues a credential that binds their virtual presence to their physical identity. IdP is an overloaded term that is not often used anymore; instead, FICAM is using Identity Manager, Token Manager, and Credential Service Providers.
IdPs are often referred to as CSPs -- see Credential Service Providers -- because they usually provide the same functionality. IdPs are certified according to the FICAM Trust Framework, with a good overview here.
Level of Assurance (LOA): Defines the levels of trustworthiness for people using government services. It ranges from no confidence in the asserted identity's validity (LOA1) to very high confidence in the asserted identity's validity (LOA4).
When figuring out the level of assurance, the identity provider (IdP) or certifying agency must evaluate all of the following criteria for its impact on the person being verified:
- inconvenience, distress, or damage to standing or reputation,
- financial loss,
- harm to agency programs or public interests,
- unauthorized release of sensitive information,
- personal safety, and
- civil or criminal violations.
For the evaluation, the question is: if someone had a credential, how much damage could they do? If it is significant damage, then the person must have a high-confidence credential (e.g., LOA3) so that the chance that someone is certified incorrectly at that level is low.
MyUSA login is LOA1, since no identity proofing is performed. Matched up with Connect.Gov, higher levels of assurance including LOA2 and LOA3 can be achieved through identity verification. Be sure to see OMB memo M04-04 for more information.
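The evaluation described above, as an added worked example that is not part of the original page: each impact category is rated, and the required LOA is the lowest level whose maximum-impact profile covers every rating. The profile table is taken from OMB M-04-04 (Table 1 there) as an assumption for the example; the "Mod/High" personal-safety entry at LOA4 is treated as High. The function and category names are this example's own.

```python
# Impact ratings ordered from none to high.
IMPACT_RANK = {"NA": 0, "Low": 1, "Mod": 2, "High": 3}

# Assumed maximum potential impact allowed at LOA1..LOA4 for each category
# (OMB M-04-04, Table 1, as assumed here; "NA" means no impact is tolerable).
MAX_IMPACT = {
    "inconvenience_or_reputation": ["Low", "Mod", "Mod", "High"],
    "financial_loss": ["Low", "Mod", "Mod", "High"],
    "harm_to_programs_or_public": ["NA", "Low", "Mod", "High"],
    "unauthorized_release": ["NA", "Low", "Mod", "High"],
    "personal_safety": ["NA", "NA", "Low", "High"],
    "civil_or_criminal": ["NA", "Low", "Mod", "High"],
}


def required_loa(assessment):
    """Lowest LOA whose profile tolerates every rated impact; raises if none does.

    assessment: dict mapping each category in MAX_IMPACT to "NA"/"Low"/"Mod"/"High".
    Unlisted categories default to "NA".
    """
    unknown = set(assessment) - set(MAX_IMPACT)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for loa in range(1, 5):
        fits = all(
            IMPACT_RANK[assessment.get(cat, "NA")] <= IMPACT_RANK[allowed[loa - 1]]
            for cat, allowed in MAX_IMPACT.items()
        )
        if fits:
            return loa
    raise ValueError("impact exceeds what any assurance level permits")


# Constructed sample assessments: a self-asserted login with only minor
# inconvenience at stake, versus a service where a bad credential could cause
# moderate financial loss and disclose sensitive information.
LOGIN_ONLY = {"inconvenience_or_reputation": "Low"}
BENEFITS_APP = {"financial_loss": "Mod", "unauthorized_release": "Low"}
```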
NIST: National Institute of Standards and Technology. NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards. NIST generally reviews policies or guidance from OMB and Congress, then conducts research, funds prototypes, and ultimately develops standards used by both government and industry. In some respects, they're like a U.S. government version of ISO. NIST is part of the U.S. Department of Commerce.
Relying Party (RP): A relying party is the organization or application that is seeking a credential for a person. These organizations rely on the IdPs to identity-proof the individual, provide attributes, and certify the level of assurance. They are essentially the customer of Connect.Gov and IdPs. MyUSA is a Relying Party to Connect.Gov, and any agency or MyUSA client that requires a credential is also considered a Relying Party.
Token: Something that an individual possesses and controls that is used to authenticate the individual. Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are).
Token Manager: Akin to a login manager, this is an organization or service that provides a unique token for each user. This does not include any identity verification or proofing; combined with verified attributes, a token can become a credential.
MyUSA acts as a Token Manager because it provides a unique id for every user but does not validate attributes or assert an identity for that user.
- OpenID/OpenID Connect (I can take this one - Yoz)
- personal data store
- attribute (in context of identity provision, specifically)
- profile (in context of identity provision, specifically)