The IMSAC guidance documents below reflect the current draft versions, which are still under review unless noted otherwise. The guidance documents have been developed by IMSAC, on behalf of the Secretary of Technology, to establish minimum specifications for Digital Identity Systems so as to warrant liability protection pursuant to the Electronic Identity Management Act ("the Act"), Chapter 50 of Title 59.1. The IMSAC guidance documents have not been adopted as Commonwealth of Virginia Information Technology Resource Management (ITRM) Policies, Standards, and Guidelines, pursuant to § 2.2-2007, and therefore are not applicable to executive branch agencies of the Commonwealth of Virginia.
IMSAC Guidance Document: 1. Digital Authentication - effective date 12/1/2017
IMSAC Guidance Document: 1.A Identity Proofing and Verification - effective date 12/1/2017
IMSAC Guidance Document: 1.B Authenticators and Lifecycle Management - effective date 12/1/2017
IMSAC Guidance Document: 1.C Digital Identity Assertions - effective date 12/1/2017
IMSAC Guidance Document: 2. Identity Trust Frameworks - effective date 12/1/2017
IMSAC Guidance Document: 3. Privacy, Security and Confidentiality - IMSAC action 10/24/2017
IMSAC Guidance Document: 4. Identity Management of Non-Person Entities - IMSAC action 10/24/2017
IMSAC Guidance Document: 5. Certification of Identity Trust Framework Operators - IMSAC dedicated meeting 10/24/2017
IMSAC Guidance Document: 6. Trustmarks for Digital Identity Management - IMSAC dedicated meeting 10/24/2017
National Institute of Standards and Technology
Special Publication 800-63-3 (NIST SP 800-63-3)
Address of Record
The validated and verified location (physical or digital) where an individual can receive communications using approved mechanisms.
A subject undergoing the processes of registration and identity proofing.
A statement from a verifier to an RP that contains identity information about a subscriber. Assertions may also contain verified attributes.
The degree of confidence in the vetting process used to establish the identity of a claimant to whom a credential was, or credentials were, issued, and the degree of confidence that the claimant who uses the credential is the same as the subscriber to whom the credential was issued.
Two related keys, consisting of a public key and a private key, that are used to perform complementary operations such as encryption and decryption or signature verification and generation.
An attempt by an unauthorized entity to fool a verifier or an RP into believing that the unauthorized individual in question is the subscriber.
A party who acts with malicious intent to compromise a system.
A quality or characteristic ascribed to someone or something.
Process of determining the validity of one or more credentials used to claim a digital identity.
A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of one or more valid authenticators to establish their identity, and, optionally, demonstrates that the claimant is communicating with the intended verifier.
Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token.
Authenticator Assurance Level (AAL)
A category describing the authentication process proving that the claimant is in control of a given subscriber’s authenticator(s).
The secret value contained within an authenticator.
The property that data originated from their purported source.
Automated recognition of individuals based on their behavioral and biological characteristics. In this document, biometrics may be used to unlock authenticators and prevent repudiation of registration.
A subject whose identity is to be verified using one or more authentication protocols.
A declaration of unvalidated and unverified personal attributes by the applicant.
An object or data structure that authoritatively binds an identity, via an identifier or identifiers, and, optionally, additional attributes, to at least one authenticator possessed and controlled by a subscriber. While common usage often assumes that the credential is maintained by the subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the subscriber’s authenticator(s) and identity.
Credential Service Provider (CSP)
A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities (RAs) and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
A value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification. For the purposes of this document, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1. See also Asymmetric Keys, Symmetric Key.
An authenticator where the secret is a cryptographic key.
The process of establishing confidence in user identities presented digitally to a system. In previous editions of SP 800-63, this was referred to as Electronic Authentication.
An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation but not confidentiality protection.
Electronic Authentication (E-Authentication)
See Digital Authentication.
Federal Information Security Management Act (FISMA)
Title III of the E-Government Act requiring each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Federal Information Processing Standard (FIPS)
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions. FIPS documents are available online through the FIPS home page: http://www.nist.gov/itl/fips.
A process that allows for the conveyance of identity and authentication information across a set of networked systems.
Federation Assurance Level
A category describing the assertion protocol utilized by the federation to communicate authentication and attribute information (if applicable) to an RP.
An attribute or set of attributes that uniquely describe a subject within a given context.
Identity Assurance Level (IAL)
A category that conveys the degree of confidence that the applicant’s claimed identity is their real identity.
The process by which a CSP and an RA collect and verify information about a person for the purpose of issuing credentials to that person.
Identity Provider (IdP)
The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.
A type of authenticator consisting of a character string that is intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
A characteristic of an authentication system or an authenticator that requires more than one authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
An open communications medium, typically the Internet, that is used to transport messages between the claimant and other parties. Unless otherwise stated, no assumptions are made about the security of the network; it is assumed to be open and subject to active (e.g., impersonation, man-in-the-middle, session hijacking) and passive (e.g., eavesdropping) attack at any point between the parties (e.g., claimant, verifier, CSP, RP).
See memorized secret.
Personal Identification Number (PIN)
A memorized secret typically consisting only of decimal digits.
Personally Identifiable Information (PII)
As defined by OMB Circular [A-130], Personally Identifiable Information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
The secret part of an asymmetric key pair that is used to digitally sign or decrypt data.
A meaningless but unique number that does not allow the RP to infer anything regarding the subscriber but which does permit the RP to associate multiple interactions with the subscriber’s claimed identity.
The public part of an asymmetric key pair that is used to verify signatures or encrypt data.
Public Key Certificate
A digital document issued and digitally signed by the private key of a certificate authority that binds an identifier to a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the private key. See also [RFC 5280].
Public Key Infrastructure (PKI)
A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
The process through which an applicant applies to become a subscriber of a CSP and has their identity validated by the CSP.
Relying Party (RP)
An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system.
(In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization’s security controls. Note: Any information exchange across the Internet is considered remote.
The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, resulting from the operation of a system. As part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
A secret used in authentication that is known to the subscriber and the verifier.
Special Publication (SP)
A type of publication issued by NIST. Specifically, the SP 800-series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
A party who has received a credential or authenticator from a CSP.
A person, organization, device, hardware, network, software, or service.
A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.
In reference to identity evidence, the quality of not being expired or revoked.
An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.
Commonwealth of Virginia
Electronic Identity Management Act
Chapter 50 of Title 59.1, Code of Virginia
The following terms shall have the meanings assigned in § 59.1-550, unless the context requires a different meaning:
An entity, or a supplier, employee, or agent thereof, that acts as the authoritative record of identifying information about an identity credential holder.
Commonwealth Identity Management Standards
The minimum specifications and standards that must be included in an identity trust framework so as to define liability pursuant to this chapter that are set forth in guidance documents approved by the Secretary of Technology pursuant to Chapter 4.3 (§ 2.2-436 et seq.) of Title 2.2.
Identifying information associated with an identity credential holder.
The data, or the physical object upon which the data may reside, that an identity credential holder may present to verify or authenticate his identity in a digital or online transaction.
Identity Credential Holder
A person bound to or in possession of an identity credential who has agreed to the terms and conditions of the identity provider.
A person or entity authorized to act as a representative of an identity provider in the confirmation of a potential identity credential holder's identification and identity attributes prior to issuing an identity credential to a person.
An entity, or a supplier, employee, or agent thereof, certified by an identity trust framework operator to provide identity credentials that may be used by an identity credential holder to assert his identity, or any related attributes, in a digital or online transaction. For purposes of this chapter, "identity provider" includes an attribute provider, an identity proofer, and any suppliers, employees, or agents thereof.
Identity Trust Framework
A digital identity system with established identity, security, privacy, technology, and enforcement rules and policies adhered to by certified identity providers that are members of the identity trust framework. Members of an identity trust framework include identity trust framework operators and identity providers. Relying parties may be, but are not required to be, a member of an identity trust framework in order to accept an identity credential issued by a certified identity provider to verify an identity credential holder's identity.
Identity Trust Framework Operator
The entity that (i) defines rules and policies for member parties to an identity trust framework, (ii) certifies identity providers to be members of and issue identity credentials pursuant to the identity trust framework, and (iii) evaluates participation in the identity trust framework to ensure compliance by members of the identity trust framework with its rules and policies, including the ability to request audits of participants for verification of compliance.
An individual or entity that relies on the validity of an identity credential or an associated trustmark.
A machine-readable official seal, authentication feature, certification, license, or logo that may be provided by an identity trust framework operator to certified identity providers within its identity trust framework to signify that the identity provider complies with the written rules and policies of the identity trust framework.
International Telecommunication Union
Recommendation X.1255: Framework for Discovery of Identity Management Information (Non-Person Entities)
A relationship, if any, between two identified entities.
An entity represented as, or converted to, a machine-independent data structure consisting of one or more elements in digital form that can be parsed by different information systems; the structure helps to enable interoperability among diverse information systems in the Internet.
The act or process of seeking or locating target information, i.e., obtaining knowledge pertaining to the target.
Part of a digital entity consisting of a type-value pair, where the type is represented by a resolvable persistent identifier and the value is the relevant digital information for that type.
A collection of interoperable registries that register metadata and participate in a common set of methods to share information reliably and in a commonly understood format.
A sequence of bits used to obtain state information about the digital entity being identified; typically, this is done via an appropriate resolution system.
A means by which identity management information, whether for a user, a system resource, information or other entities, can be validated.
Identity Management Information
Identity-related information including all types of metadata associated with identity, provenance, association and trust.
Structured information that pertains to the identity of users, systems, services, processes, resources, information or other entities.
A unique identifier that resolves to state information about a digital entity and that is resolvable for at least as long as the digital entity exists.
Information pertaining to any source of information including the party or parties involved in generating it, introducing it and/or vouching for it.
A mechanism for registering metadata about digital entities and storing metadata schemas, and which provides an ability to search the registry for persistent identifiers based on the use of the metadata schemas.
An interface that accepts deposits of digital entities, enables their retention, and provides secure access to the digital entities via their identifiers.
A system that accepts identifiers known to the system as input, and provides relevant state information about the entity being identified.
A registry within a system of federated registries that is selected to interface with a designated registry in another federation, typically for the purposes of peering.