The IT Law Wiki
NIST Special Publication 800-63
== Overview ==

[[Digital identity]] is the [[online]] [[persona]] of a subject, and a single definition is widely debated internationally. The term [[persona]] is apropos as a subject can represent themselves [[online]] in many ways. An individual may have a [[digital identity]] for [[email]], and another for personal finances. A personal [[laptop]] can be someone's [[streaming music]] [[server]] yet also be a [[worker-bot]] in a [[distributed network]] of [[computer]]s performing complex genome calculations. Without context, it is difficult to land on a single definition that satisfies all. [[Digital identity]] as a legal identity further complicates the definition and ability to use [[digital identities]] across a range of social and economic use cases.

[[Digital identity]] is hard. Proving someone is who they say they are — especially remotely, via a [[digital service]] — is fraught with opportunities for an [[attacker]] to successfully [[impersonate]] someone. As correctly captured by Peter Steiner in ''The New Yorker,'' "On the internet, nobody knows you're a dog." These [[guidelines]] provide [[mitigation]]s to the [[vulnerabilities]] inherent [[online]], while recognizing and encouraging that when [[access]]ing some low-risk [[digital service]]s, "being a dog" is just fine; while other, high-risk services need a level of confidence that the [[digital identity]] [[access]]ing the service is the legitimate [[proxy]] to the real-life subject.

For these [[guidelines]], [[digital identity]] is the unique representation of a subject engaged in an [[online transaction]]. A [[digital identity]] is always unique in the context of a [[digital service]], but does not necessarily need to uniquely identify the subject in all contexts. In other words, [[access]]ing a [[digital service]] may not mean that the subject's [[real-life]] [[identity]] is known.

[[Identity proofing]] establishes that a subject is who they claim to be. [[Digital authentication]] establishes that a subject attempting to [[access]] a [[digital service]] is in control of one or more valid [[authenticator]]s associated with that subject's [[digital identity]]. For services in which return visits are applicable, successfully [[authenticating]] provides reasonable risk-based assurances that the subject [[access]]ing the service today is the same as that which [[access]]ed the service previously.

[[Digital identity]] presents a technical challenge because this process often involves proofing individuals over an [[open network]], and always involves the [[authentication]] of individual subjects over an [[open network]] to [[access]] [[digital]] government services. The [[process]]es and [[technologies]] to establish and use [[digital identities]] offer multiple opportunities for [[impersonation]] and other [[attack]]s.

These technical [[guidelines]] supersede NIST Special Publication 800-63-2. Agencies use these [[guideline]]s as part of the [[risk assessment]] and [[implementation]] of their [[digital service]](s). These [[guideline]]s provide [[mitigation]]s of an [[authentication]] error's negative impacts by separating the individual elements of [[identity assurance]] into discrete, component parts. This set includes:

* SP 800-63A Enrollment and Identity Proofing ([https://doi.org/10.6028/NIST.SP.800-63a full-text])
* SP 800-63B Authentication and Lifecycle Management ([https://doi.org/10.6028/NIST.SP.800-63b full-text])
* SP 800-63C Federation and Assertions ([https://doi.org/10.6028/NIST.SP.800-63c full-text]).

[[Category:Publication]]
[[Category:Security]]
[[Category:2017]]