August 19, 2020
By Janemarie Duh (Lafayette College), Chair, InCommon Technical Advisory Committee
InCommon has provided comments to the National Institute of Standards and Technology (NIST) on its proposed revisions to SP 800-63C Digital Identity Guidelines: Federation and Assertions. Comments were due on August 10, 2020.
The InCommon response includes comments about the context of the NIST document overall, as well as specific recommendations. The NIST document “seems to assume,” the InCommon response states, “a bilateral, consumer-to-business (C2B) relationship where an IdP [identity provider] and RP [relying party] negotiate registration and connection with one another directly…”
The comment goes on to describe the structure of a multilateral federation where hundreds or thousands of individuals are represented by an IdP in a business-to-business relationship. “We believe that the NIST digital identity standards can potentially help R&E [research and education] federations further improve trust and interoperability among participants. Given the close collaborative relationship between government and the R&E community, we certainly believe that it is imperative that any federal digital identity standards be implementable in the R&E sector.”
The InCommon response also urged NIST to consider federated security incident response procedures, as addressed by the SIRTFI Trust Framework, which was developed by REFEDS, the global organization of research and education federations.
The response also addresses assertions, proxies, and other terms and definitions in 800-63C that do not take multilateral federations into account.
Thank you to the other community members who spent considerable time preparing this response:
- Tom Barton, University of Chicago and Internet2
- Matthew Economou, Research Data and Communication Technologies
- Heather Flanagan, Spherical Cow Group
- Keith Wessel, University of Illinois at Urbana-Champaign
- Albert Wu, InCommon/Internet2