NSTIC IDESG Baseline Requirements for Security, Privacy, UX and Interop

APPROVED FMO-IDESG-Baseline-Reqts-ForBallot-v0.92-20150926 i
IDENTITY ECOSYSTEM STEERING GROUP1
IDEF Baseline Functional Requirements v1.0 withSupplemental Guidance2
26 September FMO version v0.92 for Plenary ballot (ported to editable formats 2 October)3
File name: FMO-IDESG-Baseline-Reqts-ForBallot-v0.92-201509264
NOTES: (A) The Requirements language is presented in bold face text in this document and is the5
normative form of the requirements as approved by the IDESG Plenary. IDESG may update it with6
newer versions from time to time, based on member, expert and stakeholder feedback, and welcomes7
your comments. (B) The IDESG also has approved a set of Best Practice statements, at the end of this8
set, which indicate additional advisable steps, and note matters that may become the subject of future9
Requirements. (C) These Requirements primarily are directed at identity service providers; the10
classes of service provider activity listed for each Requirement (see: "APPLIES TO ACTIVITIES") are11
based on the IDESG Functional Model v1.012
(https://www.idecosystem.org/filedepot_download/943/1423) are its specification of a provider's13
functional Core Operations Activities on pages 6-9, particularly Table 1. (D) The Supplemental14
Guidance materials and related references are provided by IDESG's committees and experts as15
additional assistive but nonnormative information. Short titles and keywords for each item also are16
included here, for ease of use, but also are not considered part of the normative text. (E) APPENDIX A17
presents a set of commonly-recurring words and concepts, along with some limited additional non-18
normative information and references to other external guidance. Appendix A likely will be replaced in19
the future by a normative IDESG Glossary. In this document, certain words are CAPITALIZED in the text20
below for ease of review and identifying recurring concepts; however, that capitalization is not part of21
the normative text; the words may be styled differently (for example, by hyperlinks) in other22
presentations of this material; and in later versions, may be changed or superseded by the eventual23
normative Glossary.24
25
26

i
Table of Contents27
SCOPE.......................................................................................................................iv28
BASELINEREQUIREMENTS..........................................................................................529
INTEROP-1. THIRD PARTYAUTHENTICATION .................................................................................................................................... 530
INTEROP-2. THIRD-PARTY CREDENTIALS.......................................................................................................................................... 631
INTEROP-3. STANDARDIZED CREDENTIALS ...................................................................................................................................... 732
INTEROP-4. STANDARDIZED DATAEXCHANGES .............................................................................................................................. 833
INTEROP-5. DOCUMENTED PROCESSES........................................................................................................................................... 934
Note: Committee has recommended that INTEROP-6 become the Best Practice tentatively designated INTEROP-BP-F.................... 1035
Note: Committee has recommended that INTEROP-7 become the Best Practice tentatively designated INTEROP-BP-G....................1136
INTEROP-6. THIRD-PARTY COMPLIANCE ......................................................................................................................................... 1237
INTEROP-7. USER REDRESS.............................................................................................................................................................. 1338
INTEROP-8. ACCOUNTABILITY ........................................................................................................................................................... 1439
PRIVACY-1. DATAMINIMIZATION ........................................................................................................................................................ 1540
PRIVACY-2. PURPOSE LIMITATION..................................................................................................................................................... 1641
PRIVACY-3. ATTRIBUTE MINIMIZATION.............................................................................................................................................. 1742
PRIVACY-4. CREDENTIAL LIMITATION ............................................................................................................................................... 1843
PRIVACY-5. DATAAGGREGATION RISK ............................................................................................................................................. 1944
PRIVACY-6. USAGE NOTICE................................................................................................................................................................ 2045
PRIVACY-7. USER DATACONTROL .................................................................................................................................................... 2146
PRIVACY-9. USER NOTICE OF CHANGES ......................................................................................................................................... 2347
PRIVACY-10. USER OPTION TO DECLINE ......................................................................................................................................... 2448
PRIVACY-11. OPTIONAL INFORMATION ............................................................................................................................................. 2549
PRIVACY-12. ANONYMITY.................................................................................................................................................................... 2650
PRIVACY-13. CONTROLS PROPORTIONATE TO RISK ..................................................................................................................... 2751
PRIVACY-14. DATARETENTION AND DISPOSAL .............................................................................................................................. 2852
PRIVACY-15. ATTRIBUTE SEGREGATION .......................................................................................................................................... 2953
SECURE-1. SECURITY PRACTICES ................................................................................................................................................... 3054
SECURE-2. DATA INTEGRITY .............................................................................................................................................................. 3155
SECURE-3. CREDENTIAL REPRODUCTION ...................................................................................................................................... 3256
SECURE-4. CREDENTIAL PROTECTION............................................................................................................................................ 3357
SECURE-5. CREDENTIAL ISSUANCE ................................................................................................................................................. 3458
SECURE-6. CREDENTIAL UNIQUENESS ........................................................................................................................................... 3559
SECURE-7. TOKEN CONTROL ............................................................................................................................................................ 3660
SECURE-8. MULTIFACTOR AUTHENTICATION.................................................................................................................................. 3761
SECURE-9. AUTHENTICATION RISKASSESSMENT ......................................................................................................................... 3862
SECURE-10. UPTIME............................................................................................................................................................................ 3963
SECURE-11. KEY MANAGEMENT ....................................................................................................................................................... 4064
SECURE-12. RECOVERYAND REISSUANCE .................................................................................................................................... 4165
SECURE-13. REVOCATION.................................................................................................................................................................. 4266
SECURE-14. SECURITY LOGS ............................................................................................................................................................ 4367
SECURE-15. SECURITYAUDITS ......................................................................................................................................................... 4468
USABLE-1. USABILITY PRACTICES .................................................................................................................................................... 4569
USABLE-2. USABILITY ASSESSMENT ................................................................................................................................................ 4670
USABLE-3. PLAIN LANGUAGE ............................................................................................................................................................ 4771
USABLE-4. NAVIGATION ...................................................................................................................................................................... 4872
USABLE-5. ACCESSIBILITY ................................................................................................................................................................. 4973
USABLE-6. USABILITY FEEDBACK ..................................................................................................................................................... 5074
USABLE-7. USER REQUIREMENTS.................................................................................................................................................... 5175
76

APPROVED FMO-IDESG-Baseline-Reqts-ForBallot-v0.92-20150926 3
BEST PRACTICES AND POTENTIAL FUTURE REQUIREMENTS ......................................5277
INTEROP-BP-A. RECOMMENDED PORTABILITY .............................................................................................................................. 5278
INTEROP-BP-B. RECOMMENDED EXCHANGE STANDARDS .......................................................................................................... 5379
INTEROP-BP-C. RECOMMENDED TAXONOMY STANDARDS.......................................................................................................... 5480
INTEROP-BP-E. RECOMMENDED MODULARITY.............................................................................................................................. 5681
INTEROP-BP-F. RECOMMENDED FEDERATION COMPLIANCE ...................................................................................................... 5782
INTEROP-BP-G. RECOMMENDED LEGAL COMPLIANCE ................................................................................................................ 5883
PRIVACY-BP-A. RECOMMENDED QUALITY CONTROLS................................................................................................................... 5984
PRIVACY-BP-B. RECOMMENDED TECHNOLOGY ENFORCEMENT ................................................................................................ 6085
PRIVACY-BP-C. RECOMMENDED CONSEQUENCES OF DECLINING ............................................................................................ 6186
USABLE-BP-A. RECOMMENDED ATTRIBUTE REQUIREMENTS QUERY ....................................................................................... 6287
APPENDIX A: Defined Terms ....................................................................................6388
INDEX OF KEYWORDS by page number.....................................................................6589
90
91

v
SCOPE92
93
The National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions widespread, trusted94
identity exchanges using federated methods that are secure, interoperable, privacy-enhancing and95
easy to use. Realization of that vision will require companies, agencies and individuals to perform at a96
new level. The Requirements are our first step towards that goal, by describing a set of functions that97
parties must be able to fulfill, and a set of criteria for assessing those capabilities.98
99
The Requirements are an informed step forward in privacy, security, interoperability and usability100
based on the work of the IDESG's diverse membership of practitioners expert in their respective fields.101
102
Identity Ecosystemstakeholders can use the Requirements to identify and measure capabilities and103
services today and identify others to implement. The IDESG Framework includes guidance, listing and104
self-reporting facilities as part of the IDESG's Self-Assessment Listing Service (SALS). The SALS will105
support both informal and formal self-assessment. IDESG plans include an option to expand the106
program to third-party certification based on execution of the initial listing and IDESG’s outreach,107
activities and stakeholder input.108
109

BALLOTING DRAFT FMO-IDESG-Baseline-Reqts-ForBallot-v0.92-20150926 5
BASELINE REQUIREMENTS110
111
INTEROP-1. THIRD PARTY AUTHENTICATION112
Entities MUST be capable of accepting external USERS authenticated by THIRD-PARTIES.113
114
SUPPLEMENTAL GUIDANCE115
This Requirement applies to RELYING-PARTY consumers (i.e., entities making access control116
decisions) of a THIRD-PARTY authentication and requires such entities to be capable of accepting117
identities authenticated by multiple (i.e., more than one THIRD-PARTY), but does not require that all118
authenticated identities be accepted if their policies/business rules do not permit. RELYING-PARTIES119
that use portals, service providers, or transaction intermediaries would meet this Requirement if they120
can accept identities authenticated by THIRD-PARTIES, even if those RELYING-PARTIES do not consume121
tokens directly. (For example, RELYING-PARTIES satisfy this Requirement either by accepting and122
consuming identity assertions in nonproprietary published formats directly (such as SAML or another123
protocol to convey the authentication status), or by receiving them via an intermediate who accepts124
and consumes those assertions for them.)125
Regarding "nonproprietary published formats", see Appendix A.126
127
REFERENCES128
National Strategy for Trusted Identities in Cyberspace (2012),129
https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf130
131
APPLIES TO ACTIVITIES132
AUTHORIZATION133
134
KEYWORDS135
INTERMEDIARIES, INTEROPERABILITY, THIRD-PARTIES136

INTEROP-2. THIRD-PARTY CREDENTIALS137
Entities who issue credentials or assertions MUST issue them using content and methods that are138
capable of being consumed for multiple purposes and multiple recipients.139
140
This Requirement applies to entities that issue identity credentials and/or assertions and requires142
that the credentials/assertions issued by such entities may be accepted by multiple THIRD-PARTIES143
(such as RELYING-PARTIES). This does not require that such credentials/assertions must be accepted144
by all THIRD-PARTIES; rather, the Requirement is that credentials/assertions may be accepted by145
multiple (more than one) THIRD-PARTIES. Single-purpose Identity credentials/assertions that are used146
exclusively for access to a single enterprise/online resource that are not permitted for authentication147
by any external THIRD-PARTY would not conform to this Requirement.148
This Requirement addresses the format or expression of the credential or assertion data itself and149
policies for its use, and not its method of exchange, which is addressed in INTEROP-04 (STANDARDIZED150
DATA EXCHANGES).151
152
REFERENCES153
IDESG Functional Model: https://www.idecosystem.org/filedepot_download/943/1423154
155
CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION157
158
KEYWORDS159
ASSERTION, CREDENTIAL, INTEROPERABILITY, THIRD-PARTIES160

INTEROP-3. STANDARDIZED CREDENTIALS161
Entities that issue credentials or assertions MUST issue them in a format that conforms to public162
open STANDARDS listed in the IDESG Standards Registry, or if that Registry does not include feasible163
options, then to non-proprietary specifications listed in the IDESG Standards Inventory.164
165
This Requirement applies to entities that issue identity credentials or assertions and requires that167
the formats conform to IDESG approved standards and/or open standards listed in the IDESG168
Standards Inventory. The intent of this Requirement is to ensure that credentials or assertions are169
capable of being accepted by interoperable solutions. This Requirement recognizes that sufficient170
options exist today that entities should not need to use proprietary credential structures, but the171
developing IDESG Registry may not yet include references to all appropriate, useful standards or172
specifications pertaining to credential issuance.173
Regarding "nonproprietary specifications", see Appendix A.174
175
REFERENCES176
Reference for open standards: OMB Circular A-119: Federal Participation in the Development and177
Use of Voluntary Consensus Standards and in Conformity Assessment Activities,178
https://www.whitehouse.gov/omb/circulars_a119179
Reference for roles, functions, and operations, IDESG Functional Model,180
https://www.idecosystem.org/filedepot_download/943/1423181
Reference examples of published credential or assertion formats: SAML 2.0 Attribute Assertions182
with XACML 3.0, http://docs.oasis-open.org/xacml/xacml-saml-profile/v2.0/xacml-saml-profile-183
v2.0.html; Open ID Connect with Java Web Tokens (JWT), http://openid.net/developers/libraries/184
185
CREDENTIALING, AUTHENTICATION, INTERMEDIATION187
188
KEYWORDS189
ASSERTION, CREDENTIAL, INTEROPERABILITY, OPEN-STANDARDS190

INTEROP-4. STANDARDIZED DATA EXCHANGES191
Entities that conduct digital identity management functions MUST use systems and processes to192
communicate and exchange identity-related data that conform to public open STANDARDS.193
194
This Requirement is that entities must use public open STANDARDS when conducting data interface196
and exchange transactions with THIRD-PARTIES. It does not require that entities must be capable to197
use all interface STANDARDS, but must be capable of using at least one. Sufficient options exist among198
nonproprietary published methods today.199
This Requirement addresses transmission and exchange data protocols, reliable messaging, and200
database/repository/registry transactions, within which entities may offer, seek and obtain identity201
data. Please note, however, that this Requirement does not address formats or expressions for the202
identity data itself (which are addressed by INTEROP-2 (THIRD-PARTY CREDENTIALS) and INTEROP-3203
(STANDARDIZED CREDENTIALS)), nor transport or protective methods and protocols (which are204
addressed separately in the Security requirements (SECURE-1 through SECURE-15)).205
Regarding "digital identity management functions", see Appendix A.206
207
REFERENCES208
Reference for open standards: OMB Circular A-119: Federal Participation in the Development and209
Use of Voluntary Consensus Standards and in Conformity Assessment Activities,210
https://www.whitehouse.gov/omb/circulars_a119211
Reference for roles, functions, and operations, IDESG Functional Model,212
https://www.idecosystem.org/filedepot_download/943/1423213
Reference examples for interface and exchange protocols: SAML 2.0, http://docs.oasis-214
open.org/security/saml/v2.0/saml-core-2.0-os.pdf; XACML 3.0, http://docs.oasis-215
open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html; OAuth 2.0, http://tools.ietf.org/html/rfc6749.216
217
CREDENTIALING, AUTHENTICATION, INTERMEDIATION219
220
KEYWORDS221
DATA-INTERFACE, EXCHANGE,INTEROPERABILITY OPEN-STANDARDS, TRANSACTION222

INTEROP-5. DOCUMENTED PROCESSES223
Entities MUST employ documented business policies and processes in conducting their digital224
identity management functions, including internally and in transactions between entities.225
226
This Requirement is that entities shall document business policies and procedures that are228
employed for identity management functions related to the transmission, receipt, and acceptance of229
data between systems. Having documented procedures is a necessary prerequisite for transparency230
and accountability, quality control, auditability, and ease of interoperability among federated231
communities.232
However, this Requirement does not mandate adoption of any specific policies and procedures, or233
any specific systematic approaches to procedures. Rather, the entity making this assertion should234
simply affirm that it does maintain such documents in writing, and can make them available as235
described. The obligation for policies to be transparent to USERS in this context includes prospective236
users such as eligible applicants.237
239
REFERENCES240
Reference examples for requirements that entities maintain written policies and procedures241
generally: HIPAA Security and Privacy Regulations regarding development and maintenance of policies242
and procedures: 45 CFR Part 164, § 164.316(a), § 164.530(a), § 164.530(a)(1)(i), § 164.530(i) and §243
164.530(j): http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5; Sarbanes-Oxley Sec.244
404, Assessment of Internal Controls,245
https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act#Sarbanes.E2.80.93Oxley_Section_404:246
_Assessment_of_internal_control247
Reference example of a federation's published policies, see:248
https://www.incommon.org/policies.html249
250
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION252
253
KEYWORDS254
NOTICE, INTEROPERABILITY, POLICIES, PROCESS, TRANSACTION255

0
Note: Committee has recommended that INTEROP-6 become the Best Practice tentatively256
designated INTEROP-BP-F.257
258
259
260

1
Note: Committee has recommended that INTEROP-7 become the Best Practice tentatively261
designated INTEROP-BP-G.262
263
264
265

2
INTEROP-6. THIRD-PARTY COMPLIANCE266
Entities that act as THIRD-PARTY service providers for another entity, in conducting digital identity267
management functions, must comply with each of the applicable IDESG Baseline Requirements that268
apply to that otherentity and those relevant functions.269
270
This Requirement applies to outsourcing or delegation of digital identity management functions or272
transactions to THIRD-PARTIES. An entity assessing its compliance with the applicable IDESG Baseline273
Requirements must also apply them to the functions or transactions carried out on its behalf by a274
service provider. For purposes of this Requirement, the term "THIRD-PARTY service provider" refers275
to THIRD-PARTIES that an assessed entity outsources or delegates to perform digital identity276
management functions on behalf of the assessed entity.277
In some FEDERATIONS, the federation itself may also act as a service provider for participant entities278
in some identity management functions, and thereby be subject to this Requirement.279
Cloud computing service providers providing data storage or other services for an entity may also be280
within the scope of this Requirement, depending on the functions performed on behalf of the281
assessed entity, and the provider's access to the data handled on behalf of the assessed entity. See282
comments about "data storage companies" in the Modifications to the HIPAA Privacy, Security,283
Enforcement, and Breach Notification Rules Under the HITECH Act (2013), Final Rule comments on284
HITECH Act Section 13408: http://federalregister.gov/a/2013-01073285
287
REFERENCES288
Reference for cloud computing processors of personal information: ISO/IEC 27018 (2014): Code of289
practice for protection of personally identifiable information (PII) in public clouds acting as PII290
processors. http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498, and291
https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-1:v1:en292
Reference example of intermediaries and similar subcontractors or service agencies who fulfill data293
transactions for others, and take responsibility for their compliance with various requirements: see294
"Business Associate" regulations in the HIPAA Privacy Regulations: 45 CFR Parts 160 and 164,295
§§ 160.103, 164.502(a)(3), (a)(4) and (e); and the treatment of "Clearinghouse" functions in296
§ 164.500(b): http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5297
298
301
KEYWORDS302
COMPLIANCE, INTEROPERABILITY, INTERMEDIARIES, TRANSACTION, THIRD-PARTIES303

3
INTEROP-7. USER REDRESS304
Entities MUST provide effective mechanisms for redress of complaints or problems arising from305
identity transactions or the, failure of the entity to comply with the IDESG Baseline Requirements.306
These mechanisms MUST be easy for USERS to find and access.307
"Effective"inthisRequirementmeansthatuse of the redress mechanismwill resultinatimelycorrectionof309
errors,resolutionof the dispute orcomplaint,andthe processshall notbe overlyburdensome orcomplex.310
Resolutionof disputesshall be conductedinafairand consistentmanner. Where feasible,further311
mechanismsforUSERSto seek redress canbe institutedthroughthe use of internal orindependentTHIRD-312
PARTYservices(i.e.ombudsmen,etc.)313
Entitiesmustprovide toUSERSthe source of any verificationorinformationthatleadstoaneligibility,314
authenticationorauthorization decision. If USERSseek redress,theymustbe providedwithamechanismto315
dispute orchange erroneousinformationatthe source of the information.316
If credentialingisdeniedora credentialisrevokedfromaUSER,justificationforthatdecisionshouldbe317
presentedalongwiththe source of anyinformationthatcontributedtothatdecision.318
Note: Intermediariesmaynothave adirectrelationshipwithUSERSwhomove throughtheirsystems,but319
shouldfacilitate endpoints'abilitytoconformtothisrequirement. See the IDESGFunctional Model for320
definitionof “TransactionIntermediation,”,whichdescribesitas“Processesandproceduresthat limitlinkages321
transactionsandfacilitate credential portability.” This includesfunctionsdefinedas“Blinding”,322
“Pseudonymization/Anonymization,”and“Exchange”.323
Entities shouldprovide amechanismforredressandinclude the abilitytocorrect or otherwise addressany324
issuesUSERS mayhave.325
Pathwaysforredressshouldbe clearandavailable tothe userthroughoutthe process.326
A redressmechanismshouldbe consideredmust-see-this-firstinformationinafirstencounterandthen327
providedasappropriate tothe USERin a consistentmannerthereafter.328
Please note thatINTEROP-5(DOCUMENTEDPROCESSES) appliestothisRequirement. Regarding"redress",329
see alsoAppendix A.330
331
REFERENCES332
ConsultUSABLE-4(NAVIGATION) supplemental guidanceforadditional considerations thatapplytoredress.333
Consultthe UXC Resourcespage locatedhere forexamples:334
https://www.idecosystem.org/wiki/UXC_resources335
336
APPLIESTOACTIVITIES337
REGISTRATION,CREDENTIALING338
339
KEYWORDS340
ACCOUNTABILITY, COMPLIANCE,INTEROPERABILITY,POLICIES,REDRESS,RISK341

4
INTEROP-8. ACCOUNTABILITY342
Entities MUST be accountable for conformance to the IDESG Baseline Requirements, by providing343
mechanisms for auditing, validation, and verification.344
345
By the term ”mechanism” it is intended there is a means to support a determination of compliance347
with these Requirements. This means may be through documented policy, audit, direct observation,348
or other means to support a determination of compliance. This Requirement does not intend that the349
means is provided publicly, just that it is available to the service provider for the determination of350
compliance and may be examined independently when appropriate.351
352
REFERENCES353
Reference for “accountability” requirements: ISO/IEC 29100 (2011) Privacy Framework, Section354
5.10 Accountability, http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html355
356
359
KEYWORDS360
AUDIT, COMPLIANCE, INTEROPERABILITY, POLICIES, VALIDATION361

5
PRIVACY-1. DATA MINIMIZATION362
Entities MUST limit the collection, use, transmission and storage of personal information to the363
minimum necessary to fulfill that transaction’s purpose and related legal requirements. Entities364
providing claims or attributes MUST NOT provide any more personal information than what is365
requested. Where feasible, IDENTITY-PROVIDERS MUST provide technical mechanisms to366
accommodate information requests of variable granularity, to support data minimization.367
368
Regarding "personal information," see Appendix A.370
This Requirement is intended to apply to each transaction or data exchange in which personal371
information is collected, generated, used, transmitted or stored. Groups of related transactions may372
share a common purpose and legal requirements; but each data exchange is subject to the373
minimization mandate. [Entities are encouraged to address this issue by design, before run time, by374
limiting or applying controls or filters to classes of data.]375
The boundaries of a TRANSACTION between a service provider and a user are defined by the376
purpose of the collection, generation, use, transmission, or storage of their personal information. SEE377
PRIVACY-2 (PURPOSE LIMITATION).378
379
REFERENCES380
Further reference materials and to aid organizations interested in conforming to these381
Requirements can be found at https://www.idecosystem.org/wiki/Supplemental_Privacy_Guidance.382
383
386
KEYWORDS387
LIMITATION, MINIMIZATION, PRIVACY, PURPOSE388

6
PRIVACY-2. PURPOSELIMITATION389
Entities MUST limit the use of personal information that is collected, used, transmitted, or stored to390
the specified purposes of that transaction. Persistent records of contracts, assurances, consent, or391
legal authority MUST be established by entities collecting, generating, using, transmitting, or storing392
personal information, so that the information, consistently is used in the same manner originally393
specified and permitted.394
395
Regarding "personal information", see Appendix A. Entities should also assure that their data397
controls reliably apply these limitations to their future actions.398
See also Requirement PRIVACY-1 (DATA MINIMIZATION) on the application of limitations to, and399
scope of, individual transactions and data exchanges.400
Please note the applicability of best practice INTEROP-BP-G (RECOMMENDED LEGAL COMPLIANCE)401
regarding limitations imposed by laws. Please note the applicability of best practice [INTEROP-BP-F402
(RECOMMENDED FEDERATION COMPLIANCE) and Requirement INTEROP-6 (THIRD-PARTY403
COMPLIANCE) regarding limitations arising from the involvement of THIRD-PARTIES such as404
intermediaries, similar service providers, or FEDERATIONS.405
See the IDESG Functional Model for definition of Transaction Intermediation for the scope of406
“intermediaries.” The functional model describes Transaction Intermediation as “Processes and407
procedures that limit linkages between transactions and facilitate credential portability. This includes408
functions defined as “Blinding,” “Psuedonymization/Anonymization,” and “Exchange.”409
410
REFERENCES411
414
417
KEYWORDS418
LIMITATION, PRIVACY, PURPOSE419

7
PRIVACY-3. ATTRIBUTE MINIMIZATION420
Entities requesting attributes MUST evaluate the need to collect specific attributes in a transaction,421
as opposed to claims regarding those attributes. Wherever feasible, entities MUST collect,422
generate, use, transmit, and store claims about USERS ratherthan attributes. Wherever feasible,423
attributes MUST be transmitted as claims, and transmitted credentials and identities MUST be424
bound to claims instead of actual attribute values.425
426
Where feasible, Identity Providers (and any other entities releasing attributes) should provide the428
opportunity for attributes to be released as claims as well as detailed attributes; see also PRIVACY-1429
(DATA MINIMIZATION) on granularity of requests to support data minimization by requesters,430
generally.431
Attribute providers may be required by their own business processes to collect and store, although432
not necessarily transmit, attributes in their attribute form, in which case significant alteration or433
filtering may be required when that data is re-used or transmitted to others.434
435
REFERENCES436
439
442
KEYWORDS443
ATTRIBUTE, IDENTIFIER, LIMITATION, MINIMIZATION, PRIVACY444

8
PRIVACY-4. CREDENTIAL LIMITATION445
Entities MUST NOT request USERS’ credentials unless necessary for the transaction and then only as446
appropriate tothe risk associated with the transaction or to the risks to the parties associated with447
the transaction.448
449
Intermediaries may not have a direct relationship with individuals who move through their systems,451
but should facilitate endpoints' ability to conform to this Requirement.452
See Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on the457
application of limitations to, and scope of, individual transactions and data exchanges.458
459
REFERENCES460
463
466
KEYWORDS467
CREDENTIAL, IDENTIFIER, LIMITATION, PRIVACY, PURPOSE, RISK468

9
PRIVACY-5. DATA AGGREGATIONRISK469
Entities MUST assess the privacy risk of aggregating personal information, in systems and processes470
where it is collected, generated, used, transmitted, or stored, and wherever feasible, MUST design471
and operate their systems and processes to minimize that risk. Entities MUST assess and limit472
linkages of personal information across multiple transactions without the USER's explicit consent.473
474
Regarding "personal information", see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).476
Collection of personal information from repeated data transactions, which can be associated to477
form a larger body of knowledge about individuals, may increase their privacy risk. For example: An478
Identity Provider’s ability to facilitate transactions between a user and multiple relying parties may479
give the Identity Provider privileged insights into the users’ behavior. Such information is the result of480
the Identity Provider’s ability to link user interactions across transactions.481
“Users’ explicit consent” alone should not be used to mitigate privacy risks created by technical482
architecture or design, such as to mitigate risks that individuals could not be reasonably expected to483
be able to assess.484
See also Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on485
the application of limitations to, and scope of, individual transactions and data exchanges.486
487
REFERENCES488
491
494
KEYWORDS495
AGGREGATION, CONSENT, DESIGN, LIMITATION, PRIVACY, RISK496

0
PRIVACY-6. USAGENOTICE497
Entities MUST provide concise, meaningful, and timely communication to USERS describing how498
they collect, generate, use, transmit, and store personal information.499
500
Regarding "personal information", see Appendix A, and see PRIVACY-1 (DATA MINIMIZATION).502
The goal of notice is to work toward informed consent from USERS: functional requirements should503
work toward strategies for improving USERS' understanding of their choices when engaging with504
services. Strategies include layered approaches, just-in-time notice, and other examples that can505
illustrate effective types of notice mechanism alternatives to privacy policies. In the case of material506
changes to the service, entities shall provide clear and conspicuous descriptions of the changes and507
their impacts on USERS in advance of the change.508
“Consent” alone should not be used to mitigate privacy risks created by technical architecture or509
design, such as to mitigate risks that individuals could not be reasonably expected to be able to assess;510
see PRIVACY-5 (DATA AGGREGATION RISK).511
See also Requirements PRIVACY-1 (DATA MINIMIZATION) and PRIVACY-2 (PURPOSE LIMITATION) on512
the application of limitations to, and scope of, individual transactions and data exchanges.513
See also the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of514
notices given to USERS and others.515
516
REFERENCES517
520
523
KEYWORDS524
NOTICE, POLICIES, PRIVACY525

1
PRIVACY-7. USER DATA CONTROL526
Entities MUST provide appropriate mechanisms to enable USERS to access, correct, and delete527
personal information.528
529
Regarding "personal information," see Appendix A, and PRIVACY-1 (DATA MINIMIZATION) and531
INTEROP-7 (USER REDRESS).532
“Appropriate” broadly means mechanisms for management of personal information should be533
effective, easy to use, and accessible. (See USABLE-1 (USABILITY PRACTICES), USABLE-3 (PLAIN534
LANGUAGE), and USABLE-5 (ACCESSIBILITY) for guidance on the usability of such mechanisms.)535
"Deletion” generally refers to removal of the data from availability. Data disposal, its complete536
removal from the complying entity's own systems and control, may depend on the legal and537
contractual requirements applicable to the data; see PRIVACY-14 (DATA RETENTION AND DISPOSAL).538
Note: Intermediaries may not have direct control over the information that flows through their539
systems, but should deploy mechanisms that support endpoints' ability to conform to this540
Requirement. See INTEROP-6 (THIRD-PARTY COMPLIANCE).541
546
REFERENCES547
550
553
KEYWORDS554
CHANGES, CHOICE, CONTROL, CORRECTION, PRIVACY, RETENTION555

2
PRIVACY-8. THIRD-PARTY LIMITATIONS556
Wherever USERS make choices regarding the treatment of their personal information, those choices557
MUST be communicated effectively by that entity to any THIRD-PARTIES towhich it transmits the558
personal information.559
560
Regarding "personal information, " seer Appendix A and PRIVACY-1 (DATA MINIMIZATION).562
One example of a USER's choice that creates a use limitation would be their election to restrict the563
use of their personal information to specific purposes only. This Requirement broadly means that564
entities convey all such restrictions to the "downstream" recipients of personal information, when565
they share that information. However, this Requirement does not dictate what elective choices a566
USER should be prompted to make; and it does not require an entity to convey (or enforce) a USER's567
choices or instructions if those choices contradict law, regulation or legal process.568
Please note, Requirement INTEROP-6] (THIRD-PARTY COMPLIANCE) also includes certain specific569
duties in connection with THIRD-PARTIES receiving personal information from an entity.570
Responsibilities for liability should be spelled out in agreements between organizations exchanging571
personal information in the identity ecosystem, as well as the format and style of the communication572
of user-stated privacy preferences and information.573
574
REFERENCES575
578
581
KEYWORDS582
CHOICE, LIMITATION, NOTICE, PORTABILITY, PRIVACY, THIRD-PARTIES583

3
PRIVACY-9. USER NOTICEOF CHANGES584
Entities MUST, upon any material changes to a service or process that affects the prior or ongoing585
collection, generation, use, transmission, or storage of USERS’ personal information, notify those586
USERS, and provide them with compensating controls designed to mitigate privacy risks that may587
arise from those changes, which may include seeking express affirmative consent of USERS in588
accordance with relevant law or regulation.589
590
Once USERS have been notified of the planned uses and processing of their personal information592
(see PRIVACY 6 (USAGE NOTICE)), and exercised whatever consent, limitation or withdrawal rights593
they have (see PRIVACY-7 (USER DATA CONTROL)), material changes to those uses or processing may594
render their choices obsolete, so entities should refresh the USER's opportunity to exercise those595
controls in light of the new information. (See USABLE-4 (NAVIGATION), USABLE-5 (ACCESSIBILITY) and596
USABLE-6 (USABILITY FEEDBACK).)597
Regarding "personal information," see Appendix A and PRIVACY-1 (DATA MINIMIZATION).598
“Express affirmative consent” should not be used to mitigate privacy risks created by technical599
architecture or design, or to mitigate risks that individuals could not be reasonably expected to be600
able to assess; see PRIVACY-5 (DATA AGGREGATION RISK).601
“Compensating controls” are controls or mechanisms, which may operate either by policy or602
(preferably) technology, designed to mitigate privacy risks that may arise when a material change is603
made to the system. Examples might include an opportunity to assent or withdraw, or risk-shifting604
rules occurring upon a change. Those controls can be under user administration, but only if the user605
can be reasonably expected to understand how to use those mechanisms to effectively mitigate their606
risk.607
608
REFERENCES609
612
615
KEYWORDS616
CHANGES, CONSENT, NOTICE, PRIVACY, PURPOSE617

4
PRIVACY-10. USER OPTION TO DECLINE618
USERS MUST have the opportunity to decline registration; decline credential provisioning; decline619
the presentation of their credentials; and decline release of their attributes or claims.620
621
Although an entity's digital identity management functions and transactions should provide an624
opportunity to the USER to decline to provide personal information or consent to its use, that decision625
may appropriately result in the partial or complete failure of the entity's intended transaction. (See626
USABLE-4 (NAVIGATION), USABLE-5 (ACCESSIBILITY) and USABLE-6 (USABILITY FEEDBACK).)627
628
REFERENCES629
632
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION634
635
KEYWORDS636
CHOICE, CONSENT, PRIVACY637

5
PRIVACY-11. OPTIONAL INFORMATION638
Entities MUST clearly indicate toUSERS what personal information is mandatory and what639
information is optional priorto the transaction.640
641
Regarding "personal information," see Appendix A, and PRIVACY-1 (DATA MINIMIZATION).643
See also the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of644
notices given to USERS and others.645
Additional best practices for indicating optionality are provided in PRIVACY-BP-C (RECOMMENDED646
CONSEQUENCES OF DECLINING) below.647
It may be appropriate to have a "don't ask me again" check box for a series of transactions of the648
same type.649
For example: If personal information is requested from USERS during registration that is beyond the650
minimum necessary to complete an eligibility decision, that personal information should be clearly651
marked as optional.652
Regarding "mandatory" and "optional", in this Requirement, if personal information is requested653
from USERS during registration that is beyond the minimum necessary to complete an eligibility654
decision, that personal information should be clearly marked as optional. That optional designation655
should include a short and clear description justifying the request of that data.656
If an organization requests to release attributes values during a transaction that are the beyond the657
minimum necessary to complete that transaction, that release should be clearly presented as658
optional/a choice. That optional designation should include a short and clear description justifying659
the release of that data.660
If information or attribute value release is designated as mandatory, that designation should include661
a short and clear description of the consequences of declining to provide that information or allowing662
that release. See PRIVACY-10 (USER OPTION TO DECLINE).663
664
REFERENCES665
668
REGISTRATION, AUTHORIZATION670
671
KEYWORDS672
CHOICE, LIMITATION, NOTICE, PRIVACY673

6
PRIVACY-12. ANONYMITY674
Wherever feasible, entities MUST utilize identity systems and processes that enable transactions675
that are anonymous, anonymous with validated attributes, pseudonymous, or where appropriate,676
uniquely identified. Where applicable to such transactions, entities employing service providers or677
intermediaries MUST mitigate the risk of those THIRD-PARTIES collecting USER personal678
information. Organizations MUST request individuals’ credentials only when necessary for the679
transaction and then only as appropriate to the risk associated with the transaction or only as680
appropriate tothe risks to the parties associated with the transaction.681
682
In support of legal, policy or personal requirements for anonymous or pseudonymous USER684
participation, digital identity management functions and systems should permit anonymous and685
(persistent across sessions) pseudonymous registration and participation, where required by law or686
otherwise feasible. To further facilitate that goal, identifiers and personal data (including attributes)687
should be kept separate wherever feasible: see PRIVACY-4 (CREDENTIAL LIMITATION) and PRIVACY-15688
(ATTRIBUTE SEGREGATION).689
See INTEROP-6 (THIRD-PARTY COMPLIANCE) on the mitigation of risks associated with third-party690
service providers or data users.691
See PRIVACY-5 (DATA AGGREGATION RISK) regarding the risk of collecting additional information.692
See PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK) regarding the implementation of controls to693
mitigate identified privacy risk.694
See PRIVACY-11 (OPTIONAL INFORMATION) regarding availability of user choices regarding optional695
disclosure of personal information.696
697
REFERENCES698
701
704
KEYWORDS705
ACCOUNT, ANONYMITY, CHOICE, IDENTIFIER, PRIVACY706

7
PRIVACY-13. CONTROLS PROPORTIONATETO RISK707
Controls on the processing or use of USERS' personal information MUST be commensurate with the708
degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who709
conduct digital identity management functions, to establish what risks those functions pose to710
USERS' privacy.711
712
Regarding “personal information,” See Appendix A and PRIVACY-1 (DATA MINIMIZATION).714
Regarding “digital identity management functions” see Appendix A.715
Many risk analysis models include examples or guidance about the implementation of controls that716
are appropriate to either specific risks or levels of existing risk. Entities may satisfy this Requirement717
by confirming that they have conducted that risk assessment and, based on that assessment, made718
appropriate adjustments to their practices.719
720
REFERENCES721
724
727
KEYWORDS728
ASSESSMENT, CONTROLS, LIMITATION, POLICIES, PRIVACY, RISK729

8
PRIVACY-14. DATA RETENTION AND DISPOSAL730
Entities MUST limit the retention of personal information to the time necessary forproviding and731
administering the functions and services to USERS for which the information was collected, except732
as otherwise required by law or regulation. When no longer needed, personal information MUST733
be securely disposed of in a manner aligning with appropriate industry standards and/or legal734
requirements.735
Retention requirements arising from "law, regulation or legal process" may include litigation-related737
legal holds, and requirements arising from mandatory audits.738
“Functions” refer to the functions listed in the IDESG Functional Model; see supplemental guidance740
in PRIVACY-13 (CONTROLS PROPORTIONATE TO RISK).741
742
REFERENCES743
746
749
KEYWORDS750
LIMITATION, PRIVACY, PURPOSE, RETENTION751

9
PRIVACY-15. ATTRIBUTE SEGREGATION752
Wherever feasible, identifier dataMUST be segregated from attribute data.753
754
This recommendation is intended to apply to identity data while used and stored internally by an756
entity, as well as when collected from or transmitted to another. These goals may be most easily757
accomplished when identity management systems are being designed or renovated.758
Regarding “identifiers,” see Appendix A.759
760
REFERENCES761
764
REGISTRATION, CREDENTIALING, AUTHORIZATION766
767
KEYWORDS768
ARCHITECTURE, ATTRIBUTE, IDENTIFIER, PRIVACY, PROCESS769

0
SECURE-1. SECURITY PRACTICES770
Entities MUST apply appropriate and industry-accepted information security STANDARDS,771
guidelines, and practices to the systems that support their identity functions and services.772
773
Entities may satisfy this Requirement by confirming that they (a) have considered existing775
information security standards, guidelines and practices relevant to their environment; (b) have776
identified the specific sources of guidance that are appropriate for their operations, in light of the777
information security risks they face; and (c) have implemented the portions of that guidance they778
deemed appropriate.779
This Requirement does not mandate which information security policies, procedures or780
technologies an entity should or must use. However, some specific policies and technologies are the781
subject of other, more specific items elsewhere in this Requirements set.782
Entities must have risk-based countermeasures and safeguards in place to resist common threats to783
identity solutions and identity data, including, for example, Session hijacking; Eavesdropping; Theft;784
Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider785
Threats.786
The security standards, guidelines, and practices employed in digital identity management services,787
to govern the security of their networks, devices, solutions, and systems, must be both operational788
and well documented. Please note the applicability of Requirement INTEROP-5 (DOCUMENTED789
PROCESSES) regarding documentation and best practice INTEROP-BP-G (RECOMMENDED LEGAL790
COMPLIANCE) regarding limitations imposed by laws. Please note the applicability of best practice791
INTEROP-BP-F (RECOMMENDED FEDERATION COMPLIANCE) and Requirement INTEROP-6 (THIRD-792
PARTY COMPLIANCE) regarding limitations arising from the involvement of THIRD-PARTIES such as793
intermediaries, similar service providers, or FEDERATIONS.794
795
REFERENCES796
Potential candidates for adoption include: ISO/IEC 27000 series, PCI-DSS, NIST SP 800-53-4, CSA797
CCM, COBIT v5, FFIEC (multiple documents), PCI-DSS, NISTIR 7621 R1 (draft)798
799
802
KEYWORDS803
POLICIES, RISK, SECURITY, OPEN-STANDARDS804

1
SECURE-2. DATA INTEGRITY805
Entities MUST implement industry-accepted practices to protect the confidentiality and integrity of806
identity data - including authentication data and attribute values - during the execution of all digital807
identity management functions, and across the entire data lifecycle (collection through808
destruction).809
810
The execution of all identity transactions and functions must make use of transport that offers812
confidentiality and integrity protection (e.g., properly configured TLS).813
Where operations and functions are executed by separate organizations, secure transport814
mechanisms and business processes must be used to preserve the confidentiality and integrity of815
identity data being transmitted to and stored by service providers.816
Authentication data (e.g., passwords and passphrases) must be properly protected through industry817
accepted cryptographic techniques (e.g., salted and hashed).818
Sensitive data collected during identity transactions must be protected at all times using industry819
accepted practices for encryption and data protection.820
Appropriate access control measures must be in place to ensure access to identity data is restricted821
to only authorized users with a need to know. Appropriate access control measures including822
multifactor authentication must be in place to ensure that access to identity data by data custodians is823
restricted to users responsible for administering and maintaining the data. See SECURE-8824
(MULTIFACTOR AUTHENTICATION). All access to identity data must be securely logged and separation825
of duties should be considered as a means to further limit access. See SECURE-14 (SECURITY LOGS).826
Please note, the IDESG Privacy Requirements (PRIVACY-1 through PRIVACY-15) also impose separate827
requirements on the handling and storage of identifiers attributes and credentials.828
829
REFERENCES830
FICAM TFPAP Trust Criteria, LOA 1-3, Multiple Sections, PCI-DSS (actually Requirement 7 & 8 – pages831
61-72), ISO 27002 (2005) Sec. 11, FFIEC, Wholesale Payment SystemBooklet832
(http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_WholesalePaymentSystems.pdf)833
834
837
KEYWORDS838
ATTRIBUTE, DATA-INTEGRITY, SECURITY839

2
SECURE-3. CREDENTIAL REPRODUCTION840
Entities that issue or manage credentials and tokens MUST implement industry-accepted processes841
to protect against theirunauthorized disclosure and reproduction.842
843
Potential controls that can be put in place to prevent unauthorized disclosure and reproduction845
include: The use of secure transport for credential and token data (see SECURE-2 (DATA INTEGRITY));846
Implementation of industry accepted cryptographic techniques for the storage of credential and token847
data (see SECURE-2 (DATA INTEGRITY)); Implementation of industry accepted key management and848
protection techniques (see SECURE-11 (KEY MANAGEMENT)); Out-of-band distribution of credentials849
or tokens; In-person issuance of credentials or tokens; and Anti-tampering and/or counterfeiting850
mechanism for tokens with a physical instantiation851
852
REFERENCES853
FICAM TFPAP Trust Criteria, Registration and Issuance, LOA 2-3, #3 (p.21, 37)854
855
CREDENTIALING857
858
KEYWORDS859
CREDENTIAL, DUPLICATION, DATA-INTEGRITY, PROCESS, SECURITY, TOKEN860

3
SECURE-4. CREDENTIAL PROTECTION861
Entities that issue or manage credentials and tokens MUST implement industry-accepted data862
integrity practices to enable individuals and otherentities to verify the source of credential and863
token data.864
865
When providing token and credential information to users, steps must be taken to allow users to867
authenticate the source of the information. This can include digital signing of credential information,868
providing secure transport mechanisms for the information (e.g., properly configured TLS), or869
delivering the information out of band (e.g., traditional mail or SMS).870
871
REFERENCES872
874
CREDENTIALING876
877
KEYWORDS878
CREDENTIAL, DATA-INTEGRITY, SECURITY, TOKEN879

4
SECURE-5. CREDENTIAL ISSUANCE880
Entities that issue or manage credentials and tokens MUST do so in a manner designed to assure881
that they are granted to the appropriate and intended USER(s) only. Where registration and882
credential issuance are executed by separate entities, procedures for ensuring accurate exchange of883
registration and issuance information that are commensurate with the stated assurance level MUST884
be included in business agreements and operating policies.885
886
Procedures exist to ensure the user(s) who receives the credential and associated tokens is the888
same user(s) who participated in registration. These can include: The use of secure transport for889
credential and token data (see SECURE-2 (DATA INTEGRITY)); Out-of-band distribution of credentials890
or tokens; In-person issuance of credentials or tokens.891
Attribute verification (i.e., identity proofing) done during registration must be robust enough to892
provide sufficient confidence in the identity to support the intended use(s) of the credential.893
Subsequent attribute verification (i.e., proofing) must be executed in a manner consistent with894
intended use of the attributes.895
896
REFERENCES897
899
CREDENTIALING901
902
KEYWORDS903
CREDENTIAL, DATA-INTEGRITY, PROCESS, PROVISIONING, SECURITY, TOKEN904

5
SECURE-6. CREDENTIAL UNIQUENESS905
Entities that issue or manage credentials MUST ensure that each account to credential pairing is906
uniquely identifiable within its namespace for authentication purposes.907
908
A unique identifier must be assigned to each pairing of associated account and credential. This is to910
be used for the purposes of binding registration information with credentials in order to facilitate911
authentication and to avoid collisions of identifiers in the namespace.912
913
REFERENCES914
FICAM TFPAP Trust Criteria, Security, LOA 1-3, #1 (p.19), ISO 27002 (2005) Section 11 (Access915
Control), FFIEC, PCI-DSS 8.1, http://pcidsscompliance.net/pci-dss-requirements/how-to-comply-to-916
requirement-8-of-pci-dss/917
918
CREDENTIALING, AUTHENTICATION920
921
KEYWORDS922
CREDENTIAL, IDENTIFIER, PROVISIONING, SECURITY923

6
SECURE-7. TOKEN CONTROL924
Entities that authenticate a USER MUST employ industry-accepted secure authentication protocols925
to demonstrate the USER's control of a valid token.926
927
Successful authentication requires that the user prove, through a secure authentication protocol,929
that he or she controls the appropriate token(s). Control is best demonstrated by a user providing930
token value through the authentication protocol (e.g., password, PIN, or biometric).931
932
REFERENCES933
FICAM TFPAP Trust Criteria, Authentication Process, LOA 2, #6 (p.21)934
935
AUTHENTICATION937
938
KEYWORDS939
CONTROLS, IDENTIFIER, PROVISIONING, SECURITY, TOKEN940

7
SECURE-8. MULTIFACTORAUTHENTICATION941
Entities that authenticate a USER MUST offer authentication mechanisms which augment or are942
alternatives to a password.943
944
Entities must offer users an authentication mechanism other than single-factor authentication946
based on a password as a shared secret. Examples include (but are not limited to): “something-you-947
have” (e.g., computing device, USB token, mobile phone, key fob, etc.) or “something-you-are” (e.g.,948
biometric), or a combination of these. The additional or alternative mechanism(s) must ensure the949
binding and integration necessary for use as an authentication mechanism. See SECURE-9950
(AUTHENTICATION RISK ASSESSMENT) and its Supplemental Guidance for more information about951
choosing risk appropriate authentication mechanisms.952
953
REFERENCES954
NIST SP 800-63-2955
956
AUTHENTICATION958
959
KEYWORDS960
AUTHENTICATION, MULTIFACTOR, SECURITY, TOKEN961

8
SECURE-9. AUTHENTICATION RISKASSESSMENT962
Entities MUST have a risk assessment process in place for the selection of authentication963
mechanisms and supporting processes.964
965
Entities relying on authentication mechanisms must have a process in place for assessing the risks967
associated with providing access to their systems, applications, and/or network(s) and must leverage968
this to inform decisions on the selection of authentication mechanisms and supporting identity969
services.970
Additional controls (e.g., geolocation or device identification) may be used. The party granting971
access may also request additional verified attributes to support authorization decisions where972
required by risk or business needs.973
974
REFERENCES975
NIST SP 800-63976
977
AUTHORIZATION979
980
KEYWORDS981
ASSESSMENT, AUTHENTICATION, RISK, SECURITY982

9
SECURE-10. UPTIME983
Entities that provide and conduct digital identity management functions MUST have established984
policies and processes in place to maintain theirstated assurances for availability of theirservices.985
986
At a minimum, service providers should have documented policies and processes to address disaster988
recovery, continuity of business, and denial of service prevention/recovery. See INTEROP-5989
(DOCUMENTED PROCESSES).990
991
REFERENCES992
FFIEC-Business Continuity Planning, Retail Payment System Handbook, and Wholesale Payment993
System Handbook, E-Banking Handbook, https://www.ffiec.gov/; “IT Handbooks”, at994
http://ithandbook.ffiec.gov/it-booklets.aspx; ISO 20000-1 (2011) (Part 1: Service management system995
requirements) and -2 (2012) (Part 2: Guidance on the application of service management systems)996
1.6.3.1 & 1.6.3.2, ISO 27002 (2005)- Section 14.1; CSA CCM,997
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ , NIST 800-53-4, Continuity998
Planning, Incident Response; COBIT V5 DSS04 “Manage Continuity”999
1000
1003
KEYWORDS1004
PROCESS, SECURITY, UPTIME1005

0
SECURE-11. KEY MANAGEMENT1006
Entities that use cryptographic solutions as part of identity management MUST implement key1007
management policies and processes that are consistent with industry-accepted practices.1008
1009
To support the security and interoperability of cryptographic solutions, organizations must follow1011
best practices and standards for cryptographic algorithms and key management including the1012
generation, protection, distribution, and recovery of keys.1013
1014
REFERENCES1015
NIST 800-57 (3-parts – Key Management- http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1,1016
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf,1017
http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1; , ISO/IEC 27002 - 12.3.1; PCI-DSS- 3.6.1-3.6.8 ; (see1018
table of requirements at page 18+); FFIEC - Information Security1019
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf, see 5.1.2.3(a), 5.3,1020
5.3.2, 2.1.2, 2.11; Wholesale Payment Systems Booklet,1021
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_WholesalePaymentSystems.pdf1022
1023
1026
KEYWORDS1027
PKI, POLICIES, SECURITY1028

1
SECURE-12. RECOVERY AND REISSUANCE1029
Entities that issue credentials and tokens MUST implement methods for reissuance, updating, and1030
recovery of credentials and tokens that preserve the security and assurance of the original1031
registration and credentialing operations.1032
1033
Procedures must be in place to reasonably prevent hijacking of an account through recovery and1035
reset options: a common vector for identity thieves and other attackers. At a minimum, service1036
providers must provide reset, recovery, and reissuance procedures that afford a commensurate level1037
of security to the processes used during the initial registration and credentialing operations. These1038
procedures may include out-of-band verification, device identification, or any combination of similar1039
techniques used to increase the security of reset, reissuance, and recovery options while also meeting1040
IDESG Usability Requirements (USABLE-1 through USABLE-7).1041
1042
REFERENCES1043
FICAM TFPAP Trust Criteria “Token & Credential Management”), LOA 2-3, #1, #2, #4, TFPAP Trust1044
Criteria, Management and Trust Criteria, LOA 2-3, #3,#4, #6 (p.35); PCI-DSS v 2.0- 8.5.2 (p. 48)1045
(corresponds to 8.2.2 in PCI-DSS v3. – p.67); NIST SP 800-63, Token and Credential Management1046
Activities 7.1.2 (p. 58)1047
1048
REGISTRATION, CREDENTIALING1050
1051
KEYWORDS1052
ACCOUNT, CREDENTIAL, EXPIRY, LOSS, PROCESS, PROVISIONING, RECOVERY, SECURITY, TOKEN1053

2
SECURE-13. REVOCATION1054
Entities that issue credentials or tokens MUST have processes and procedures in place to invalidate1055
credentials and tokens.1056
1057
Service Providers must be capable of revoking, deactivating, or otherwise invalidating credentials or1059
tokens. Invalidated credentials include those that have expired, have been determined to be1060
compromised, or have been canceled by either the issuing entity or user.1061
Timeliness of revocation and deactivation may be dictated by regulation, environment, or trust1062
frameworks.1063
1064
REFERENCES1065
FICAM TFPAP Trust Criteria, Token & Credential Management, LOA 2-3, #4 (p.32)1066
1067
REGISTRATION, CREDENTIALING1069
1070
KEYWORDS1071
CREDENTIAL, EXPIRY, LOSS, PROCESS, REVOCATION, SECURITY, TOKEN1072

3
SECURE-14. SECURITY LOGS1073
Entities conducting digital identity management functions MUST log their transactions and security1074
events, in a manner that supports system audits and, where necessary, security investigations and1075
regulatory requirements. Timestamp synchronization and detail of logs MUST be appropriate to the1076
level of risk associated with the environment and transactions.1077
1078
Transactions and events associated with systems that support identity management functions must1080
be time-stamped and logged. Where necessary additional information related to the events also must1081
be logged (such as the source of an authentication assertion) with the data needed to support audits.1082
Selection of logging and timestamping standards, processes, and procedures should be consistent1083
with the processes outlined in SECURE-1 (SECURITY PRACTICES).1084
Audit records and logs must be protected consistent with SECURE-2 (DATA INTEGRITY).1085
1086
REFERENCES1087
As an example: HIPAA Security Regulations regarding development and maintenance of logging1088
procedures and records: 45 CFR Part 164, § 164.308(a)(1)(ii)(D), § 164.408(c):1089
http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div51090
1091
1094
KEYWORDS1095
AUDIT, LOGS, PROCESS, SECURITY1096

4
SECURE-15. SECURITY AUDITS1097
Entities MUST conduct regular audits of their compliance with theirown information security1098
policies and procedures, and any additional requirements of law, including a review of their logs,1099
incident reports and credentialloss occurrences, and MUST periodically review the effectiveness of1100
their policies and procedures in light of that data.1101
1102
Both internal and third-party audits are considered acceptable for conformance to this1104
Requirement. This Requirement does not dictate frequency of audits. However, the processes,1105
policies, procedures for conducting audits, and audit findings, as well as those for defining the1106
frequency of audits, must be documented. Additionally, a process for remediating and correcting1107
deficiencies identified during audits must also be documented.1108
1109
REFERENCES1110
As an example: HIPAA Security Regulations regarding auditable controls and periodic review of1111
logs: 45 CFR Part 164, § 164.308(a)(1)(ii)(D), § 164.312(b): http://www.ecfr.gov/cgi-bin/text-1112
idx?node=pt45.1.164&rgn=div51113
1114
1117
KEYWORDS1118
AUDIT, LOGS, POLICIES, PROCESS, SECURITY1119

5
USABLE-1. USABILITY PRACTICES1120
Entities conducting digital identity management functions MUST apply user-centricdesign, and1121
industry-accepted appropriate usability guidelines and practices, to the communications, interfaces,1122
policies, data transactions, and end-to-end processes they offer, and remediate significant defects1123
identified by their usability assessment.1124
1125
The term "user-centric" design is a key tenet and requirement of the IDESG founding document: the1127
National Strategy for Trusted Identities in Cyberspace (NSTIC) dated April 15, 2011. This term is1128
further described in Appendix A and is a common term in the User Experience domain.1129
1130
REFERENCES1131
Consult the UXC Resources page located here for examples of non-normative UX practices:1132
https://www.idecosystem.org/wiki/UXC_resources.1133
Consult the UXC Dictionary page located here for examples of UXC definitions of terms in these1134
requirements and supplemental guidelines, in addition to those provided in Appendix A to this1135
document: https://www.idecosystem.org/wiki/UXC_Dictionary.1136
1137
1140
KEYWORDS1141
ASSESSMENT, DESIGN, REMEDIATION, USABILITY1142

6
USABLE-2. USABILITY ASSESSMENT1143
Entities MUST assess the usability of the communications, interfaces, policies, data transactions,1144
and end-to-end processes they conduct in digital identity management functions.1145
1146
Entities may satisfy this Requirement by confirming that they have conducted a usability assessment1148
of their digital identity management functions. Other Requirements and best practices in this set1149
address their duty to mitigate issues identified in that assessment.1150
1151
REFERENCES1152
Consult the UXC Guidelines and Metrics page:1153
https://www.idecosystem.org/wiki/User_Experience_Guidelines_Metrics1154
1155
1158
KEYWORDS1159
ASSESSMENT, USABILITY1160

7
USABLE-3. PLAIN LANGUAGE1161
Information presented toUSERS in digital identity management functions MUST be in plain1162
language that is clear and easy for a general audience or the transaction's identified target audience1163
to understand.1164
1165
Instructions for use of the systemshould be visible or easily retrievable whenever appropriate.1167
Help and documentation information should be easy to search, focused on the users' task, listing1168
concrete steps to be carried out, and be concise.1169
Platform conventions for words, actions, and situations are consistent across the platform.1170
Example: users should not have to wonder whether different words, situations, or actions mean the1171
same thing across the platform.1172
The systemshould speak the users' language, following real-world conventions and making1173
information appear in a natural and logical order. Example: Systems should use words or phrases and1174
graphics or icons familiar to the user rather than system-oriented terms. Example: although the1175
phrase "privacy enhancing technology" is widely in use in industry, research suggests that "privacy1176
protection" is more readily understood and used by real users.1177
Error messages should be expressed in plain language, without codes, clearly indicating the problem1178
and constructively suggesting a solution.1179
The user’s identity status on a systemshould be clear to the user. Example: It should be clear to the1180
user whether their identity is anonymous, pseudonymous or verified.1181
Any change in identity status should be presented in clear language to the user. Example: If a1182
process requires a user to switch to a verified identity from a more anonymous state, the user should1183
be clearly prompted to change their identity status.1184
Descriptions of states of identity (verified, anonymous, pseudonymous) should be linked to clear,1185
easy to read, understandable and concise definitions.1186
If standard definitions are available, they should be used.1187
The design of the website should eliminate information that is irrelevant or rarely needed.1188
Layout and look/feel/branding, in addition to language, should also eliminate information that is1189
rarely needed.1190
1191
REFERENCES1192
None.1193
1194
1197
KEYWORDS1198
CHOICE, CLARITY, LANGUAGE, OPTIONS, USABILITY1199

8
USABLE-4. NAVIGATION1200
All choices, pathways, interfaces, and offerings provided toUSERS in digital identity management1201
functions MUST be clearly identifiable by the USER.1202
1203
Systemsshouldprovide clearandeasy touse pathwaystohelpusersrecognize,diagnose,andrecoverfrom1205
user-made errors.1206
The informationneededbythe usertounderstandanychoice shouldbe clearlyvisible inasingle,visible1207
window. Dialoguesshouldnotcontaininformationthatisirrelevantorrarelyneeded.1208
To mitigate the riskof errors,systemsshouldallow the userthe optiontocancel,skipordecline,before they1209
committo a pathwayactionaswell asprovide aconfirmationnoticeaftertheycommit.1210
If an entitydecidesanactionisrequired,andauserchoosestoskipor decline thisaction,the entity'ssystem1211
shouldstate clearlytothe userif the transactionwill notbe completedandpresentapathwayforredress.1212
If a useraccepts,skipsor declinesanoption, the entity'ssystemshouldstate clearlytothe userthe1213
transactionwasor wasnot completed.1214
An entity'ssystemsshouldallow usersthe choice toproceedanonymously,pseudonymouslyorwithany1215
chosen/ assignedidentitywhereappropriate.1216
An entity'ssystemsshouldallow the user choice andclearoptionsforchangingthe statusof theiridentity.1217
For example: switchingtoanonymousbrowsing.1218
Informationusersneedtomake decisionsshouldbe readilyavailable andtransparenttothe user.1219
The identityof the entityandentity'ssystemswithwhichthe userisinteractingshouldbe clearlyvisibleand1220
understandable tousersatall times. Thisincludesthirdpartiesandchangesbetweenentitiesandusersduring1221
sessions.1222
Whena newuserchoosesanidentityprovider,the availableoptionsshouldbe clearlypresentedsothata1223
usercan make an informeddecision. Whenanew uservisitsarelyingpartysite,the usershouldbe presented1224
withinformationaboutthe requestforidentityproofing,verificationorattributesand the typesof identity1225
providersorframeworksthatare acceptable.1226
Clearpathwaysshouldexistforuserstoprocure desiredservices.1227
The usershouldbe presentedwithpathwaystothe identityservicestheydesire,suchas: privacyoptions,1228
identitycaching,etc.1229
Organizationsshouldoperate inamannerthatallowsindividualstoeasilyswitchserviceprovidersif the1230
organizationfailstomeetuserexpectations,becomesinsolvent,isincapable of adhering topolicies,orrevises1231
theirtermsof service. See alsoINTEROP-BP-A (RECOMMENDEDPORTABILITY).1232
1233
REFERENCES1234
None.1235
1236
APPLIESTOACTIVITIES1237
REGISTRATION,CREDENTIALING,AUTHENTICATION,AUTHORIZATION,INTERMEDIATION1238
1239
KEYWORDS1240
CHOICE,CLARITY, CONTROLS,CORRECTION,DESIGN,OPTIONS,USABILITY1241

9
USABLE-5. ACCESSIBILITY1242
All digital identity management functions MUST make reasonable accommodations to be accessible1243
to as many USERS as is feasible, and MUST comply with all applicable laws and regulations on1244
accessibility.1245
1246
Entities should review all accessibility standards and apply what they deem feasible to their sites1248
based upon their legal and regulatory environment.1249
All entities, when feasible, should provide equivalent access to and use of information and systems1250
to users with disabilities that is comparable to the use and access by those who are users without1251
disabilities.1252
All sites should provide all feasible functionality to any user with a compatible internet connected1253
device as those available to individuals without disabilities.1254
User with disabilities should have access to documentation tailored to their needs, as is feasible.1255
User-Centered Design that accounts for accessibility issues should be used whenever possible.1256
The specific requirements applicable to particular vertical industries (health, finance, etc.) should1257
also be reviewed and applied when relevant.1258
1259
REFERENCES1260
Some existing relevant standards and regulations include:1261
Section 508 contains information about accessibility: https://www.section508.gov/1262
For example, see ISO 9241 (2010) "Human-centred design processes for interactive systems" and1263
ISO/IEC 40500 (2012) Information technology — W3C Web Content Accessibility Guidelines (WCAG)1264
2.01265
Consult the UXC Resources page located here for examples of non-normative UX practices:1266
https://www.idecosystem.org/wiki/User_Experience_Guidelines_Metrics1267
1268
1271
KEYWORDS1272
ACCESSIBLE, ACCOMMODATION, DESIGN, USABILITY1273

0
USABLE-6. USABILITY FEEDBACK1274
All communications, interfaces, policies, data transactions, and end-to-end processes provided in1275
digital identity management functions MUST offer a mechanism to easily collect USERS' feedback1276
on usability.1277
1278
All websites should provide a mechanism to gather feedback from users on site usability, adjusting1280
the site design in response when appropriate.1281
Users should be provided equitable choices where possible around the mechanisms they can use to1282
express their feedback to entities. Parameters, risks and benefits for those choices should be clear to1283
the user.1284
1285
REFERENCES1286
Additional information on collecting USER feedback can be found in our UXC Guidelines and1287
Metrics page: https://www.idecosystem.org/wiki/User_Experience_Guidelines_Metrics1288
1289
1292
KEYWORDS1293
ASSESSMENT, DESIGN, FEEDBACK, USABILITY1294

1
USABLE-7. USER REQUIREMENTS1295
Wherever public open STANDARDS or legal requirements exist for collecting user requests, entities1296
conducting digital identity management functions MUST offer structured opportunities for USERS to1297
document and express these requests, early in theirinteractions with those functions. Entities1298
MUST provide a response to those user requests on a reasonably timely basis.1299
1300
Any entity "collecting personal data," whether they are first or third parties, would mean that the1302
entity is interacting with USERS directly and therefore should provide a response to user requests1303
early on in the interaction or collection. Website USER do-not-track requests are an example of a1304
USER request. An example of a site that handles responses to Do Not Track (DNT) requests in this1305
manner is Medium.com which sends a single popup to new users, whether or not they are registered,1306
about how they will handle the DNT request.1307
As a general principle, consent choices or other similar must-see-this-first information should be1308
exchanged in a first encounter, and then honored in and presented in a consistent manner thereafter.1309
Suggested ways for User Experience mitigation includes using pop-up boxes or email responses to1310
user requests. Links to information regarding additional use should provide adequate time for users1311
to read the information presented to them.1312
The entity gathering requests should state whether identity information is being used, and the user1313
must be notified.1314
Please note that the IDESG Privacy Requirements apply to these interactions and the data they1315
generate.1316
1317
REFERENCES1318
More information about Do Not Track can be found at these links:1319
FTC website on Do Not Track: https://www.ftc.gov/news-events/media-resources/protecting-1320
consumer-privacy/do-not-track1321
Do Not Track standard work at the W3C: http://www.w3.org/2011/tracking-protection/1322
1323
1326
KEYWORDS1327
ACCESSIBLE, ACCOMMODATION, ACCOUNT, CHOICE, CONSENT, FEEDBACK, OPEN-STANDARDS,1328
USABILITY1329

2
BEST PRACTICES AND POTENTIAL FUTURE REQUIREMENTS1330
1331
INTEROP-BP-A. RECOMMENDED PORTABILITY1332
Entities SHOULD utilize services and systems that allow for identity account portability; specifically:1333
(a) IDENTITY-PROVIDERS SHOULD provide an easy to use method to allow to switch to a new1334
provider(s).1335
(b) IDENTITY-PROVIDERS SHOULD provide departing USERS a mechanism to link their RELYING-PARTY1336
accounts with their new provider(s).1337
(c) RELYING-PARTIES SHOULD provide USERS with a mechanism to associate multiple credentials to a1338
single account.1339
(d) RELYING-PARTIES SHOULD provide USERS with a mechanism to have a single account per1340
credential.1341
(e) IDENTITY-PROVIDERS SHOULD utilize services and systems that allow for affordable identity1342
account portability.1343
(f) Wherever feasible, IDENTITY-PROVIDERS SHOULD provide USERS with a mechanism for1344
portability of their privacy and other USER preferences.1345
1346
1347
The term "account portability" means the ability for a USER to move to a different service provider1349
to provide registration, credentialing and authentication services, and authorize the transfer of1350
account information from an original service provider to the chosen provider. Portable identity data1351
should include the following types of information: registration information, credentials, preferences,1352
and associated accounts.1353
1354
REGISTRATION, CREDENTIALING, AUTHENTICATION1356
1357
KEYWORDS1358
ACCOUNT, CHOICE, INTEROPERABILITY, PORTABILITY, USABILITY1359

3
INTEROP-BP-B. RECOMMENDED EXCHANGESTANDARDS1360
Entities that conduct digital identity management functions SHOULD utilize systems and processes to1361
communicate and exchange identity-related data that conform to public open STANDARDS listed in the1362
IDESG Standards Registry, or if that Registry does not include feasible options, then to nonproprietary1363
specifications listed in the IDESG Standards Inventory.1364
1365
This best practice adds, to the requirement of INTEROP-4, the recommendation that the public open1367
STANDARDS used for these data interface and exchange functions be selected from the IDESG1368
Standards Registry or IDESG Standards Inventory. Please note the additional recommendations for1369
use of formal models, at a higher level of abstraction, in INTEROP-BP-D.1370
1371
1374
KEYWORDS1375
ATTRIBUTE, INTEROPERABILITY, OPEN-STANDARDS, PROCESS, TRANSACTION1376

4
INTEROP-BP-C. RECOMMENDED TAXONOMY STANDARDS1377
Entities SHOULD utilize stable, published common taxonomies to enable semantic interoperability of1378
attributes, and SHOULD use public open STANDARDS for those taxonomies when operating within1379
communities where such STANDARDS have been established.1380
1381
Most taxonomies are used within a specific community of interest, such as the InCommon1383
community for federated higher education identity transactions. See, for example, the published set1384
at: http://www.incommon.org/federation/attributesummary.html That example provides detailed1385
definitions and usage notes for the attributes most commonly shared within that community, and a1386
more formal definition model at:1387
https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-1388
201203.html.1389
1390
1393
KEYWORDS1394
ASSERTION, ATTRIBUTE, INTEROPERABILITY, OPEN-STANDARDS1395
1396

5
INTEROP-BP-D. RECOMMENDED PROCESS MODELS1397
Entities SHOULD employ stable, published common formal models and business processes for digital1398
identity management functions, and SHOULD use public open STANDARDS for those models and1399
processes where such STANDARDS have been established and are appropriate for those functions.1400
1401
This best practice recommends the adoption of standardized, modeled processes for digital identity1403
management functions, so that participants in an identity ecosystem(including USERS, IDENTITY-1404
PROVIDERS, AND RELYING-PARTIES) can have reasonable and common understanding of identity1405
exchanges being conducted among communities of interest and identity federations. This best practice1406
and potential future requirement anticipates the standardization of these functions and processes,1407
eventually through standard development organizations and adoption by the IDESG.1408
Please note, this recommendation INTEROP-BP-D seeks adoption of formal models and formally1409
defined business processes, in contrast to the use of on-the-wire data exchange standards1410
recommended in INTEROP-BP-B. For more on the distinctions among business process layers, data1411
structure layers (in the "business operational view") and data exchange methods and formats (in the1412
"functional service view"), see ISO/IEC 14661 (2010).1413
1414
1417
KEYWORDS1418
ARCHITECTURE, INTEROPERABILITY, OPEN-STANDARDS, PROCESS, TRANSACTION1419

6
INTEROP-BP-E. RECOMMENDED MODULARITY1420
Entities SHOULD implement modular identity components in their digital identity management1421
functions.1422
1423
This best practice is for IDENTITY-PROVIDERS to offer modular identity solutions for the services1425
and functions they perform relating to digital identity management. "Modular identity solutions" are1426
services that can be used by USERS, RELYING-PARTIES and other participants either individually, or in1427
combination with other modular services from the same or different providers, in order to provide1428
choices and efficiencies in meeting their needs. Often such services are designed and offered around1429
single function, and with STANDARDS-based interfaces that allow them to be composed with other1430
purchased services or the purchaser's own systems.1431
On the concept of service modularity and composition generally, see: A Practical Guide to Federal1432
Service Oriented Architecture (Federal CIO Council, 2008), at page 16: https://cio.gov/wp-1433
content/uploads/downloads/2013/03/PGFSOA_v1-1.pdf, and OASIS SOA Reference Model (2006):1434
http://docs.oasis-open.org/soa-rm/v1.0/soa-rm.html1435
1436
1439
KEYWORDS1440
ARCHITECTURE, DESIGN, INTEROPERABILITY, OPEN-STANDARDS1441
1442

7
INTEROP-BP-F. RECOMMENDED FEDERATIONCOMPLIANCE1443
When conducting digital identity management functions within an identity FEDERATION, entities1444
SHOULD comply in all substantial respects with the published policies and systemrules that explicitly1445
required by that FEDERATION, according to the minimum criteria set by that FEDERATION.1446
1447
This best practice applies to entities that participate in a structured identity federation with1449
published policies and systemrules that apply to all participants in the federation. Entities are1450
responsible for assessing and monitoring their own compliance with federation or systemrules, except1451
in cases where those rules provide for additional measures. This best practice only recommends that1452
an entity confirm that they are in substantial compliance in all respects with the rules of the1453
federation when operating within that federation.1454
1456
REFERENCES1457
References for Federation policies and rules: InCommon Bronze/Silver Identity Assurance profile,1458
https://www.incommon.org/docs/assurance/IAP.pdf; Kantara Identity Assurance Framework,1459
https://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Accreditation+and+1460
Approval+Program; FICAM Trust Framework Provider Adoption Process,1461
http://www.idmanagement.gov/documents/trust-framework-provider-adoption-process-tfpap-all-1462
levels-assurance1463
1464
1467
KEYWORDS1468
COMPLIANCE, FEDERATION, INTEROPERABILITY, POLICIES1469
1470

8
INTEROP-BP-G. RECOMMENDED LEGAL COMPLIANCE1471
When conducting digital identity management functions, entities SHOULD comply in all substantial1472
respects with all laws and regulations applicable to those relevant functions.1473
1474
This best practice applies to digital identity management functions for entities that operate in a1476
regulated industry or perform online transactions subject to specific statutory/regulatory1477
requirements such as HIPAA and COPPA. Such regulated entities are responsible for determining1478
themselves the laws and regulations that apply to their activities, but this best practice applies only to1479
those laws and regulations that address identity management functions. This best practice only1480
recommends that entities have assessed and confirm that they have made that determination, and1481
are in compliance. Entities who conduct identity transactions with them simply ought to be able to1482
rely on the assumption that their counterparty is operating in accordance with applicable laws.1483
Absence of findings from examiners or other reviewers are an indication of compliance.1484
1485
REFERENCES1486
Some entities, and different classes of digital identity management transactions, may be subject to1487
specialized or additional obligations by operation of law or regulation. Reference examples include:1488
Know Your Customer Requirements, USA Patriot Act sec. 326; Health Insurance Portability and1489
Accountability Act (HIPAA) regulations for certain healthcare personal and payment information; and1490
Children's Online Privacy Protection Act (COPPA) for entities whose transactions are governed by its1491
requirements.1492
1493
1496
KEYWORDS1497
COMPLIANCE, INTEROPERABILITY, REGULATION1498

9
PRIVACY-BP-A. RECOMMENDED QUALITY CONTROLS1499
Entities SHOULD determine the necessary quality of personal information used in their digital identity1500
management functions based on the risk of those functions and the information, including risk to the1501
USERS involved.1502
1503
Entities obtaining personal information about a USER may have multiple ways to obtain the1505
necessary data, or to assure its quality (generally, its accuracy, detail, timeliness or authoritative1506
source). Some of those choices may be less invasive, or create less risk of USER privacy loss, than1507
others. Additionally, some may result in higher- or lower-quality accuracy of the data. Entities SHOULD1508
consider the effects of these choices on the USER whose personal information is being collected and1509
used.1510
In the absence of formal data quality standards, entities SHOULD consider the timeliness,1511
completeness, accuracy, and sources of data when evaluating the quality of personal information.1512
These goals may be most easily implemented in systemdesign, when identity management systems1513
are being designed or renovated.1514
1516
1519
KEYWORDS1520
ARCHITECTURE, DATA-INTEGRITY, LIMITATION, RISK1521

0
PRIVACY-BP-B. RECOMMENDED TECHNOLOGY ENFORCEMENT1522
Wherever feasible, privacy requirements and policies SHOULD be implemented through technical1523
mechanisms. Those technical privacy controls SHOULD be situated as low in the technology stack as1524
possible.1525
1526
Privacy controls are mechanisms that mitigate privacy risk. These may overlap with security1528
controls.1529
1530
1533
KEYWORDS1534
ARCHITECTURE, POLICIES, PROCESS1535

1
PRIVACY-BP-C. RECOMMENDED CONSEQUENCES OF DECLINING1536
Entities SHOULD provide short, clear notice to USERS of the consequences of declining to provide1537
mandatory and optional personal information.1538
1539
This recommendation builds on and improves the mandate in Requirement PRIVACY-11 (OPTIONAL1541
INFORMATION).1542
Regarding "personal information," see Appendix A and PRIVACY-1 (DATA MINIMIZATION). See also1543
the IDESG Usability Requirements (USABLE-1 through USABLE-7) regarding the clarity of notices given1544
to USERS and others.1545
If personal information is requested from USERS during registration that is optional, that1546
designation should include a short and clear description justifying the request of that data.1547
If information collection or attribute value release is designated as mandatory, that designation1548
should include a short and clear description of the consequences of declining to provide that1549
information or allowing that release.1550
If an entity requests to release attributes values during a transaction that are the beyond the1551
minimum necessary to complete that transaction, that release should be clearly presented as1552
optional/a choice. That optional designation should include a short and clear description justifying the1553
release of that data.1554
1555
REGISTRATION, AUTHORIZATION1557
1558
KEYWORDS1559
CHOICE, LIMITATION, NOTICE, USABILITY1560

2
USABLE-BP-A. RECOMMENDED ATTRIBUTEREQUIREMENTS QUERY1561
Entities conducting digital identity management functions SHOULD offer persistent opportunities for1562
USERS to document and communicate their unique requirements about their attributes and how they1563
are used. Entities SHOULD provide good-faith responses to those communications about1564
requirements, before the USER is asked to agree to share their attributes.1565
1566
As a general principle, consent choices or other similar must-see-this-first information should be1568
exchanged in a first encounter, and then honored in and presented in a consistent manner thereafter.1569
Suggested ways for User Experience mitigation include pop-up boxes or email responses to1570
requests. Links to information for additional use and adequate time to read should be included in the1571
process for [end] users.1572
Entities should state clearly in an easy to find manner to users whether identity information is being1573
used.1574
Special attention should be paid to the unique dynamics and vulnerabilities for users around1575
attribute exchanges, particularly toward transparency of communications.1576
See the related user-requirements-gathering processes described in USABLE-7 (USER1577
REQUIREMENTS).1578
1579
REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION,1581
1582
KEYWORDS1583
ACCOMMODATION, ATTRIBUTE, CHOICE, CONSENT, MINIMIZATION, USABILITY1584

3
APPENDIX A: Defined Terms1585
1586
The material below is a partial set of defined terms, a work-in-progress gathered from the IDESG1587
Glossary, the User Experience Committee's "UXC Dictionary wiki", and the Requirements descriptions1588
developed by various IDESG committees.1589
These definitions will be harmonized as a single normative glossary in a future edition of the1590
Requirements. In this document, they are informative but not normative, and may be considered part1591
of the Supplemental Guidance to this Requirements set. Some meanings may vary from Requirement1592
to Requirement based on context.1593
1594
* * *1595
1596
ANONYMOUS: An interaction designed such that the data collected is not sufficient to infer the1597
identity of the USER involved nor is such data sufficient to permit an entity to associate multiple1598
interactions with a USER or to determine patterns of behavior with a USER.1599
1600
DIGITAL IDENTITY MANAGEMENT FUNCTIONS: includes each of the functions described in the IDESG1601
Functional Model (registration, credentialing, authentication, authorization, and intermediation),1602
which also encompass enrollment, identity proofing, identity vetting, access control, attribute1603
management, transaction processing, and identity data maintenance.1604
1605
ENTITY / ENTITIES: Any organization providing identity services.1606
1607
IDENTIFIERS: numbers or other non-attribute designations designed to specify individuals or sets of1608
individuals in a system.1609
1610
NONPROPRIETARY PUBLISHED FORMAT/SPECIFICATION: a known and consistent format that is1611
published and transparent to all RELYING-PARTIES and IDENTITY-PROVIDERS in the relevant network,1612
and is not controlled by a commercial interest.1613
1614
PERSONAL INFORMATION: broadly means any information about or linked to a USER that is collected,1615
used, transmitted, or stored in or by digital identity management functions. <1616
1617
PSEUDONYMOUS: An interaction designed such that the data collected is not sufficient to allow the1618
entity to infer the USER involved but which does permit an entity to associate multiple interactions1619
with the USER’s claimed identity.1620
1621
REDRESS: When (a) an entity offers an opportunity for a party who is transacting with it to complain1622
or ask for adjustment, if the transaction is unsatisfactory to that other party; and (b) the entity1623
responds clearly to each request of that kind; and (c) if the request relates to the entity's failure to1624

4
comply with the IDESG Baseline Requirements, the entity cures the failure to comply, or provides a1625
remedy for the failure.1626
1627
USER: In USABILITY statements, refers to an individual human being. This does not include machines,1628
algorithms, or other non-human agents or actors. Equivalents and related terms may include: user,1629
user centric, user centered, human centered, end user, individual user, user-friendly.1630
In SECURITY statements, may refer either to an individual natural person, or to an entity such as a1631
company or agency: Various security requirements may confer opportunities, rights or remedies on a1632
party or account which is served by a cybersecurity function, whether that account relates to a single1633
human or to an organization.1634
For definitions of user, user-centric and others, see the NSTIC Strategy (page 8 and throughout) :1635
1637
USER-CENTRIC: Systems, design and/or program processes that put the individual human being at1638
the center of the activity. Equivalents and related terms may include: user centric, user centered,1639
human centered, end user, individual user, user-friendly. For definitions of user, user-centric and1640
others, see the NSTIC Strategy (at pages 8, 12, 15, 19, 21, 35 and 36):1641

5
INDEX OF KEYWORDS by page number1643
(non-normative,auto-generated)1644
1645
ACCESSIBLE.........................................................................................................................................49, 511646
ACCOMMODATION......................................................................................................................49, 51, 621647
ACCOUNT...............................................................................................................................26, 41, 51, 521648
ACCOUNTABILITY........................................................................................................................................131649
AGGREGATION..........................................................................................................................................191650
ANONYMITY .............................................................................................................................................261651
ARCHITECTURE.................................................................................................................29, 55, 56, 59, 601652
ASSERTION .......................................................................................................................................6, 7, 541653
ASSESSMENT ....................................................................................................................27, 38, 45, 46, 501654
ATTRIBUTE..................................................................................................................17, 29, 31, 53, 54, 621655
AUDIT ...........................................................................................................................................14, 43, 441656
AUTHENTICATION ..............................................................................................................................37, 381657
CHANGES............................................................................................................................................21, 231658
CHOICE.........................................................................................21, 22, 24, 25, 26, 47, 48, 51, 52, 61, 621659
CLARITY..............................................................................................................................................47, 481660
COMPLIANCE....................................................................................................................12, 13, 14, 57, 581661
CONSENT..........................................................................................................................19, 23, 24, 51, 621662
CONTROL..................................................................................................................................................211663
CONTROLS....................................................................................................................................27, 36, 481664
CORRECTION......................................................................................................................................21, 481665
CREDENTIAL .................................................................................................6, 7, 18, 32, 33, 34, 35, 41, 421666
DATA-INTEGRITY...............................................................................................................31, 32, 33, 34, 591667
DATA-INTERFACE........................................................................................................................................81668
DESIGN .......................................................................................................................19, 45, 48, 49, 50, 561669
DUPLICATION ...........................................................................................................................................321670
EXCHANGE..................................................................................................................................................81671
EXPIRY ................................................................................................................................................41, 421672
FEDERATION.............................................................................................................................................571673
FEEDBACK...........................................................................................................................................50, 511674
IDENTIFIER..................................................................................................................17, 18, 26, 29, 35, 361675
INTERMEDIARIES..................................................................................................................................5, 121676
INTEROPERABILITY......................................................... 5, 6, 7, 8, 9, 12, 13, 14, 52, 53, 54, 55, 56, 57, 581677
LANGUAGE ...............................................................................................................................................471678
LIMITATION...................................................................................15, 16, 17, 18, 19, 22, 25, 27, 28, 59, 611679
LOGS...................................................................................................................................................43, 441680
LOSS....................................................................................................................................................41, 421681
MINIMIZATION.............................................................................................................................15, 17, 621682
MULTIFACTOR...........................................................................................................................................371683

6
NOTICE.........................................................................................................................9, 20, 22, 23, 25, 611684
OPEN-STANDARDS....................................................................................................7, 8, 30, 51, 53, 55, 581685
OPTIONS.............................................................................................................................................47, 481686
PKI ............................................................................................................................................................401687
POLICIES...............................................................................................9, 13, 14, 20, 27, 30, 40, 44, 57, 601688
PORTABILITY.......................................................................................................................................22, 521689
PRIVACY................................................................ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 291690
PROCESS...................................................................................9, 29, 32, 34, 39, 41, 42, 43, 44, 53, 55, 601691
PROVISIONING .......................................................................................................................34, 35, 36, 411692
PURPOSE ..........................................................................................................................15, 16, 18, 23, 281693
RECOVERY.................................................................................................................................................411694
REDRESS ....................................................................................................................................................131695
REGULATION ............................................................................................................................................581696
REMEDIATION ..........................................................................................................................................451697
RETENTION.........................................................................................................................................21, 281698
REVOCATION............................................................................................................................................421699
RISK.......................................................................................................................13, 18, 19, 27, 30, 38, 591700
SECURITY.............................................................. 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 441701
THIRD-PARTIES...........................................................................................................................5, 6, 12, 221702
TOKEN...................................................................................................................32, 33, 34, 36, 37, 41, 421703
TRANSACTION......................................................................................................................8, 9, 12, 53, 551704
UPTIME.....................................................................................................................................................391705
USABILITY...........................................................................................45, 46, 47, 48, 49, 50, 51, 52, 61, 621706
VALIDATION..............................................................................................................................................141707
17081709

NSTIC IDESG Baseline Requirements for Security, Privacy, UX and Interop

More Related Content

Recently uploaded (20)

Featured (20)

NSTIC IDESG Baseline Requirements for Security, Privacy, UX and Interop