usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Federation Assurance Level (FAL) #279

Closed KantaraInitiative-IAWG closed 8 years ago

KantaraInitiative-IAWG commented 8 years ago

Organization: Kantara Initiative

Type: 2

Document (63-3, 63A, 63B, or 63C): SP 800-63C

Reference (Include section and paragraph number): Section 7 - Federation Assurance Level (FAL)

(KI Ref: KI/ADG#37)

Comment (Include rationale for comment): The FAL is described as a scale that increases, but what is it measuring? What is increasing about the scale? Why does indirect exceed direct?

Suggested Change: Please provide an explanation for why indirect assertions are ranked above direct assertions.

jricher commented 8 years ago

Indirect assertions don't leak information through the browser, as described in the section that defines indirect and direct presentation methods. This can be clarified if warranted.

vanderaj commented 8 years ago

As the lead author of the OWASP Application Security Verification Standard, I would love to see a three level FAL, which we could map directly into our standard. We have the following levels:

L1 - apps which have limited risk: brochureware, public websites or games, with basic integrity and limited confidentiality requirements

L2 - most apps fall into L2: LOB apps, ERP systems, logistics, mining, travel industry booking systems, etc, etc

L3 - risky apps fall into L3: those apps that can kill you (medical and automotive apps), financial apps that handle many millions of dollars of transactions per day, international or national finance backends, and those where malicious code and backdoors are a significant threat

Let me know if I can help give more substantive feedback here, or align our standard with yours, as we have many ASVS authentication requirements which are a perfect 1:1 match for this standard.

jricher commented 8 years ago

We tried to make the FAL align with technical implementation requirements without being specific to the underlying protocol. Your levels sound reasonable as an assessment of risk, which is to say, what will go wrong if it's broken. As opposed to that, we're trying to describe the positive aspect of what to deploy and how that can be compared.

sshorter commented 8 years ago

Direct assertions can expose some metadata to the browser, but trusted channel with end-to-end authentication and encryption will not leak the authentication protocol messages to the client nor allow the client to modify them. The decision to rank indirect assertions higher than direct assertions seems arbitrary.

jricher commented 8 years ago

It's not arbitrary, and if you see the current text you'll note that encrypted assertions through the browser are held at a similar weight to signed assertions fetched by reference.

sshorter commented 8 years ago

Thanks Justin. Not saying that it is arbitrary, just that it seems that way since we can't see the rationale. For example, the following questions come to mind from the current text:

1. Why does the current require encryption to the RP at different FAL levels for indirect vs direct?

2. Why does FAL2 map to LOA2 and LOA3 in the "strict adherence" table?

3. What is the basis for the differences between the "strict adherence" table and the "agency guidance" table?

On Aug 25, 2016, at 4:18 PM, Justin Richer notifications@github.com<mailto:notifications@github.com> wrote:

It's not arbitrary, and if you see the current text you'll note that encrypted assertions through the browser are held at a similar weight to signed assertions fetched by reference.


jricher commented 8 years ago

Why does the current require encryption to the RP at different FAL levels for indirect vs direct?

Direct offers higher assurance without the need for per-RP encryption to protect attributes and transaction information from interstitial parties (including the browser).

Why does FAL2 map to LOA2 and LOA3 in the “strict adherence” table?

This is based on MB04-04's definitions of the LOA and the strict interpretation of that document in light of the new categories.

What is the basis for the differences between the “strict adherence” table and the “agency guidance” table?

As stated in the document, the guidance table is a reflection of what NIST believes the appropriate future guidance should be, regardless of the content of MB04-04.

sshorter commented 8 years ago
1. After reading the preceding sections, one would think that direct presentation offers lower assurance, not higher. Section 6.1 describes the reduced attack surface of an indirectly presented assertion, and Section 6.2 discusses the threat of a misbehaving client to the direct presentation model. Why would that threat be left unmitigated at FAL2 (which we should remember will map to LOA3)?

2. Okay.

3. This distinction between "strict adherence to M-04-04" and the expanded ALs could use some explanation, because it's not clear what's going on. In reviewing the sections it seems that for 63A, the rule for the expanded table seems to be "strict AL or lower", whereas for 63B and 63C the rule is "strict AL or higher". Perhaps 63-3 could include some discussion of what those tables are for and when they should be used.

jricher commented 8 years ago

1) Yes, you're correct. You'll note that the table has the correct requirements for direct and indirect. I got the terms backwards in my response, which is to me a good indication that we need better terms. That's being discussed under another issue.

3) Noted, please file that as a new issue so that we can track it and tag it as applying to 63-3.

sshorter commented 8 years ago

1) Maybe I'm reading the table incorrectly, because I do not note that. What I see in the first table in 7.1 is that plaintext direct assertions are permitted at the same level that requires encrypted indirect assertions.

3) Will do.