Editor’s Note: The NIST Interagency Report NISTIR 7817, A Credential Reliability and Revocation Model for Federated Identities by Hildegard Ferraiolo is attached here. The Introduction is below.
Identity providers establish and manage their user community’s digital identities. These identities (in the form of digital credentials) are employed by users to authenticate to service providers. The digital identity technology deployed by an identity provider for the population of its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.
A federated community accommodates two or more identity providers along with their specific authentication solutions. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attribute(s). In the absence of a uniform method, this document investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, this document also suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.