Bridging the Gap: Managing Dual Assurance Levels in OpenID Connect
Abstract
This paper introduces and addresses the challenges of managing an electronic identity's Level of Assurance (LoA), which has two types: the LoA of authentication and the LoA of identity. We explore different technical specifications, protocols, and concrete identity providers' strategies for managing these two levels of assurance, highlighting the implications of protocols that support only a single LoA instead of two. An extension to the OpenID Connect protocol is proposed to support both LoA types, introducing a new claim, the Identity Context Class Reference (ICR). This approach ensures compatibility and versatility with existing technical specifications.
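As an added illustration (not code from the paper), the following relying-party check evaluates the standard OpenID Connect `acr` claim and the proposed identity-level claim separately, so that strong authentication never substitutes for weak identity proofing or the reverse. The JSON claim name `icr` and the low/substantial/high level ordering are assumptions made for this example.

```python
"""Relying-party check for dual assurance levels in an OpenID Connect ID token."""
from typing import Optional, Tuple

# Assumed ordering of assurance levels (constructed for this example).
LEVELS = {"low": 1, "substantial": 2, "high": 3}


def level_rank(value: Optional[str]) -> int:
    """Map a level name to a rank; unknown or absent levels rank lowest (0)."""
    if value is None:
        return 0
    return LEVELS.get(value.strip().lower(), 0)


def meets_assurance(claims: dict, min_auth: str, min_identity: str,
                    identity_claim: str = "icr") -> Tuple[bool, str]:
    """Return (accepted, reason) for an already signature-verified ID token.

    `acr` is the standard OIDC authentication context claim; `identity_claim`
    is the assumed JSON name for the Identity Context Class Reference (ICR).
    Both must be present and each must meet its own minimum: one level never
    compensates for the other.
    """
    auth = claims.get("acr")
    ident = claims.get(identity_claim)
    if auth is None:
        return False, "acr missing"
    if ident is None:
        return False, f"{identity_claim} missing: identity LoA unknown"
    if level_rank(auth) < level_rank(min_auth):
        return False, f"acr {auth!r} below required {min_auth!r}"
    if level_rank(ident) < level_rank(min_identity):
        return False, f"{identity_claim} {ident!r} below required {min_identity!r}"
    return True, "ok"


# Constructed ID token payloads (signature verification assumed done earlier).
STRONG_AUTH_WEAK_IDENTITY = {"sub": "u1", "acr": "high", "icr": "low"}
BOTH_HIGH = {"sub": "u2", "acr": "high", "icr": "high"}
SINGLE_LOA = {"sub": "u3", "acr": "high"}  # single-LoA provider: no identity LoA

if __name__ == "__main__":
    for tok in (STRONG_AUTH_WEAK_IDENTITY, BOTH_HIGH, SINGLE_LOA):
        print(tok["sub"], meets_assurance(tok, "substantial", "substantial"))
```

The third token shows the situation the paper describes: a provider that conveys only one LoA leaves the relying party unable to judge identity assurance at all, so the safe decision is to reject rather than assume.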
Published
16/09/2024
How to Cite
SILVA, Brendon Vicente R.; SCHARDONG, Frederico; CUSTÓDIO, Ricardo F. Bridging the Gap: Managing Dual Assurance Levels in OpenID Connect. In: WORKSHOP DE GESTÃO DE IDENTIDADES DIGITAIS - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 185-188. DOI: https://doi.org/10.5753/sbseg_estendido.2024.243389.