Trustmark Definition: Federation - Validation of Assertion Confidentiality, version 1.0
URL: https://artifacts.trustmarkinitiative.org/lib/tds/federation---validation-of-assertion-confidentiality/1.0/

Description: Relying Parties must require assertions to be encrypted or delivered via protected and authenticated channels.

Publication date: 2019-04-05
Publisher: Trustmark Initiative, https://trustmarkinitiative.org/
Primary contact: Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Legal notice: This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein are provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Terms:
Access
Active Attack
Address of Record
Applicant
Approved Cryptography
Assertion
Assertion Reference
Asymmetric Keys
Attack
Attacker
Attribute
Attribute Bundle
Attribute Reference
Attribute Value
Authenticate: … authentication.
Authenticated Protected Channel
Authentication
Authentication Factor: … something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
Authentication Intent
Authentication Protocol
Authentication Protocol Run
Authentication Secret: … short-term authentication secrets, which are only useful to an attacker for a limited period of time, and long-term authentication secrets, which allow an attacker to impersonate the subscriber until they are manually reset. The authenticator secret is the canonical example of a long-term authentication secret, while the authenticator output, if it is different from the authenticator secret, is usually a short-term authentication secret.
Authenticator: … token.
Authenticator Assurance Level (AAL)
Authenticator Output
Authenticator Secret
Authenticator Type
Authenticity
Authoritative Source
Authorize
Back-Channel Communication
Bearer Assertion
Binding
Biometrics
Challenge-Response Protocol
Claimant
Claimed Address
Claimed Identity
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Credential
Credential Service Provider (CSP)
Cross-site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cryptographic Authenticator
Cryptographic Key: … asymmetric keys, symmetric key.
Cryptographic Module
Data Integrity
Derived Credential
Digital Authentication: … Electronic Authentication.
Digital Signature
Diversionary
Eavesdropping Attack
Electronic Authentication (E-Authentication): … digital authentication.
Enrollment
Entropy: … n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
Federal Information Processing Standard (FIPS)
Federation
Federation Assurance Level (FAL)
Federation Proxy
Front-Channel Communication
Hash Function
Identity
Identity Assurance Level (IAL)
Identity Evidence
Identity Proofing
Identity Provider (IdP)
Issuing Source
Kerberos
Knowledge-Based Verification (KBV)
Man-in-the-Middle Attack (MitM, MitMA)
Memorized Secret: … something they know as part of an authentication process.
Message Authentication Code (MAC)
Mobile Code
Multi-Factor: … authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authentication (MFA): … authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authenticator
Network
Nonce
Offline Attack
Online Attack
Online Guessing Attack
Pairwise Pseudonymous Identifier
Passive Attack
Passphrase
Password: … memorized secret.
Personal Data: … personally identifiable information.
Personal Identification Number (PIN)
Personal Information: … personally identifiable information.
Personally Identifiable Information (PII)
Pharming
Phishing
Possession and Control of an Authenticator
Practice Statement
Presentation Attack
Presentation Attack Detection (PAD): … liveness detection, involve measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
Private Credentials
Private Key
Protected Session: … authenticated if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be mutually authenticated.
Pseudonym
Pseudonymity
Pseudonymous Identifier
Public Credentials
Public Key
Public Key Certificate
Public Key Infrastructure (PKI)
Reauthentication
Registration: … enrollment.
Relying Party (RP)
Remote: (In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.
Replay Attack
Replay Resistance
Restricted
Risk Assessment
Risk Management
Salt
Secure Sockets Layer (SSL): … Transport Layer Security (TLS).
Session
Session Hijack Attack
Shared Secret
Side-Channel Attack
Single-Factor
Social Engineering
Special Publication (SP)
Subject
Subscriber
Symmetric Key
Token: … authenticator.
Token Authenticator: … authenticator output.
Token Secret: … authenticator secret.
Transaction
Transport Layer Security (TLS)
Trust Anchor
Usability
Verifier
Verifier Impersonation
Virtual In-Person Proofing
Weakly Bound Credentials
Zero-Knowledge Password Protocol
Zeroize

Sources:
NIST SP 800-63C: NIST Special Publication 800-63C, Digital Identity Guidelines: Federation and Assertions. June 2017. https://doi.org/10.6028/NIST.SP.800-63c

Conformance criteria:
Criterion 1 (C1):
<ul>
<li>The RP SHALL NOT accept an assertion at FAL2 or FAL3 unless the assertion is encrypted using approved cryptography.</li>
<li>The RP SHALL NOT accept any assertion that is not encrypted using approved cryptography, unless it received the assertion via an authenticated protected channel.</li>
<li>The RP SHALL NOT accept any unencrypted assertion that it received from an IdP via a third party, such as a browser.</li>
</ul>

Assessment steps:
Step 1 (A1), Assertion Encryption: Does the RP require assertions to be encrypted, or retrieve them directly from authoritative sources via authenticated and protected channels? Assertions passed through browsers must be encrypted. Assertions relayed directly from IdP to RP only have to be encrypted at FAL3.