ISO/IEC 27553 – Security and privacy requirements for authentication using biometrics on mobile devices, is divided in two parts, Part 1: Local mode, and Part 2: Remote mode. Part 1 has passed an FDIS ballot and is under publication as an International Standard (IS). Work on Part 2 is being progressed to Working Draft (WD) status.
ISO/IEC 27554 – Application of ISO 31000 for assessment of identity-related risk remains at Committee Draft (CD) status.
ISO/IEC 27560 – Consent record information structure has been progressed to Draft Technical Specification (DTS).
ISO/IEC 27561 – Privacy Operationalization Model and Method for Engineering (POMME) remains at Committee Draft (CD) status.
ISO/IEC 27562 – Privacy guidelines for fintech services has been progressed to Committee Draft (CD) status.
ISO/IEC 27563 – Security and privacy in artificial intelligence use cases will be published as a technical report (TR).
ISO/IEC 27565 – Guidelines on Privacy Preservation based on Zero-Knowledge Proofs remains at Working Draft (WD) status.
New work item proposals (NP) and preliminary work items (PWI):
PWI 6087 – Digital authentication: Risks and mitigations was initiated in 2020-09 and is on-going.
PWI 7732 – Age verification was initiated in 2021-04 and is on-going.
NP 27091 – Cybersecurity and privacy – Artificial intelligence – Privacy protection is being proposed as an NWIP resulting from PWI 6089.
PWI 27564 – Privacy models was initiated in 2022-05 and is on-going.
NP 27566 – Information technology security, cybersecurity and privacy protection – Age assurance systems – Framework is being proposed as an NWIP resulting from PWI 7732.
PWI 27568 – Security and privacy in digital twins has been initiated in 2022-10.
WG 5 Standing documents (SD):
WG 5 SD1 Roadmap is available via the website of JTC 1/SC 27 at https://committee.iso.org/sites/jtc1sc27/home/wg5.html and will be updated reflecting expert contributions and the progress at the WG meeting.
WG 5 SD2 Privacy References List is available via the website of JTC 1/SC 27 at https://committee.iso.org/sites/jtc1sc27/home/wg5.html and will be updated based on contributions received.
WG 5 SD4 Standards Privacy Assessment is available via the website of JTC 1/SC 27 at https://committee.iso.org/sites/jtc1sc27/home/wg5.html and will be updated based on contributions received.
ISO/TC 307 (Blockchain and distributed ledger technologies):
The most relevant ISO activity related to IdM is TC 307 - Blockchain and distributed ledger technologies, created in 2016 and whose scope is "Standardisation of blockchain technologies and distributed ledger technologies."
TC 307 has ISO/TC 307/JWG 4, "Joint ISO/TC 307 - ISO/IEC JTC 1/SC 27 WG: Security, privacy and identity for Blockchain and DLT".
The following work has been completed:
ISO 22739:2020 Blockchain and distributed ledger technologies — Vocabulary was published as an International Standard (IS) in 2020-07.
Work in progress includes:
ISO TR 23642 Blockchain and distributed ledger technologies - Overview of smart contract security good practice and issues is currently at WD status
ISO TR 23644 Blockchain and distributed ledger technologies - Overview of trust anchors for DLT-based identity management (TADIM) will be published end of 2022
ISO/PWI 12833 Re-identification and privacy vulnerabilities and mitigation methods in blockchain and distributed ledger technologies is currently at PWI status
W3C (World Wide Web Consortium):
The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. W3C's mission is, in their words, to lead the Web to its full potential.
W3C has several activities that are relevant for IdM:
Web Authentication WG
The Web Authentication WG (end date: 15/09/2019) aims to define a client-side (i.e. in the browsers) API providing strong authentication functionality to Web Applications, obviating the limitations of password-based logins (weak security, vulnerable to phishing attacks, not usable).
The following work has been completed:
An API for accessing Public Key Credentials, Level 2 on 8 April 2021.
Decentralized Identifiers WG
The recently started Decentralized Identifiers WG (DID, end date: 15/04/2021) has been proposed to enable identifiers that (from their charter):
1. are controlled by individuals, organizations, and machines, not leased from an authority (e.g. DNS Registrars).
2. are cryptographically verifiable and can authenticate their owners (e.g. DID- based website login).
3. are dereferenceable, i.e. they can be dereferenced to a document that provides information on how to start a secure and privacy-preserving communication with the owner (e.g. a set of public keys and a set of service endpoints).
The WG will focus on the following points:
1. Define the DID URI scheme.
2. Recommend a data model and syntax(es) for the expression of Decentralized Identifier Documents, including one or more core vocabularies.
The following work has been completed:
Decentralized Identifiers (DIDs) v1.0
Verifiable Claims WG
The Verifiable Claims WG (end date: 30/09/2019) aims at creating a standard that makes it easy for users to assert their verifiable qualifications to a service provider (e.g. my loyalty card number is X, I have an account at Bank Y, I am over the age of 21, I am a citizen of the USA, I have a degree in Mathematics, etc.). Such standard would allow expressing, exchanging, and verifying claims on the Web more easily and securely, across different industry sectors, and independently from a particular claim provider.
The following work has been completed:
Verifiable Credentials Data Model 1.0
Data Privacy Vocabularies and Controls CG
The mission of the W3C Data Privacy Vocabularies and Controls CG (DPVCG) is to develop a taxonomy of privacy terms, which include terms from the new European General Data Protection Regulation (GDPR). The aim is to provide a machine-readable vocabulary to annotate and categorize instances of legally compliant personal data processing according to the GDPR.
The taxonomy currently discussed in the group contains terms (classes and properties) related to the following concepts (corresponding to GDPR concepts):
- Personal Data Categories
- Purposes
- Processing Categories
- Technical and Organisational Measures
- Legal Basis
- Consent
- Recipients, Data Controllers, Data Subjects
Work in progress includes:
Data Protection Aspects of Online Shopping – A Use Case
NIST (National Institute of Standards and Technology):
Under the Systems and Emerging Technologies Security Research grouping, NIST has established a program on Personal Identity Verification of Federal Employees and Contractors.
The following technical publications have been developed:
NIST Special Publication 800-63-3, Digital Identity Guidelines
NIST Special Publication 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing
NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management
NIST Special Publication 800-63C, Digital Identity Guidelines: Federation and Assertions
NIST Special Publication 800-73-4, Interfaces for Personal Identity Verification specifies the interface and data elements of the PIV card.
NIST Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification specifies the technical acquisition and formatting requirements for biometric data of the PIV system.
NIST Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification specifies the acceptable cryptographic algorithms and key sizes to be implemented and used for the PIV system.
NIST Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials
NIST Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
NIST Special Publication 1800-3, Attribute Based Access Control (2nd Draft)
NIST Special Publication 1800-12, Derived Personal Identity Verification (PIV) Credentials
NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
For the latest versions and revisions of the above NIST publications please see
http://csrc.nist.gov/publications/PubsSPs.html.
FIDO Alliance:
FIDO2 SPECIFICATIONS
UAF SPECIFICATIONS
FIDO2 AND UAF COMMON FILES
U2F SPECIFICATIONS
The latest versions of the FIDO Alliance user authentication specifications are available at https://fidoalliance.org/specifications/download/
2. Gap analysis on IdM standard development activities
In the existing IdM standardisation efforts there appear to be two clear trends. One trend is the drive for federation and interoperability, mainly pushed by the Liberty Alliance and OASIS. The efforts in the standardisation of web services have matured quite well, primarily through the work of Liberty Alliance but also through the OASIS work. The development of federation standards for the general information system sector and the telecom sector is included in current and planned work of both ITU-T and ISO/IEC. The big issue associated with federation is interoperability and harmonisation of the different federation standards and solutions. The second trend is the drift from standards for organisation-centric identity management systems towards a more deliberate suite of standards trying to find a reasonable balance between end users' need for security and privacy and the organisation's or business's needs for security and information.
3. Approved IdM standards
Approved and published IdM standards are included in the database of standards included in Part 2 of this Roadmap.
Recent developments in IdM standards are addressed in the IdM landscape wiki, which contains informal and evolving information, as well as in Part 3 of this Roadmap under the Programs of Work of the various standards bodies.
4. Best practices
ENISA: Mobile identity management (April 2010)
This position paper reports on information security risks and best practice in the area of Mobile Identity Management (Mobile IDM). It also provides recommendations of systems, protocols and/or approaches to address these challenges.
Identity Management, Electronic Authentication and Secure Development
ENISA: Remote ID Proofing (March 11, 2021)
EC Progress report on standardisation activities and technical sustainability plans (August 2019)
5. Identity management in cloud computing
OASIS Identity in the Cloud (The Technical Committee was closed by the OASIS TC Administrator on 07 November 2016)
6. National identity management strategies
Next steps outlined for UK's use of digital identity (September 2020)
National strategy for trusted identities in cyberspace draft (U.S) (APRIL 2011)
Open Identity Exchange (U.S) (14th October 2021)
NSW Government Identity Strategy (AU)
7. Other relevant IdM activities and papers
None.
Bibliography
None.