Merge pull request usnistgov#1964 from usnistgov/errata-2

Publish Errata 2 (03-02-2020)

_config.yml

@@ -21,6 +21,11 @@ exclude:
 - README.md
 - CONTRIBUTING.md
 - LICENSE.md
+- docker-compose.yml
+- sp800-63-3/*.md
+- sp800-63a/*.md
+- sp800-63b/*.md
+- sp800-63c/*.md
 
 # GitHub information
 org_name: usnistgov

_includes/NISTPagesFooter.html

@@ -1,8 +0,0 @@
-<hr>
-<section class="footer">
-<br><a target="_blank" href="http://www.nist.gov/public_affairs/privacy.cfm#privpolicy">Privacy Policy</a> | <a target="_blank" href="http://www.nist.gov/public_affairs/privacy.cfm#secnot">Security Notice</a> | <a href="http://www.nist.gov/public_affairs/privacy.cfm#accesstate">Accessibility Statement</a> | <a href="https://github.com/{{ site.org_name }}/{{ site.repo_name }}/issues/">Send feedback</a>
-  <a href="{{ site.baseurl }}/comment_help.html" class="icon icon-fa">
-    <i class="fa fa-question-circle" title="Get help with leaving a comment" aria-hidden="true"></i>
-    <span class="sr-only">Get help with leaving a comment</span>
-  </a>
-</section>

_includes/NISTPagesHeader.html

@@ -11,6 +11,11 @@
     <script type="text/javascript" id="_fed_an_ua_tag"
             src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DOC&subagency=NIST&pua=UA-66610693-1&yt=true&exts=ppsx,pps,f90,sch,rtf,wrl,txz,m1v,xlsm,msi,xsd,f,tif,eps,mpg,xml,pl,xlt,c"></script>
 
+    <!-- NIST Pages dynamic header and footer -->
+    <link rel="stylesheet" href="https://pages.nist.gov/nist-header-footer/css/nist-combined.css">
+    <script src="https://pages.nist.gov/nist-header-footer/js/jquery-1.9.0.min.js" type="text/javascript" defer="defer"></script>
+    <script src="https://pages.nist.gov/nist-header-footer/js/nist-header-footer.js" type="text/javascript" defer="defer"></script>
+
     <!-- Custom CSS -->
     <link rel="stylesheet" href="{{ site.baseurl }}/static/css/NISTStyle.css">
     <link rel="stylesheet" href="{{ site.baseurl }}/static/css/NISTPages.css">
@@ -40,16 +45,3 @@
     {% endif %}
 </head>
 <body>
-<header class="nist-header">
-    <h1>
-        <a class="nist-logo" target="_blank" href="http://www.nist.gov/" title="Go to nist.gov">National Institute of
-            Standards and Technology</a>
-    </h1>
-    <div class="nist-links">
-        <a class="nist-links-button" target="_blank" href="http://www.nist.gov">NIST Website</a>
-        <a class="nist-links-button mobile-hide" target="_blank" href="http://www.nist.gov/public_affairs/nandyou.cfm">About
-            NIST</a>
-        <a class="nist-links-button mobile-hide" target="_blank" href="https://github.com/usnistgov">usnistgov on
-            Github</a>
-    </div>
-</header>

docker-compose.yml

@@ -0,0 +1,10 @@
+version: '3'
+
+services:
+  server:
+    image: jricher/nistpages-dev
+    volumes:
+      - .:/srv/jekyll
+    command: serve
+    ports:
+      - "4000:4000"

sp800-63-3.md

@@ -6,6 +6,7 @@ description: "NIST Special Publication 800-63-3"
 
 {{ site.time | date_to_rfc822 }}
 {% include_relative sp800-63-3/cover.md %}
+{% include_relative sp800-63-3/errata.md %}
 {% include_relative sp800-63-3/sec1_2_introduction.md %}
 {% include_relative sp800-63-3/sec3_definitions.md %}
 {% include_relative sp800-63-3/sec4_model.md %}

sp800-63-3/cover.md

@@ -38,7 +38,8 @@ https://doi.org/10.6028/NIST.SP.800-63-3
 This publication is available free of charge from:  
 https://doi.org/10.6028/NIST.SP.800-63-3  
 
-June 2017
+June 2017  
+Includes [updates](#errata) as of 03-02-2020
 
 ![](sp800-63-3/media/commerce_logo.png)
 

sp800-63-3/definitions.md

@@ -99,6 +99,9 @@ The property that data originated from its purported source.
 #### Authoritative Source
 An entity that has access to, or verified copies of, accurate information from an issuing source such that a CSP can confirm the validity of the identity evidence supplied by an applicant during identity proofing. An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of the agency or CSP before they can be used in the identity proofing validation phase.
 
+#### Authorization Component
+Something issued to an RP by an IdP during an identity federation transaction that grants the RP authorized access to a set of APIs (e.g., an OAuth access token). This credential can be separate from the assertion provided by the federation protocol (e.g., an OpenID Connect ID Token).
+
 #### Authorize
 A decision to grant [access](#access), typically automated by evaluating a subject's attributes.
 
@@ -225,7 +228,7 @@ Information or documentation provided by the applicant to support the claimed id
 The process by which a CSP collects, validates, and verifies information about a person.
 
 #### Identity Provider (IdP)
-The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.
+The party that manages the subscriber's primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.
 
 #### Issuing Source
 An authority responsible for the generation of data, digital evidence (such as assertions), or physical documents that can be used as identity evidence.
@@ -342,9 +345,6 @@ A session wherein messages between two participants are encrypted and integrity
 
 A participant is said to be *authenticated* if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be *mutually authenticated*.
 
-#### Protected Session
-A session established on an authenticated protected channel.
-
 #### Pseudonym
 A name other than a legal name.
 

sp800-63-3/errata.md

@@ -0,0 +1,20 @@
+<div class="breaker"></div>
+<a name="errata"></a>
+
+<div class="text-center" markdown="1">
+## Errata
+</div> 
+
+This table contains changes that have been incorporated into Special Publication 800-63-3. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.
+
+|Date|Type|Change|Location
+|----|----|----|----|
+|2017-12-01|Editorial|Removed the term 'cryptographic' from the AAL3 description.|Executive Summary|
+||Editorial|Updated reference to Risk Management Framework|§5|
+||Editorial|Fixed verbiage in xAL flowcharts|Figures 6-1, 6-2, and 6-3|
+||Editorial|Added NISTIR 8062 as a reference|§8.1|
+||Editorial|Added definitions for disassociability, manageability, processing, and predictability|Appendix A|
+|2020-03-02|Editorial|Fixed wording of FAL3 definition|§5.2|
+||Substantive|Clarified flowcharts for xAL selection|Figures 6-1, 6-2, and 6-3|
+||Substantive|Added definition for Authorization Component|Appendix A|
+||Editorial|Removed extraneous definition of Protected Session|Appendix A|

sp800-63-3/sec5_DIRM.md

@@ -61,7 +61,7 @@ A summary of each of the identity, authenticator, and federation assurance level
 |:----------------------|
 |**FAL1:** FAL1 permits the RP to receive a bearer assertion from an identity provider (IdP). The IdP must sign the assertion using approved cryptography.|
 |**FAL2:** FAL2 adds the requirement that the assertion be encrypted using approved cryptography such that the RP is the only party that can decrypt it.|
-|**FAL3:** FAL3 requires the subscriber to present proof of possession of a cryptographic key reference to in the assertion and the assertion artifact itself. The assertion must be signed using approved cryptography and encrypted to the RP using approved cryptography.|
+|**FAL3:** FAL3 requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion along with the assertion itself. The assertion must be signed using approved cryptography and encrypted to the RP using approved cryptography.|
 
 When described generically or bundled, these guidelines will refer to IAL, AAL, and FAL as **_xAL_**.
 

sp800-63a.md

@@ -6,6 +6,7 @@ description: "NIST Special Publication 800-63A"
 
 {{ site.time | date_to_rfc822 }}
 {% include_relative sp800-63a/cover.md %}
+{% include_relative sp800-63a/errata.md %}
 {% include_relative sp800-63a/sec1_2_introduction.md %}
 {% include_relative sp800-63a/sec3_definitions.md %}
 {% include_relative sp800-63a/sec4_ial.md %}

sp800-63a/cover.md

@@ -52,7 +52,8 @@ This publication is available free of charge from:
 https://doi.org/10.6028/NIST.SP.800-63a   
 
 
-June 2017
+June 2017  
+Includes [updates](#errata) as of 03-02-2020
 
 ![](sp800-63-3/media/commerce_logo.png)
 

sp800-63a/errata.md

@@ -0,0 +1,25 @@
+<div class="breaker"></div>
+<a name="errata"></a>
+
+<div class="text-center" markdown="1">
+## Errata
+</div> 
+
+This table contains changes that have been incorporated into Special Publication 800-63A. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.
+
+|Date|Type|Change|Location
+|----|----|----|----|
+|2017-12-01|Editorial|Made minor grammatical edits throughout the document.|N/A|
+||Editorial|Changed §6 'Normative' to 'Informative'|Table 2-1|
+||Substantive|Changed 'Normative' to 'Informative'|§4.1|
+||Editorial|Confirmed 'Normative'|§4.2|
+||Substantive|Clarified the requirements about processing of attributes|§4.2 Bullet 4
+||Editorial|Remove redundant word|§4.3|
+||Substantive|Clarified and removed ambiguity in requirement|§4.4|
+||Substantive|Clarified requirement|§4.4.1.3|
+||Substantive|Clarified and removed ambiguity in requirement|§4.4.1.6|
+||Substantive|Changed the title to processing limitation; clarified the language, incorporated privacy objectives language, and specified that consent is explicit|§8.3|
+||Editorial|Added NISTIR 8062 as a reference|§10.1|
+|2020-03-02|Editorial|Updated Type and Change of the §4.3 errata update (2017-12-01)|Errata table|
+||Editorial|Updated Change in Table 2-1 errata update (2017-12-01) to specify the changed row|Errata table|
+||Editorial|Removed entry for change made to §6 in the 2017-12-01 errata update since no change was made|Errata table|

sp800-63a/sec4_ial.md

@@ -72,7 +72,7 @@ The following requirements apply to any CSP performing identity proofing at IAL2
 		<li><a name="4.2-r2"></a>Collection of PII SHALL be limited to the minimum necessary to validate the existence of the claimed identity and associate the claimed identity with the applicant providing identity evidence for appropriate identity resolution, validation, and verification. This MAY include attributes that correlate identity evidence to authoritative sources and to provide RPs with attributes used to make authorization decisions.</li>
 		<li><a name="4.2-r3"></a>The CSP SHALL provide explicit notice to the applicant at the time of collection regarding the purpose for collecting and maintaining a record of the attributes necessary for identity proofing, including whether such attributes are voluntary or mandatory to complete the identity proofing process, and the consequences for not providing the attributes.
 		</li>
-		<li><a name="4.2-r4"></a>If CSPs process attributes for purposes other than identity proofing, authentication, or attribute assertions (collectively “identity service”), related fraud mitigation, or to comply with law or legal process, CSPs SHALL implement measures to maintain predictability and manageability commensurate with the privacy risk arising from the additional processing. Measures MAY include providing clear notice, obtaining subscriber consent, or enabling selective use or disclosure of attributes. When CSPs use consent measures, CSPs SHALL NOT make consent for the additional processing a condition of the identity service.</li>
+		<li><a name="4.2-r4"></a>If CSPs process attributes for purposes other than identity proofing, authentication, or attribute assertions (collectively "identity service"), related fraud mitigation, or to comply with law or legal process, CSPs SHALL implement measures to maintain predictability and manageability commensurate with the privacy risk arising from the additional processing. Measures MAY include providing clear notice, obtaining subscriber consent, or enabling selective use or disclosure of attributes. When CSPs use consent measures, CSPs SHALL NOT make consent for the additional processing a condition of the identity service.</li>
 		<li><a name="4.2-r5"></a>The CSP SHALL provide mechanisms for redress of applicant complaints or problems arising from the identity proofing. These mechanisms SHALL be easy for applicants to find and use. The CSP SHALL assess the mechanisms for their efficacy in achieving resolution of complaints or problems.</li>
 		<li><a name="4.2-r6"></a>The identity proofing and enrollment processes SHALL be performed according to an applicable written policy or *practice statement* that specifies the particular steps taken to verify identities. The *practice statement* SHALL include control information detailing how the CSP handles proofing errors that result in an applicant not being successfully enrolled. For example, the number of retries allowed, proofing alternatives (e.g., in-person if remote fails), or fraud counter-measures when anomalies are detected.</li>
 		<li><a name="4.2-r7"></a>The CSP SHALL maintain a record, including audit logs, of all steps taken to verify the identity of the applicant and SHALL record the types of identity evidence presented in the proofing process. The CSP SHALL conduct a risk management process, including assessments of privacy and security risks to determine:</li>

sp800-63b.md

@@ -6,6 +6,7 @@ description: "NIST Special Publication 800-63B"
 
 {{ site.time | date_to_rfc822 }}
 {% include_relative sp800-63b/cover.md %}
+{% include_relative sp800-63b/errata.md %}
 {% include_relative sp800-63b/sec1_2_introduction.md %}
 {% include_relative sp800-63b/sec3_definitions.md %}
 {% include_relative sp800-63b/sec4_aal.md %}

sp800-63b/cover.md

@@ -75,7 +75,8 @@ https://doi.org/10.6028/NIST.SP.800-63b
 This publication is available free of charge from:    
 https://doi.org/10.6028/NIST.SP.800-63b    
 
-June 2017
+June 2017  
+Includes [updates](#errata) as of 03-02-2020
 
 ![](sp800-63-3/media/commerce_logo.png)
 

sp800-63b/errata.md

@@ -0,0 +1,29 @@
+<div class="breaker"></div>
+<a name="errata"></a>
+
+<div class="text-center" markdown="1">
+## Errata
+</div> 
+
+This table contains changes that have been incorporated into Special Publication 800-63B. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.
+
+|Date|Type|Change|Location|
+|----|----|----|----|
+|2017-12-01|Editorial|Updated AAL descriptions for consistency with other text in document|Introduction|
+||Editorial|Deleted "cryptographic" to consistently reflect authenticator options at AAL3|§4.3|
+||Substantive|Refined the requirements about processing of attributes|§4.4|
+||Editorial|Make language regarding activation factors for multifactor authenticators consistent|§5.1.5.1, 5.1.8.1, and 5.1.9.1|
+||Substantive|Recognize use of hardware TPM as hardware crypto authenticator|§5.1.7.1, 5.1.9.1|
+||Editorial|Improve normative language on authenticated protected channels for biometrics|§5.2.3|
+||Editorial|Changed "transaction" to "binding transaction" to emphasize that requirement doesn't apply to authentication transactions|§6.1.1|
+||Editorial|Replaced out-of-context note at end of section 7.2|§7.2|
+||Editorial|Changed IdP to CSP to match terminology used elsewhere in this document|Table 8-1|
+||Editorial|Corrected capitalization of Side Channel Attack|Table 8-2|
+||Substantive|Changed the title to processing limitation; clarified the language, incorporated privacy objectives language, and specified that consent is explicit|§9.3|
+||Editorial|Added NISTIR 8062 as a reference|§11.1|
+||Editorial|Corrected title of SP 800-63C|§11.3|
+|2020-03-02|Substantive|Clarified wording of verifier impersonation resistance requirement|§4.3.2|
+||Editorial|Emphasized use of key unlocked by additional factor to sign nonce|§5.1.9.1|
+||Editorial|Provided examples of risk-based behavior observations|§5.2.2|
+||Editorial|Removed redundant phrase|§5.2.3|
+||Editorial|Updated URL for reference [Blacklists]|§11.1|

sp800-63b/references.md

@@ -8,9 +8,9 @@
 
 <a name="balloon"></a>[BALLOON] Boneh, Dan, Corrigan-Gibbs, Henry,  and Stuart Schechter. "Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks," *Asiacrypt 2016*, October, 2016. Available at: <https://eprint.iacr.org/2016/027>.
 
-<a name="blacklists"></a>[Blacklists] Habib, Hana, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. "Password Creation in the Presence of Blacklists," 2017. Available at: <https://www.internetsociety.org/sites/default/files/usec2017_01_3_Habib_paper.pdf>
+<a name="blacklists"></a>[Blacklists] Habib, Hana, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. "Password Creation in the Presence of Blacklists," 2017. Available at: <https://www.ndss-symposium.org/wp-content/uploads/2017/09/usec2017_01_3_Habib_paper.pdf>
 
-<a name="composition"></a>[Composition] Komanduri, Saranga, Richard Shay, Patrick Gage Kelley, Michelle L Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. “Of Passwords and People: Measuring the Effect of Password-Composition Policies.” In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2595–2604. ACM, 2011. Available at: <https://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf>.
+<a name="composition"></a>[Composition] Komanduri, Saranga, Richard Shay, Patrick Gage Kelley, Michelle L Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. "Of Passwords and People: Measuring the Effect of Password-Composition Policies." In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2595–2604. ACM, 2011. Available at: <https://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf>.
 
 <a name="E-Gov"></a>[E-Gov] *E-Government Act* \[includes FISMA] (P.L. 107-347), December 2002, available at: <http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf>.
 
@@ -38,13 +38,13 @@
 
 <a name="PrivacyAct"></a>[Privacy Act] *Privacy Act of 1974* (P.L. 93-579), December 1974, available at: <https://www.justice.gov/opcl/privacy-act-1974>.
 
-<a name="policies"></a>[Policies] Weir, Matt, Sudhir Aggarwal, Michael Collins, and Henry Stern. "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords." In Proceedings of the 17th ACM Conference on Computer and Communications Security, 162–175. CCS ’10. New York, NY, USA: ACM, 2010. doi:10.1145/1866307.1866327.
+<a name="policies"></a>[Policies] Weir, Matt, Sudhir Aggarwal, Michael Collins, and Henry Stern. "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords." In Proceedings of the 17th ACM Conference on Computer and Communications Security, 162–175. CCS '10. New York, NY, USA: ACM, 2010. doi:10.1145/1866307.1866327.
 
 <a name="Section508"></a>[Section 508] Section 508 Law and Related Laws and Policies (January 30, 2017), available at: <https://www.section508.gov/content/learn/laws-and-policies>.
 
 <a name="shannon"></a>[Shannon] Shannon, Claude E. "A Mathematical Theory of Communication," *Bell System Technical Journal*, v. 27, pp. 379-423, 623-656, July, October, 1948.
 
-<a name="strength"></a>[Strength] Kelley, Patrick Gage, Saranga Komanduri, Michelle L Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. “Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms.” In Security and Privacy (SP), 2012 IEEE Symposium On, 523–537. IEEE, 2012. Available at: <http://ieeexplore.ieee.org/iel5/6233637/6234400/06234434.pdf>.
+<a name="strength"></a>[Strength] Kelley, Patrick Gage, Saranga Komanduri, Michelle L Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. "Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms." In Security and Privacy (SP), 2012 IEEE Symposium On, 523–537. IEEE, 2012. Available at: <http://ieeexplore.ieee.org/iel5/6233637/6234400/06234434.pdf>.
 
 
 ### 11.2 Standards