Attribute Metadata

Grassi, Paul; Nadeau, Ellen; Galluzzo, Ryan; Dinh, Abhiraj

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov.

NIST IR 8112 (Initial Public Draft)

Further development of this draft has ceased (January 12, 2018).

Attribute Metadata

Documentation Topics

Date Published: August 2016
Comments Due: September 30, 2016 (public comment period is CLOSED)
Email Questions to: nsticworkshop@nist.gov

Author(s)

Paul Grassi (NIST), Ellen Nadeau (NIST), Ryan Galluzzo (Deloitte & Touche), Abhiraj Dinh (Deloitte & Touche)

Announcement

NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:

Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
Develop more granular access control policies;
Make more effective authorization decisions; and
Promote federation of attributes.

The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual's ability to access protected resources. We opted to publish this document as a NISTIR in an effort to treat it as an implementers' draft, an approach common in the development lifecycle of many private sector standards and specifications. This allows the developer and policy community, in both the public and private sectors, to apply some or all of the metadata in this NISTIR on a volunteer basis, and provide us with practical feedback gained through implementation experience. As such, we will be maintaining the public issues page beyond the initial 60-day period to continually receive input and iteratively improve the document in anticipation of a second revision.

Submitting Comments

Commenters are STRONGLY encouraged to publicly collaborate with the team and other participants via the GitHub pages for NISTIR 8112. We have posted details on how to submit comments on GitHub. Additionally, we are providing a PDF for offline reading, as well as a traditional comment matrix for those that prefer this approach.

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue."

Abstract

This NIST Internal Report contains a metadata schema for attributes that may be asserted about an individual during an online transaction. The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual’s ability to access protected resources, and for an individual’s. Attribute metadata could also create the possibility for data sharing permissions and limitations on individual data elements. There are other possible applications of attribute metadata, such as evaluation and execution of business logic in decision support systems; however the metadata contained herein is focused on supporting an organization’s risk-informed authorization policies and evaluation.

Keywords

assertions; attributes; attribute metadata; attribute values; attribute value metadata; authorization; federation; identity; identity federation; information security; metadata; privacy; risk; risk management; security; access control; trust

Control Families

Access Control; Identification and Authentication

Documentation

Publication:
Draft NISTIR 8112 (HTML on GitHub)

Supplemental Material:
How to Submit Comments (GitHub)
Draft NISTIR 8112 (PDF) (pdf)
Comment Template (xlsx)
Submitted issues (GitHub)

Related NIST Publications:
SP 800-162

Document History:
08/01/16: IR 8112 (Draft)

Topics

Security and Privacy

authentication