The NIEF Cryptographic Trust Fabric Management Policy (Section 2.4.2) specifies that the NIEF Trust Fabric will be revised every 30 days or sooner as needed to accommodate updates. The trust fabric signing happens on an offline, air gapped certificate authority as specified within the NIEF Certificate Policy. Due to the ongoing COVID-19 crisis, and a mandate to work from home as much as possible, the use of the air gapped certificate authority system is more difficult. It is still critical that the trust fabric expire within some amount of time and that it be regenerated and republished prior to expiration, but to accommodate the working conditions of the COVID-19 crisis, we are relaxing the requirement within Section 2.4.2 and currently extending the period to 60 days, this may be extended further in the coming months if appropriate. Please direct any questions or concerns to help@nief.org.
Category Archives: Security
New NIST 800-63-3 Assurance Level Attributes
As you may know, NIST recently published a new version of the NIST SP 800-63 specification. To better align with the new levels of assurance that this updated specification defines, NIEF has defined three new assurance level attributes within the NIEF Attribute Registry as a new Assurance Level Attribute Bundle. NIEF encourages participating Identity Providers to add support for these new attributes. These attributes do not map precisely to the legacy assurance attributes, but many of the same underlying security principles dictate the appropriate levels of assurance. If you have any concerns about what levels of assurance are appropriate for your IDP to assert, feel free to reach out to help@nief.org.
New NIEF Signing Certificate / Key Pair
Reply
The X.509 certificate and key used to sign the NIEF trust fabric has been updated. During the deployment of new trust fabric management tools for FICAM compliance, the old key was deleted, requiring a new key to be created. There is no security risk in trusting the old NIEF certificate, but it will no longer be in use. The new NIEF certificate is available for download from the NIEF Trust Fabric page. All NIEF members should update their SAML systems to trust the new certificate.
Please contact help@gfipm.net if you have any concerns or need any assistance in updating your SAML systems.
Migration to SHA-256
In accordance with NIST SP 800-131A, NIEF will be migrating away from the use of SHA-1 by the end of 2013. The NIEF trust fabric will no longer be published using SHA-1 digital signatures and members of NIEF will be validated to insure their SAML operations are using SHA-256 as their onboarding is updated for FICAM compliance.
Please direct any questions or concerns to help@gfipm.net.