Credential service provider

A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers.[1] A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use.[1] The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.

History

edit

In any authentication system, some entity is required to authenticate the user on behalf of the target application or service. For many years there was poor understanding of the impact of security and the multiplicity of services and applications that would ultimately require authentication. The result of this is that not only are users burdened with many credentials that they must remember or carry around with them, but also applications and services must perform some level of registration and then some level of authentication of those users. As a result, Credential Service Providers were created. A CSP separates those functions from the application or service and typically provides trust to that application or service over a network (such as the Internet).

CSP Process

edit

The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. The CSP registers or gives the subscriber a token to be used in an authentication protocol and issues credentials as needed to bind that token to the identity, or to bind the identity to some other useful verified attribute. The subscriber may be given electronic credentials to go with the token at the time of registration, or credentials may be generated later as needed. Subscribers have a duty to maintain control of their tokens and comply with the responsibilities to the CSP. The CSP maintains registration records for each subscriber to allow recovery of registration records.[1]

In an e-authentication model, a claimant in an authentication protocol is a subscriber to some CSP. At some point, an applicant registers with a Registration Authority (RA), which verifies the identity of the applicant, typically through the presentation of paper credentials and by records in databases. This process is called identity proofing. The RA, in turn, vouches for the identity of the applicant (and possibly other verified attributes) to a CSP. The applicant then becomes a subscriber of the CSP. The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. There is always a relationship between the RA and CSP.[1]

Importance

edit

CSPs can establish confidence of a user identity through an electronic authentication process. As a result, some regulatory agencies can ask individuals to prove their identities through a CSP. Today, regulatory agencies require physicians to be authenticated electronically before physicians can issue any prescription for controlled dangerous substances (CDS). Physicians have to seek for federally approved CSPs in order to receive a two-factor authentication credential or digital certificates.[2] The CSPs conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3.[2]

CSP and the US Government

edit

The federal government is currently the CSP for e-government transactions. However, the government plans to focus all their attention in the applications and leave the credential management business to other industries.[3]

In 2004, the US government proposed an E-authentication initiative. The goals of the initiative include:

  • Build and enable mutual trust needed to support widespread use of electronic interactions between the public and the US Government.
  • Minimize the burden on the public when obtaining trusted electronic services from the government.
  • Deliver common interoperable authentication solutions, appropriately matching the levels of risk and business risks.[3]

As a result of this initiative, campuses may start offering to student, faculty and staff access to certain federal applications.[4] However, before this happens, the government will impose the following requirements:[5]

FedFed Membership requirements for levels 1 & 2

edit
  • Credential Assessment
  • Signing Business and Operating Rules
  • Technical Interoperability at SAML 1.0

FedFed Membership requirements for levels 3 & 4

edit
  • Cross-certification with Federal PKI

Service Provider Requirements to Join Federal Federation Directly

edit

Those services provide wishing to join the Federal Federation Directly will have to agree with:

  • eAuthentication Business and Operating rules in
    • Risk Analysis
    • Service levels
    • Security levels″
    • Compliance with FIPS and NIST SPs
    • Reporting requirements
  • Procedural, audit and documentation requirements.

Providers

edit

Below is a short list of some CSPs with a short description of the services they provide.

Equifax

edit

Equifax provides credentialing solutions certified that meet Federal security and privacy requirements. Equifax offers beyond basic name and address identification credential. Equifax provides methods of discerning an electronic identity in order to ensure that only trusted users have access to sensitive data and secure networks.[6]

MediQuin

edit

MediQuin is a credential service provider located in Irvine, California. MediQuin provides Medical Credentialing, provider applications, enrollment forms, verification services, and other medical related credential services.[7]

Med Advantage

edit

Med Advantage provide numerous verification services.[8]

  • Board Certification - Verify Current certificate level
  • Criminal Background - Verify State and/or Federal Criminal History
  • DEA/CDS Registration - Verify by NTIS and/or by certificate
  • Education - Verify Medical Education & Post graduate Education
  • FSMB - Query The Federation of State Medical Boards
  • License- Verify State license(s)
  • Malpractice Claims - Verify from the carrier
  • Malpractice Insurance - Verify from the Carrier or Certificate
  • NPDB - Query The National Practitioner Databank
  • HIPDB - Query The Healthcare Integrity and Protection Databank
  • Privileges - Verify Hospital admitting Privileges and Delineation of Privileges
  • References - Verify Professional references
  • Sanctions - Query Medicare/Medicaid and State License
  • Work History - Extract Work History from the Curriculum Vitae

Costs

edit

Below is a table that shows the approximate cost for a Credential Service Provider in different Categories.

Level Educational Institution Non-Profit L0: 1-100 employees L1: 101-1000 employees L2: 10001-25000 employees L3: >25000 employees
Credential Service Provider Subscriber $2,000 $2,000 $4,000 $9,000 $16,500 $21,500
Credential Service Provider Renewal $1,000 $1,000 $3,000 $8,000 $15,500 $20,500
Assessor Accreditation Subscriber $1,500 $2,000 $5,000 $11,000 $17,000 $25,000
Assessor Accreditation Renewal $1,000 $1,500 $4,000 $10,000 $16,000 $24,000

[9]

The Kantara Initiative

edit

The Initiative Identity Assurance Accreditation and Approval Program is a Kantara program that tries to use CPS in order to provide to private sectors with better reliable digital credentials.[9]

Windows

edit

Windows uses CSP to implement authentication protocols.[10] With Windows Vista, a new authentication package called Credential Security Service Provider (CredSSP) was introduced. CredSSP uses the client-side CSP to enable applications to delegate user's credentials to the target server.

References

edit
  1. ^ a b c d NIST Special Publication 800-63, Revision 3, Digital Identity Guidelines, Pages.nist.gov, June 2017
  2. ^ a b "Archived copy" (PDF). Archived from the original (PDF) on 2012-10-01. Retrieved 2012-04-27.{{cite web}}: CS1 maint: archived copy as title (link)
  3. ^ a b [1] [dead link]
  4. ^ "E-Authentication Initiative: Federal Single Sign-On | EDUCAUSE". Archived from the original on 2010-08-13. Retrieved 2012-05-21.
  5. ^ "Archived copy". Archived from the original on 2022-04-04. Retrieved 2014-01-07.{{cite web}}: CS1 maint: archived copy as title (link)
  6. ^ "Prevent Fraud - Business - Equifax". Equifax.com. Retrieved 24 February 2019.
  7. ^ "MediQuin.com - Medical Credentialing Service". Mediquin.com. Retrieved 24 February 2019.
  8. ^ "Med-Advantage – Medical Credentialing | Customized Credentialing Services | Credential Verification Services - Credentials". Archived from the original on 2012-05-08. Retrieved 2012-05-07.
  9. ^ a b "Kantara Initiative » Identity Assurance". Archived from the original on 2012-05-03. Retrieved 2012-04-27.
  10. ^ Tara Meyer. "Credential Security Service Provider and SSO for Terminal Services Logon". Docs.microsoft.com. Retrieved 24 February 2019.