Credential service provider explained

A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers.[1] A CSP forms part of an authentication system, most typically identified as a separate entity in a federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use.[1] The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP is an online site whose primary purpose is, say, internet banking, but whose users can subsequently be authenticated to other sites, applications or services without further action on their part.

History

In any authentication system, some entity is required to authenticate the user on behalf of the target application or service. For many years the impact of security, and the sheer number of services and applications that would ultimately require authentication, were poorly understood. The result is that not only are users burdened with many credentials that they must remember or carry around with them, but every application and service must also perform some level of registration and then some level of authentication of those users. Credential Service Providers were created to address this. A CSP separates those functions from the application or service and typically provides trust to that application or service over a network (such as the Internet).

CSP Process

The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. The CSP registers or gives the subscriber a token to be used in an authentication protocol and issues credentials as needed to bind that token to the identity, or to bind the identity to some other useful verified attribute. The subscriber may be given electronic credentials to go with the token at the time of registration, or credentials may be generated later as needed. Subscribers have a duty to maintain control of their tokens and to comply with their responsibilities to the CSP. The CSP maintains registration records for each subscriber so that those records can be recovered later.[1]

In an e-authentication model, a claimant in an authentication protocol is a subscriber to some CSP. At some point, an applicant registers with a Registration Authority (RA), which verifies the identity of the applicant, typically through the presentation of paper credentials and by records in databases. This process is called identity proofing. The RA, in turn, vouches for the identity of the applicant (and possibly other verified attributes) to a CSP. The applicant then becomes a subscriber of the CSP. The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. There is always a relationship between the RA and CSP.[1]
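The registration and credential-issuance flow described above, written out as an added example for this page (it is not code from NIST or from any CSP): a Registration Authority performs identity proofing against a constructed record store, the CSP registers the applicant as a subscriber, issues a token, stores only a hash of it in the registration record, and later binds the token to the verified identity by issuing a signed credential that a relying party can check. The one simplifying assumption is that the CSP and the relying party share an HMAC key; a real federation would use asymmetric signatures so that relying parties hold no issuing secret.

```python
# Added example of the CSP process: RA proofing -> CSP registration -> token
# -> signed credential -> relying-party verification. Not code from NIST or
# any CSP. Assumption: CSP and relying party share an HMAC key (a real
# federation would use asymmetric signatures). RA_RECORDS is constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed identity records the RA consults during identity proofing.
RA_RECORDS = {
    ("alice", "DOC-1001"): {"name": "alice", "role": "physician"},
    ("bob", "DOC-1002"): {"name": "bob", "role": "student"},
}


class RegistrationAuthority:
    """Verifies an applicant's identity and vouches for it to the CSP."""

    def __init__(self, records):
        self._records = records

    def identity_proof(self, name, document_id):
        # Verified attributes on success, None if proofing fails.
        return self._records.get((name, document_id))


class CredentialServiceProvider:
    """Registers subscribers, issues tokens and binds them to identities."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._subscribers = {}  # subscriber_id -> registration record

    def register(self, verified_attributes):
        # Unique subscriber id plus a fresh token. Only the token's hash is
        # kept, so a leaked registration record cannot impersonate the user.
        subscriber_id = "sub-" + secrets.token_hex(4)
        token = secrets.token_urlsafe(16)
        self._subscribers[subscriber_id] = {
            "attributes": dict(verified_attributes),
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "registered_at": int(time.time()),
        }
        return subscriber_id, token

    def issue_credential(self, subscriber_id, token, lifetime=300, now=None):
        # Authenticate the token, then issue a signed, time-limited assertion
        # binding the subscriber id to the verified attributes.
        record = self._subscribers.get(subscriber_id)
        if record is None:
            return None
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, record["token_hash"]):
            return None
        now = int(time.time()) if now is None else now
        claims = {"sub": subscriber_id, "attrs": record["attributes"],
                  "iat": now, "exp": now + lifetime}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def registration_record(self, subscriber_id):
        # The CSP keeps registration records so they can be recovered later.
        return self._subscribers.get(subscriber_id)


class RelyingParty:
    """A site that accepts CSP credentials instead of running its own login."""

    def __init__(self, signing_key):
        self._key = signing_key

    def verify(self, credential, now=None):
        # Returns the claims if the signature is valid and unexpired, else None.
        try:
            body, sig = credential.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = int(time.time()) if now is None else now
        return None if claims["exp"] <= now else claims


def run_flow(name, document_id, now=1_700_000_000):
    """Whole flow for one applicant, plus the failure cases a verifier sees."""
    key = secrets.token_bytes(32)  # constructed shared key for the example
    ra, csp, rp = RegistrationAuthority(RA_RECORDS), CredentialServiceProvider(key), RelyingParty(key)
    attrs = ra.identity_proof(name, document_id)
    if attrs is None:
        return {"status": "proofing_failed"}
    sub_id, token = csp.register(attrs)
    cred = csp.issue_credential(sub_id, token, now=now)
    tampered = cred[:-1] + ("0" if cred[-1] != "0" else "1")  # flip last hex digit
    return {
        "status": "ok",
        "claims": rp.verify(cred, now=now),
        "expired": rp.verify(cred, now=now + 301),
        "wrong_token": csp.issue_credential(sub_id, "not-the-token", now=now),
        "tampered": rp.verify(tampered, now=now),
        "record_recoverable": csp.registration_record(sub_id) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(run_flow("alice", "DOC-1001"), indent=2))
```

Running `run_flow("alice", "DOC-1001")` returns the verified claims for the good path and `None` for the expired, tampered and wrong-token cases; an applicant the RA cannot proof never reaches the CSP at all, which is the ordering the text describes.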

Importance

CSPs can establish confidence in a user's identity through an electronic authentication process. As a result, some regulatory agencies can ask individuals to prove their identities through a CSP. Today, regulatory agencies require physicians to be authenticated electronically before they can issue any prescription for controlled dangerous substances (CDS). Physicians have to seek out federally approved CSPs in order to receive a two-factor authentication credential or digital certificates.[2] The CSPs conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3.[2]

CSP and the US Government

The federal government is currently the CSP for e-government transactions. However, the government plans to focus all its attention on the applications and leave the credential management business to other industries.[3]

In 2004, the US government proposed an E-authentication initiative. The goals of the initiative include:

As a result of this initiative, campuses may start offering students, faculty and staff access to certain federal applications.[4] However, before this happens, the government will impose the following requirements:[5]

FedFed Membership requirements for levels 1 & 2

FedFed Membership requirements for levels 3 & 4

Service Provider Requirements to Join Federal Federation Directly

Those service providers wishing to join the Federal Federation directly will have to agree to:

Providers

Below is a short list of some CSPs with a short description of the services they provide.

Equifax

Equifax provides credentialing solutions certified to meet Federal security and privacy requirements. Equifax offers more than a basic name-and-address identification credential: it provides methods of discerning an electronic identity in order to ensure that only trusted users have access to sensitive data and secure networks.[6]

MediQuin

MediQuin is a credential service provider located in Irvine, California. MediQuin provides Medical Credentialing, provider applications, enrollment forms, verification services, and other medical related credential services.[7]

Med Advantage

Med Advantage provides numerous verification services.[8]

Costs

Below is a table that shows the approximate cost for a Credential Service Provider in different categories.

Level                                  | Educational Institution | Non-Profit | L0: 1-100 employees | L1: 101-1000 employees | L2: 10001-25000 employees | L3: >25000 employees
Credential Service Provider Subscriber | $2,000                  | $2,000     | $4,000              | $9,000                 | $16,500                   | $21,500
Credential Service Provider Renewal    | $1,000                  | $1,000     | $3,000              | $8,000                 | $15,500                   | $20,500
Assessor Accreditation Subscriber      | $1,500                  | $2,000     | $5,000              | $11,000                | $17,000                   | $25,000
Assessor Accreditation Renewal         | $1,000                  | $1,500     | $4,000              | $10,000                | $16,000                   | $24,000

Source: Kantara Initiative.[9]

The Kantara Initiative

The Kantara Identity Assurance Accreditation and Approval Program is a Kantara program that aims to use CSPs in order to provide the private sector with more reliable digital credentials.[9]

Windows

Windows uses CSPs to implement authentication protocols.[10] With Windows Vista, a new authentication package called Credential Security Service Provider (CredSSP) was introduced. CredSSP uses the client-side CSP to enable applications to delegate the user's credentials to the target server.

Notes and References

  1. NIST Special Publication 800-63-3, Digital Identity Guidelines. https://pages.nist.gov/800-63-3/
  2. "CDS electronic prescriptions" (archived copy, PDF), ok.gov/OSBP. Retrieved 2012-04-27; original link dead, archived 2012-10-01 at https://web.archive.org/web/20121001183643/https://www.ok.gov/OSBP/documents/CDS%20electronic%20prescriptions.pdf
  3. EDUCAUSE presentation (PowerPoint). http://net.educause.edu/ir/library/powerpoint/CSD3611.pps
  4. "E-Authentication Initiative: Federal Single Sign-On", EDUCAUSE. Retrieved 2012-05-21; original link dead, archived 2010-08-13 at https://web.archive.org/web/20100813124357/http://www.educause.edu/Resources/EAuthenticationInitiativeFeder/154920
  5. EDUCAUSE presentation (archived copy, PowerPoint). Retrieved 2014-01-07; original link dead, archived 2022-04-04 at https://web.archive.org/web/20220404170443/https://www.educause.edu/ir/library/powerpoint/EAF0611.pps
  6. "Prevent Fraud - Business - Equifax", Equifax.com. Retrieved 24 February 2019.
  7. "MediQuin.com - Medical Credentialing Service", Mediquin.com. Retrieved 24 February 2019.
  8. "Med-Advantage – Medical Credentialing | Customized Credentialing Services | Credential Verification Services - Credentials", Med-Advantage.com. Retrieved 2012-05-07; original link dead, archived 2012-05-08 at https://web.archive.org/web/20120508120536/http://www.med-advantage.com/Credential.aspx
  9. "Kantara Initiative » Identity Assurance", kantarainitiative.org. Retrieved 2012-04-27; original link dead, archived 2012-05-03 at https://web.archive.org/web/20120503064831/http://kantarainitiative.org/wordpress/programs/assurance/
  10. Tara Meyer, "Credential Security Service Provider and SSO for Terminal Services Logon", Docs.microsoft.com. Retrieved 24 February 2019.