
4. Background


4.1 Authentication standards

The NZ e-GIF authentication standards provide detailed guidance for agencies to follow when designing their authentication solutions. In particular, the standards enable agencies to determine the level of identity-related risk for each of their services and to identify appropriate evidence of identity requirements and authentication key technologies (refer to 3.3 of the Evidence of Identity Standard).

Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal evidence of identity requirements at registration and a username and password for ongoing confirmation of identity.

NOTE – Change of address is a generic example. For some services, change of address may have a high level of identity-related risk.

To meet the Networked State Services Development Goal agencies will need to provide online services that have higher levels of identity-related risk. This will require the implementation of authentication solutions with more rigorous evidence of identity requirements and higher strength authentication keys.

Table 1 describes the purpose of each of the authentication standards and documents.

Table 1 – Authentication standards and documents

  • Guide to Authentication Standards for Online Services – Provides a high-level overview of the NZ e-GIF authentication standards.
  • Evidence of Identity Standard – Specifies a business process for establishing the identity of government agency customers. Applies to offline as well as online services.
  • Authentication Key Strengths Standards – Specifies the authentication keys to be used for online authentication and the protections necessary for the authentication exchange.
  • Data Formats for Identity Records Standard – Specifies data formats for a set of customer information data elements that government agencies may use in customer identity records.
  • Password Standard – Specifies requirements for passwords used for online authentication.
  • Other authentication key standards (to be developed) * – Specify the requirements for two-factor authentication keys used for online authentication.
  • New Zealand Security Assertion Messaging Standard v1.0 – Specifies messaging standards for communicating authentication assertions.
  • Guidance on Multi-factor Authentication – Provides an overview of multi-factor authentication. May be superseded once other authentication key standards are developed. Not a NZ e-GIF standard.
  • Security Assertion Messaging Framework – Provides a general introduction to security assertion messaging. Not a NZ e-GIF standard.

4.2 All-of-government authentication services

As well as supporting the implementation of individual agency authentication solutions, the authentication standards will also support the all-of-government authentication services – the Government Logon Service (GLS) and the Identity Verification Service (IVS). These shared services will allow agencies to devolve the management of the authentication component of online services.

The GLS is a website that will allow people to access government online services more conveniently by using a single authentication key, such as a username and password. The IVS will allow people to establish their identity a single time so that they do not have to establish their identity separately with each agency they transact with. The GLS is currently being built and the IVS is in the design stage. See 2.5 for definitions of GLS and IVS.

Agencies will interact with these shared services as follows:

  • Registration – evidence of identity is established (IVS) and an authentication key is associated with the customer (GLS)
  • First-time service – agencies verify identity for the customer’s first access (GLS and IVS) and link identity data and authentication key details. Agencies may also link a range of service-specific data
  • Repeat service – agencies confirm the identity of customers for ongoing access (GLS).

These interactions are shown in Figure 1 (State Services Commission 2005b).

Figure 1 – Outline of interactions with all-of-government authentication services


Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. In some cases, adopting the service automatically adopts and implements the relevant standards. For example, if an agency adopts the GLS, all passwords provided by this service will comply with the Password Standard. The agency would, however, still need to assess its requirements for evidence of identity processes and appropriate key strengths, using the relevant authentication standards.

Agencies not using the shared services will have to comply with all of the authentication standards.

NOTE – The Data Formats for Identity Records Standard will be used by the proposed IVS to store and exchange identity-related data.

4.3 Party information data interchange standards

Standards that represent identity-related data elements, such as customer names, are used to support data exchange or messaging. Such standards provide industry-developed schemas that represent customer information uniformly and structure transactions or messages as XML.

In developing this Standard, the feasibility of adopting an industry-developed party information standard to represent the identity-related data elements commonly used by New Zealand public sector agencies was considered.

The party information standard selected is the OASIS CIQ Specifications 3.0. CIQ v3.0 (OASIS 2008) defines a set of specifications and XML schema to represent several types of party-centric information, including name and address. After successful implementation, CIQ v3.0 is planned to replace the existing OASIS CIQ Specifications v2.0 later in 2008.

CIQ v3.0 comprises eXtensible Name and Address Language (xNAL), eXtensible Party Information Language (xPIL) and eXtensible Party Relationship Language (xPRL). The xNAL Specification itself comprises eXtensible Name Language (xNL), and eXtensible Address Language (xAL) (see Figure 2). The xPRL Specification is not used in the Data Formats for Identity Records Standard.

CIQ v3.0 has been designed and created following the experience gained from implementing earlier versions of OASIS CIQ standards, most notably xCIL v2.0. As a result, the overall XML schema structures are less hierarchical and include an enumeration strategy that allows complex elements to be represented by generic elements modified by ‘metadata tag’ values specific to each implementation. Consequently, CIQ v3.0 is cleaner and easier for developers to implement than its predecessors.
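The enumeration strategy described above has a practical consequence for any agency that receives CIQ v3.0 records from another party: because the meaning of a generic element such as NameElement is carried in its type-tag attribute, and the set of tag values is customised per implementation, the receiving system must check those values against its own accepted profile before mapping anything to a local field. The following is an added example, not code from the Standard, from OASIS or from any government system. It assumes the CIQ v3.0 namespace URIs and the xNL PartyName/PersonName/NameElement@ElementType and xAL Address/Locality/NameElement@NameType structures as recalled from the published schemas; the accepted-value profile, the length limit and the sample record are constructed for illustration.

```python
"""Parse a CIQ v3.0 (xNL + xAL) identity record with the Python standard library
and validate the 'metadata tag' attribute values against an implementation-
defined enumeration before mapping anything to local fields."""
import xml.etree.ElementTree as ET

# Namespace URIs of the OASIS CIQ v3.0 name (xNL) and address (xAL) schemas.
XNL = "urn:oasis:names:tc:ciq:xnl:3"
XAL = "urn:oasis:names:tc:ciq:xal:3"
NS = {"n": XNL, "a": XAL}

# Profile of type-tag values this (hypothetical) agency accepts. CIQ v3.0 lets
# each implementation customise these enumerations, so the receiver has to check
# them itself; the schema alone does not say which values are meaningful here.
ALLOWED = {
    ("NameElement", "ElementType"): {"Title", "FirstName", "MiddleName", "LastName"},
    ("Locality", "NameType"): {"Name"},
    ("Country", "NameType"): {"Name", "Code"},
}
MAX_TEXT_LEN = 200  # assumption: field-length limit of the receiving record store

# Constructed sample record; not taken from the Standard or from any real system.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Record xmlns:n="urn:oasis:names:tc:ciq:xnl:3"
        xmlns:a="urn:oasis:names:tc:ciq:xal:3">
  <n:PartyName>
    <n:PersonName>
      <n:NameElement n:ElementType="FirstName">Jane</n:NameElement>
      <n:NameElement n:ElementType="MiddleName">Mary</n:NameElement>
      <n:NameElement n:ElementType="LastName">Citizen</n:NameElement>
    </n:PersonName>
  </n:PartyName>
  <a:Address>
    <a:Locality>
      <a:NameElement a:NameType="Name">Wellington</a:NameElement>
    </a:Locality>
    <a:Country>
      <a:NameElement a:NameType="Code">NZ</a:NameElement>
    </a:Country>
  </a:Address>
</Record>
"""


def _typed_children(parent, ns_uri, tag, attr, allowed):
    """Yield (type_tag, text) for each generic <tag> element under `parent`.

    Unknown or missing type tags are rejected rather than skipped: an element the
    receiver cannot classify must not be silently mapped to some field, and it
    must not be dropped either, since that would alter the identity asserted."""
    for el in parent.findall(f"{{{ns_uri}}}{tag}"):
        # The CIQ v3.0 schemas qualify attributes; accept the unprefixed form too.
        kind = el.get(f"{{{ns_uri}}}{attr}") or el.get(attr)
        if kind not in allowed:
            raise ValueError(f"{tag} {attr}={kind!r} not in accepted profile")
        text = (el.text or "").strip()
        if not text or len(text) > MAX_TEXT_LEN:
            raise ValueError(f"{tag} {attr}={kind} has empty or oversized text")
        yield kind, text


def parse_record(xml_text):
    """Return {'name': {type: [values]}, 'address': {part: {type: value}}}.

    Raises ValueError for a record that does not fit the accepted profile.
    For messages from untrusted senders, defusedxml.ElementTree offers the same
    fromstring() API and refuses entity expansion; stdlib is used here so the
    example runs without extra packages."""
    root = ET.fromstring(xml_text)
    person = root.find("n:PartyName/n:PersonName", NS)
    if person is None:
        raise ValueError("record has no xNL PersonName")

    name = {}
    for kind, text in _typed_children(person, XNL, "NameElement", "ElementType",
                                      ALLOWED[("NameElement", "ElementType")]):
        name.setdefault(kind, []).append(text)
    if "LastName" not in name:
        raise ValueError("PersonName has no LastName element")

    address = {}
    for part, key in (("Locality", "locality"), ("Country", "country")):
        el = root.find(f"a:Address/a:{part}", NS)
        if el is not None:
            address[key] = dict(_typed_children(el, XAL, "NameElement", "NameType",
                                                ALLOWED[(part, "NameType")]))
    return {"name": name, "address": address}


def is_acceptable(xml_text):
    """True if the record parses and every type tag is in the accepted profile."""
    try:
        parse_record(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(parse_record(SAMPLE))
    # A record using a tag value outside the profile (e.g. Alias) is refused.
    print(is_acceptable(SAMPLE.replace('"MiddleName"', '"Alias"')))
```

The point of the allow-list is that the receiving agency, not the sender, decides which enumeration values are acceptable for its identity record; a record carrying a tag value the profile does not know is refused whole rather than partially loaded.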

Figure 2 – CIQ v3.0 Specifications

