I've always thought of this as having to do with the fact that part of the validation process should involve crypto modules (hash algorithms as an example).  This would make sense to require them at FIPS Level 1.

This should extend to more than the CSP as well, and would affect any RP that needs to validate a credential directly.



Bryan Rosensteel
Ping Identity- US Federal CTO

On Tue, Apr 9, 2024, 10:19 PM John Bradley <ve7jtb@ve7jtb.com> wrote:
My understanding is that the cryptographic modules that are validating the signatures need to be FIPS level 1 certified. The authenticators for AAL3 would need to be FIPS-140 level 2 physical 3 certified. There is a FIPS authenticator requirement at AAL2 as well but it is L1 physical 3 I think. It is in SP-800-63.

John B.

On Apr 6, 2024, at 5:30 AM, Jimmy Jung <jimmy.jung@slandala.com> wrote:

We have mostly avoided the federal agency/FIPS 140 criteria, but I was looking at 63B#0120, which is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.”
“Verifiers” refers to an organization, typically the CSP – specifically, 63 defines it as “an entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.”
But FIPS 140 is Security Requirements for devices, specifically Cryptography and Cryptographic Modules. So, I can’t figure out what they want here.

63B#0120
Federal agencies SHALL only operate verifiers which have been validated as meeting FIPS 140 Level 1 or higher.

(possibly that cryptographic authenticators should meet FIPS 140 – but that would appear to conflict with other criteria and guidance?)

Jimmy

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance
