Which of the following is the best description of the attribute or attributes that can be used to uniquely trace actions to an entity?
A. Claims
B. Identity
C. Accountability
D. Security assertions
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Identity.
An entity, e.g., an individual (person), organization, device, or process, is anyone or anything that has an identity, which is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)
Accountability
Accountability relies on identity to uniquely trace actions to an entity. Accountability is “the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.” (NIST SP 800-12 Rev. 1)
SAML Assertion and OIDC Claim
The term “assertion” is used in SAML, while “claim” is used in OIDC. A SAML assertion carries three types of statements: authentication, attribute, and authorization decision. An OIDC claim can be treated as a single attribute statement about a subject; a scope names a set of user attributes (claims) that are requested together.
- An assertion is the “sentence or proposition in logic which is asserted (or assumed) to be true.” (ISO/TS 21526:2019)
- A claim is an “assertion of identity.” (ISO/IEC 24745:2011)
SAML Assertions
An asserting party is a system entity that makes SAML assertions that carry authentication, attribute, and authorization statements. A relying party is a system entity that uses assertions it has received.
For example, a SAML assertion may carry statements about a subject as follows:
- The subject is named “Wentz Wu.”
- The subject has an email address of wentzwu@gmail.com.
- The subject is a member of the “engineering” group.
OIDC Claims
- An OIDC claim can be treated as a statement in the SAML assertion.
- An OIDC scope can be viewed as a SAML assertion.
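As an added example that is not part of the original post, the Python below ties together the SAML statements, the OIDC scope-to-claim mapping, and the accountability point above: it parses a constructed, unsigned SAML 2.0 assertion carrying authentication, attribute, and authorization decision statements; maps requested OIDC scopes to the claims OpenID Connect Core 1.0 (section 5.4) defines for them; and builds an audit record keyed on the asserted subject identifier. The issuer URLs, client identifier, token values, and attribute names (displayName, mail, memberOf) are assumptions; a real relying party would verify the assertion signature and conditions before trusting any statement, which this parser does not do.

```python
"""Added example: relying-party view of SAML statements, OIDC claims, and
accountability. All sample data is constructed; nothing here is signed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion (issuer, resource, and attribute names are assumptions).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">wentzwu@gmail.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2021-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Wentz Wu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>wentzwu@gmail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://app.example.test/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def parse_saml_assertion(xml_text):
    """Extract the subject plus the three statement types from an assertion.
    Signature and Conditions checks are out of scope here (assumed done upstream)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    authn = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    authz = root.find("saml:AuthzDecisionStatement", SAML_NS)
    authz_info = None
    if authz is not None:
        authz_info = {
            "resource": authz.get("Resource"),
            "decision": authz.get("Decision"),
            "actions": [a.text for a in authz.findall("saml:Action", SAML_NS)],
        }
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": name_id.text,                      # identity the IdP vouches for
        "subject_format": name_id.get("Format"),
        "authn_context": authn.text if authn is not None else None,
        "attributes": attrs,                          # attribute statement
        "authz": authz_info,                          # authorization decision statement
    }


# Claims returned for each standard scope, per OpenID Connect Core 1.0 section 5.4.
OIDC_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed decoded ID token payload (issuer, sub, aud, and times are assumptions).
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.test", "sub": "248289761001", "aud": "client-123",
    "exp": 1700000000, "iat": 1699996400,
    "name": "Wentz Wu", "email": "wentzwu@gmail.com", "email_verified": True,
    "groups": ["engineering"],
}


def claims_for_scopes(scopes):
    """Claim names a relying party may expect for the requested scopes
    ("openid" itself adds no user-info claims)."""
    expected = set()
    for scope in scopes:
        expected |= OIDC_SCOPE_CLAIMS.get(scope, set())
    return expected


def present_claims(token_claims, scopes):
    """The subset of expected claims actually asserted in the token."""
    return {c: token_claims[c] for c in claims_for_scopes(scopes) if c in token_claims}


def accountability_record(issuer, subject_id, action, resource):
    """Audit entry keyed on the stable identifier the IdP asserted (NameID or sub),
    not on a display name, so the action traces uniquely to one entity."""
    return {"principal": f"{issuer}#{subject_id}", "action": action, "resource": resource}


if __name__ == "__main__":
    saml = parse_saml_assertion(SAMPLE_ASSERTION)
    print(accountability_record(saml["issuer"], saml["subject"], "Read", saml["authz"]["resource"]))
    print(present_claims(SAMPLE_ID_TOKEN_CLAIMS, ["openid", "email"]))
```

Note that the `displayName` attribute and the `name` claim are human-readable and not unique, which is why the audit record uses `NameID` or `sub` scoped to the issuer; two identity providers could each assert a subject called “Wentz Wu” for different entities.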