Commit

Merge pull request #503 from usnistgov/pgrassi-nist-patch-2
Update cover.md
garciamike authored Jan 30, 2017
2 parents f0ab88e + 3e2a7c2 commit 5ccbf47
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion sp800-63-3/cover.md
Expand Up @@ -207,7 +207,7 @@ The terms "CAN" and "CANNOT" indicate a possibility and capability, whether mate

## Executive Summary

Digital identity is the online persona of a subject, and a single definition is widely debated internationally. The term persona is apropos as a subject can represent themselves online in many ways. An individual may have a digital identity for email, and another one for personal finances. A personal laptop can be someone's streaming music server yet also be a worker-bot in a distributed network of computers performing complex genome calculations. Without context, it is difficult to land on a single definition that satisfies all. Digital identity as a legal identity further complicates the definition and ability to use digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are, remotely, via a digital service, is fraught with vulnerabilities of impersonation. After proving yourself, repeatedly proving it is you logging in is just as complicated and vulnerable as the original claim and proof of identity. As correctly captured by [Peter Steiner in The New Yorker](#steiner), "On the internet, no one knows you're a dog". These guidelines provide mitigations to the vulnerabilities inherent online, while recognizing and encouraging that when accessing some, low-risk digital services, 'being a dog' is just fine, while other high-risk services need a level of confidence that the digital identity accessing the service is the legitimate proxy to the real life subject.
Digital identity is the online persona of a subject, and a single definition is widely debated internationally. The term persona is apropos as a subject can represent themselves online in many ways. An individual may have a digital identity for email, and another one for personal finances. A personal laptop can be someone's streaming music server yet also be a worker-bot in a distributed network of computers performing complex genome calculations. Without context, it is difficult to land on a single definition that satisfies all. Digital identity as a legal identity further complicates the definition and ability to use digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are, remotely, via a digital service, is fraught with vulnerabilities of impersonation. After proving yourself, repeatedly proving it is you logging in is just as complicated and vulnerable as the original claim and proof of identity. As correctly captured by [Peter Steiner in The New Yorker](#steiner), "On the internet, nobody knows you're a dog." These guidelines provide mitigations to the vulnerabilities inherent online, while recognizing and encouraging that when accessing some, low-risk digital services, 'being a dog' is just fine, while other high-risk services need a level of confidence that the digital identity accessing the service is the legitimate proxy to the real life subject.

For these guidelines, digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. Identity proofing establishes that a subject is actually who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject's digital identity. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject that is accessing the service today is the same as that which accessed the service yesterday. Digital identity presents a technical challenge because this process often involves the proofing of individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital government services. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.
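
Review bot: On the added line, the sentence after the corrected Steiner quotation still reads "when accessing some, low-risk digital services" with a stray comma and "real life subject" without a hyphen; since this line is being rewritten anyway, suggest "some low-risk digital services" and "real-life subject". The period has also moved inside the closing quotation mark, so check that this matches how quotations are punctuated elsewhere in cover.md. If the goal is to reproduce the caption verbatim, verify the capitalization of "internet" against the cited source as well. The commit title "Update cover.md" does not say what changed; a title naming the quotation fix in the Executive Summary would make the history easier to search.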
