DocumentCode
569004
Title
Service provider authentication assurance
Author
Jøsang, Audun ; Varmedal, Kent A. ; Rosenberger, Christophe ; Kumar, Rajendra
Author_Institution
Univ. of Oslo, Oslo, Norway
fYear
2012
fDate
16-18 July 2012
Firstpage
203
Lastpage
210
Abstract
The concept of authentication assurance traditionally refers to the robustness of methods and mechanisms for user authentication, including the robustness of initial registration and provisioning of user credentials, as well as the robustness of mechanisms that enforce user authentication during operation. However, the user is not the only party that needs to be authenticated to ensure security of online transactions. In fact, online service provision always involves two parties, typically the user on the client side and the service provider on the server side, so that mutual authentication between the two sides is required. In contrast to the unilateral focus on user authentication by industry and academia, it is in fact equally important for the user to correctly authenticate the service provider. Unfortunately, little attention is paid to the problem of correctly authenticating the service provider. This paper proposes a framework for server and service provider authentication assurance, similarly to frameworks for user authentication assurance that have already been specified, or are currently under development by many national governments.
Keywords
authorisation; client-server systems; government; client side; national governments; online service provision; online transaction; server side; service provider authentication assurance; user authentication; user credentials; Authentication; Browsers; Humans; Robustness; Servers; Usability;
fLanguage
English
Publisher
ieee
Conference_Titel
Privacy, Security and Trust (PST), 2012 Tenth Annual International Conference on
Conference_Location
Paris
Print_ISBN
978-1-4673-2323-9
Electronic_ISBN
978-1-4673-2325-3
Type
conf
DOI
10.1109/PST.2012.6297941
Filename
6297941