...

  • Zygma is a co-signer of the memos, recommendations.
  • The 3 memos present findings from recent work that all the signers were involved in.
  • The first memo covers Guidance on Permitting “Commodity” Hardware for Unsupervised Remote Identity Proofing (the word “Commodity” comes from the 800-63-3 FAQ that came out recently).
  • The second memo covers how to select and evaluate Authoritative Sources. Geolocation is presented as an additional barrier against international fraud. No identity proofing method is perfect, and compensating controls are not perfect either. Geolocation is easy to assert and hard to prove, but it's an additional barrier for catching fraud.
  • The third memo is derived from the other 2: a recommendation on additional info for the CSPs in the Trust Status List, using the Public Service Description of the S3A so that RPs and other potential consumers of the services can understand what's involved. SS stressed that the Trust Status should have: the name of the service, contact info, Assurance Levels, authoritative sources and Identity proofing methods that are supported.
  • RW pointed out that the last statement of memo 3 is different from memo 2. He added that there are 2 solutions for the recommendation in memo 3; the S3A is not the absolute path for the additional information, as the CSP does not update that info. He suggested that we should change the CO-SAC criteria to require that the service definition or CrP documents be maintained and that, if there are changes, the CSP should notify the RPs. His recommendation includes 2 actions: Kantara to include within the Trust Status List a link to the CrP and the public service description that is stated in the S3A.
  • JL requested more time to read the memos and make comments before moving to approval. 
  • Next steps: Get ARB feedback on the 3 memos before sending them to NIST. 

...