...

Staff:

Colin Wallis 

Ruth Puente

Agenda

  1. Administration:
    Roll Call
    Agenda Confirmation
    Minutes Approval: 2018-03-01 DRAFT IAWG Minutes
    Action Item Review: action item list
    Organization Updates - Director's Corner
    Staff reports and updates
    LC reports and updates
    Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion

a. Update on recent IAF changes and publications.

b. Rework IAF 1000 - Overview and IAF 1100 - Glossary.

c. NIST 800-63-3 implementation guidance.

d. 63A SAC and 63B SAC assessment issues.

e. OMB Policy Draft – Call for comments

Quorum



There was no quorum (5 voting participants out of 8).

...

Rework IAF 1000 - Overview and IAF 1100 - Glossary

  • Ken D. is preparing a straw man to proceed with the revision of the Overview and Glossary documents, which are out of date.


NIST 800-63-3 Implementation Guidance and 63A SAC and 63B SAC assessment issues

  • Scott S. said that the implementation guidance is an inspirational thing, what can we use to try to add some light and understanding to 63-3, we hope to make it open and transparent enough, assessor across and between TFPs.
  • Colin W. commented that NIST has shared a spreadsheet with a 63A identity evidence list, an evaluation for different types of identity documents, and they seek the TFS stakeholders' feedback; it is not ready for public consumption.
  • Scott S. added that KUMA has completed an assessment on 800-63-3 and identified 2 gaps in the requirements:
    a) Authoritative Source. There is a Table 'Validation of the evidence' that states strong evidence must be validated strongly, and the evidence should be checked against an authoritative source. Authoritative sources must be either the issuer or have access to the issuer's data. Driver's license case: It's not commercially viable to validate driver licenses from 50 states. In the Passport case, there is no communicating with the Department of State to verify it. AAMVA validation of DMV data is only partial, including the textual data but not the photograph.
    b) 63A Table 5-3 makes a clear distinction that biometrics is one thing and photograph verification is another thing. But the same requirements apply to authenticate the “sensor” (i.e. camera) or an endpoint containing the sensor (i.e. smartphone/laptop). When the applicant is the owner of the device, the IdP doesn’t have a way to authenticate the device.

When you ask the applicant to apply with their own hardware (camera), there is no way to authenticate the hardware. Trusted path for the collection of the photograph. The camera must be authenticated by the service that is doing the ID proofing. If you are relying on people that they purchased through other means, there is no way to authenticate those users and those phones.