...

  • Scott S. said that the implementation guidance is an inspirational thing, what we can use to try to add some light and understanding to 63-3; we hope to make it open and transparent enough for assessors across and between TFPs.
  • Colin W. commented that NIST has shared a spreadsheet with the 63A identity evidence list, an evaluation of different types of identity documents, and they seek the TFS stakeholders' feedback; it is not ready for public consumption.
  • Scott S. added that KUMA has completed an assessment of 800-63-3 and identified 2 gaps in the requirements: things that are complex to achieve and potentially impossible.
    a) Authoritative source. There is a table, 'Validation of the evidence', that states strong evidence must be validated strongly, and the evidence should be checked against an authoritative source. Authoritative sources must be either the issuer or have access to the issuer's data. Driver's license case: it is not commercially viable to validate driver's licenses from 50 states. In the passport case, there is no communicating with the Department of State to verify it. AAMVA validation of DMV data is only partial, covering the textual data but not the photograph.
    b) Authentication of the photograph. 63A Table 5-3 makes a clear distinction that biometrics are one thing and photograph verification is another. But the same requirements apply to authenticating the "sensor" (i.e. camera) or an endpoint containing the sensor (i.e. smartphone/laptop). When the applicant is the owner of the device, the IdP does not have a way to authenticate the device.

...

  • Jose L. added that when you take a selfie you can print the OTP to prove liveness.
  • Ken said that the implementation guidance should include these 2 issues as well.
  • Scott S. asked if there could be a class of approval, IAL2 minus something.
  • Scott S. explained that if an RP accepts a service at less than a full assurance level, they should fill out a digital identity acceptance statement and submit it to GSA; the RP accepts the risk.
  • Ken D. added that in the Gov. of Canada, when RPs said an L2 token was not good enough, they implemented additional measures to mitigate that risk. That is an approach RPs could use: the RPs could say they are accepting credentials but will add "x" mitigation strategy. He suggested adding this approach as part of the implementation guidance. He also recommended using the eGovernment WG code of conduct in this context.