...

  • NIST List of issues are available at: https://github.com/usnistgov/800-63-4/issues
  • Ken pointed out that the group has until May 15th to provide comments. 
  • Eric commented on the liveness test for remote identity proofing. He pointed out that in the overview of the general guidance they draw a line between identity proofing and fraud mitigation controls. One of the purposes that NIST points out is to prevent a spoofing attack, which is a form of fraud. He stressed that it's important to make a distinction between fraud versus identity proofing. Any further requirements of this kind move more towards fraud mitigation as opposed to identity proofing. Therefore, if they are mandating fraud mitigation, in essence it requires additional requirements.
  • Richard added that the reason that one performs identity proofing is to have a degree of certainty as to the authenticity of somebody holding or presenting a claim to this particular individual, and that is therefore done with the intent of achieving fraud mitigation. He highlighted that there is a long line between identity proofing and fraud prevention, for the sake of establishing, with a sufficient degree of certitude, the veracity of an identity. A liveness test is not for fraud mitigation per se; it's still a part of a proofing function. Once you've got an identity proven with sufficient confidence, there are fraud mitigation measures which one might then apply which could arise from application of that identity in a transaction. We're only doing this to prevent fraud, because if people didn't commit fraud we wouldn't need to do identity proofing.
  • Eric suggested that one piece of feedback on this issue is to avoid moving from a "should" to a "shall" to make it a normative requirement; they should keep it as an optional requirement.

  • Richard said that a liveness test is actually a valuable test to make to gain greater confidence. We could make it only an IAL3 requirement; that's a way of adding strength over and above IAL2 proofing. It is an available tool to stop people wrongfully getting identity credentials.
  • Eric recommended making it a requirement for IAL3 and otherwise keeping it optional.
  • Eric offered to lead the development of comments.

...