  • Comments on IAL1 update #1, https://github.com/usnistgov/800-63-4/issues/1
  • Eric commented that it seems that the opportunity is to create an interim level, with self-attestation and at least fair evidence verification and validation. Moreover, he said that it raises the question about the risk matrix of low-moderate-high impact. Furthermore, he stressed that there are no definitions or guidelines for fraud or financial impact. It's very open and generic, so it would be worth developing guidelines around what insignificant or inconsequential means versus serious, to help agencies determine whether or not it's low or moderate. He clarified that the risk guidance guidelines around fraud and financial impact are the responsibility of the RP.
  • Colin added that Federal Agencies were looking for an Enhanced IAL1.
  • Ken mentioned the Canadian solution, in which zero data is associated with a credential that is issued to an individual, and it's up to the RP to collect the identity data once they get that credential and enrol the person. They need to satisfy their risk tolerance. So, it is basically the breaking apart of the login from the identity management.

  • Richard said that Kantara criteria provide a consistent definition of what IAL, xIAL or xAL "n" mean, so a provider can be assessed to meet the minimum requirements regarding a specific AL. In the case there's a defined meaning to IAL1 or "enhanced IAL1", then the RP can use that to decide which service to take.
