...
- Comments on IAL1 update #1, https://github.com/usnistgov/800-63-4/issues/1:
- Eric commented that it seems that the opportunity is to create an interim level, self-attestation and at least fair evidence verification and validation. Moreover, he said that it raises the question about the risk matrix low-moderate-high impact. Furthermore, he stressed that there are no definitions or guidelines for fraud or financial impact. It's very open and generic, so it would be worth to develop guidelines around what insignificant or inconsequential means versions serious to help agencies determine whether or not it's low or moderate. It was He clarified that the risk guidance guidelines around fraud and financial impact is responsibility of the RP.
- It was added that Federal Agencies were looking for an Enhanced IAL1.
Ken added that mentioned the Canadian solution that is in place right now where we , which they do zero data associated with a credential that is issue issued to a an individual go subject and it's up to the RP to collect the identity data, once they get that credential and enroll enrol the person in whatever program they want to enroll them in to collect the identity data. That they need to satisfy their risk tolerance. So, it is the basically the breaking apart of the login from the identity management.
...