...
- Comments on IAL1 update #1, https://github.com/usnistgov/800-63-4/issues/1:
- Eric commented that it seems that the opportunity is to create an interim level, self-attestation and at least fair evidence verification and validation. Moreover, he said that it raises the question about the risk matrix low-moderate-high impact. Furthermore, he stressed that there are no definitions or guidelines for fraud or financial impact. It's very open and generic, so it would be worth to develop guidelines around what insignificant or inconsequential means versions serious to help agencies determine whether or not it's low or moderate. It was clarified that the risk is responsibility of the RP.
- It was added that Federal Agencies were looking for an Enhanced IAL1.
Ken added that the Canadian solution that is in place right now where we do zero data associated with a credential that is issue to a an individual go subject and it's up to the RP once they get that credential and enroll the person in whatever program they want to enroll them in to collect the identity data. That they need to satisfy their risk tolerance. So it is the basically the breaking apart of the login from the identity management.