...

In any conformity assessment program, decisions have to be made about what the scope of each program will be. In terms of performing an assessment, it does not matter whether the subject is a CSP or an RP: there is a set of requirements that are assessed, and either they are being met or they are not. The potential problem with RPs is scale. If it is a large community, how long will assessment take? How complex does that make it? How does one even manage the logistics? Do we end up with RPs entering into separate agreements, or a blanket agreement? None of this is really NIST’s responsibility to answer, but these questions will be the principal consideration when Kantara moves forward.

Final note on federation from NIST:

There is also SP 800-217 (Draft), Guidelines for Personal Identity Verification (PIV) Federation, out for public comment right now. It covers federation in the context of PIV, particularly derived PIV credentials. NIST is also soliciting comments on that draft. It may be useful to look at as a concrete use case to which SP 800-63C applies.

Equity & Risk

Is it correct to say, from an equity perspective, that an RP requiring all applicants to have a picture ID would be acceptable under the current Rev. 4?

...

NIST is trying to take a practical and pragmatic approach. They know that differences in performance across different groups are likely to happen and are nearly impossible to eliminate. They are asking agencies and organizations to actively evaluate, understand, assess, and mitigate those issues to the greatest degree possible when they are identified. Previously, organizations took a "set it and forget it" approach: if a population could not get through the process, it was unlikely even to be identified, because organizations were not going out of their way to assess and determine those impacts or to offer alternative pathways or mechanisms for identity proofing (such as trusted referees). The aim is to make sure that options are presented to the user that still fit within the risk posture of the organizations and entities doing the access management.

...

Are there any particular risks that an applicant reference takes on when acting as a reference for another applicant, pertaining to the new concept of an applicant reference in SP 800-63A?

...