
NIST doesn’t apply any risks to the applicant reference in the documentation. It is a fair question and something that NIST needs to think about as far as how the role of the applicant reference is conveyed to the applicant reference (i.e., if you vouch for this person, but this person turns around and commits fraud, you may be contacted). It’s a valid point to make sure that, within that section, NIST makes clear that if there is a risk to the applicant reference, it is at least conveyed to them. What that risk is depends on the application, the transaction, etc. from a legal perspective, which would be slightly beyond what could go in the guidance itself.

63A

In 63A Rev. 4 we see IAL1 and IAL2 both calling for one FAIR piece of evidence and one STRONG piece of evidence. Then verification is the differentiator. What was the thinking around having the evidentiary requirements the same but the verification different between IAL1 and IAL2?

The evidence requirements for IAL1 and IAL2 allow for the presentation of one piece of STRONG evidence with one piece of FAIR evidence, which presents an additive control at both levels that makes it more difficult for an attacker to subvert the identity proofing process. In 63A, NIST recognizes the concept of core attributes that are required for identity proofing and that need to be validated, so that the identity proofing process represents the additive value of evidence presentation along with core attribute validation. Identity verification then ties that evidence, as well as the attributes, to the real-life person in the application and identity proofing process.