...

NIST does not specify how any assessing organization or certifying organization requires conformance. NIST deliberately tries to allow for componentization of the services that are described across the volumes. By separating the volumes, NIST recognized that they address different components of the overall identity management for an identity service. But NIST's purpose was to allow components to address the requirements however those components are arranged in an overall identity service.

There is still the option to permit the scanning of identity evidence or to do a live capture. Based on what we are seeing on the fraud/threat landscape, it may make sense to not permit scanning of identity evidence for anything above FAIR because of the threat of replay. Thoughts on that topic?

There is a line that currently exists that mandates the physical validation of FAIR evidence – which NIST plans to remove. It was intended to be removed to begin with. There is not an expectation for someone to take a picture of their printed-out bank statement, scan it, and send it to someone. That is not what NIST is expecting from a FAIR evidence perspective. Once that line is removed, the concern hopefully disappears.

Beyond FAIR, NIST welcomes comments on that topic. There are current discussions happening about what live document validation is and the capabilities needed to validate live capture of the actual document.

Authenticator Binding

There is binding at enrollment and then post-enrollment binding. Is the description of the boundary of enrollment in the draft? Is there actually a difference between when you bind during enrollment versus at some later time? Or is it the type of authenticator you are binding to that makes the difference?

...