Page Comparison

• Call to order
• GPA reminder
• Roll call
• Agenda bashing
• Organization updates

• Meeting was called to order and the roll was called
• Please ensure that you sign the Group Participation Agreement

• Please review these blogs offline for current status on Kantara and all the DG/WG:

  • 2018: November
  • Work + Discussion Group Activity

Introductions

Welcome!

Discuss the discussion group 

1. 1. Goals, approach, desired outcomes (Charter material)
   2. Terminology page
   3. Use case template page

• Proposed Charter draft
• Notes on ISO terminology
• Use Case style and instructions

Discussion on terminology:

• Comment that "Identity" is a circular reference - 'related to' implies that the 'entity' is already known - there is inconsistency

Discussion on approach to collect material:

• We will run out time if we duplicate effort by having everyone go get essentially identical material from their sources - how to avoid this?
• Suggestion that we quickly post use case titles and maybe abstract to the wiki as a first step, then coordinate if we see obvious duplication
• Andrew is working with Government of Canada to list use cases from their repository - they are actively contributing, just need to sort out details.

• John: 
  • Would like to look at Aadhaar use case - combination of biometric and demographic and central database comparison (reach out to Vishal Gupta from IIW/RWOT participation ; also look at Andrew's ITU-T report on strong authentication use cases)
  • "The RENIEC system is used in Peru for bank KYC IDV (see attached paper).  In Mexico, the INE (a voting database with biometrics) has been expanded for use by bank KYC/AML purposes.  In some of the IDV draft uses cases, I will refer to these (as exemplars) because they are biometric-driven (fingerprints)."
• Andrew:
  • Andrew to look into Alipay/ IFAA eKYC
• Joe:
  • Will look at the DID and Verifiable Credentials Use cases to see which ones would be suitable for contribution
  • Look at Joram use case too
  • Will consider how the ISO definition maps to other definitions of ID Assurance, and if appropriate will contribute commentary for the report.
• Mark: 
  • what about PayPal? After the call Andrew started to track down connections to Jeff Hodges - will report back.

Schedule updates

• Status
• Issues
• Next period plan

Contributions updates

• Status
• Issues
• Next period plan

Chair

Use Case Contributions

UC01 New patient registration current.pdf

UC02 New patient registration future.pdf

• Catherine walked through the current state use case for patient registration (proofing)
  • Note that the preconditions are significant for Healthcare scenarios
  • PII collected at registration is collected to identify and lookup the patient for verification and de-duplication
  • The query step occurs because even if the patient has never visited the org, they might be in the EMR for other reasons - visit related organization, mergers/acquisitions of other orgs, etc
  • Patient Insurance Confirmation - this is included to contrast that this is NOT an identity assurance process - eligibility check
• Future state process walkthrough
  • There are initiatives moving towards this future state where identity proofing / assurance is mandatory - e.g. NIST 800-63-3 IAL2
  • Note that patient still gets health care even if they do not achieve IAL2
  • Note the increase of machine processing and assistance used to increase assurance
  • Note that there are alternate flows not described for undocumented patients like the very young
• Q: Does this cover subsequent-visit authentication? A: Correct - these are about NEW patient proofing, not returning patient. There's another set for returning patient.
  • Increasing use of biometric identification/authenticators for returning users - palm vein, fingerprint - used to locate the correct clinical records.
• Q: Is the mention of IAL2 deliberate? A: Yes - there are incoming regulations that will require it.
• Q: Which version of 800-63? A: 800-63-3 - will specify that reference in future revisions
• Q: 63-3 requires verification with issuer - how do you do this? A: Credential document validation can be done by companies like IDEMIA and others. Then do a biometric compare of license to physical person. 
• Q: Don't see how the non-actor stakeholders interests are met - e.g. if the person failed identity assurance how are their interests met - e.g. if not identified, then insurance payment needs not met - what alternative flows need to be documented to satisfy those stakeholder needs?Catherine continuing to refine UC01 and UC02
• Andrew has discussed Financial Institution use cases with a few FIs
• Andrew has discussed available use cases with Government of Canada (includes Federal, Provincial, Territorial governments)
• Looking for use cases from lightly- or indirectly-regulated sectors
  • Looking for "sharing economy" use cases
  • Looking for "blockchain" use cases
  • Looking for "retail" use cases

Writing teams updates

• Status
• Issues
• Next period plan

Chair