...

Demographics and Communities of interest (COI) e.g. NASA, IRS:

  • There is a certain number of users, transactions, services, solutions, interests and mission areas within these relationships: Government to Government (G2G); Business to Government (B2G); Government to Business (G2B); Citizen to Government (C2G); Business to Business (B2B); Citizen to Business (C2B).

  • What do demographics cover?

  • There are 204 agencies.

  • Avoid losing boundaries, as it causes confusion about the trust and what is certified.

  • How can TFS and the other areas, non-PKI and PKI federations, SAFE vs Kantara vs InCommon, work together to build a good ecosystem and services?

  • Industry: Of the 204 agencies, which interact with the federal government? The objective is enabling the parties to work with government, so CSPs need to know who performs those interactions.

  • Analysis of G2G transactions vs users: a higher number of users with a lower number of transactions versus a lower number of users with a higher number of transactions.

  • Work together to improve the services to the particular communities of interest.

...

  • Big challenge: establish a strong online identity.

  • Improve the service and usability. How do we protect metadata in the transactions (C2B, B2B, etc.)?

  • Comparability is qualitative, based on the assessors. There are assumptions around what comparability is.

  • Re-write the requirements from an objective and outcome perspective, rather than compliance to the process, e.g. what's the outcome from this requirement?

  • Assessors need to know the objectives of the comparability requirements.

  • Authentication risk (low level of assurance): the challenge is scalability in the implementation.

  • Assessors perform an overview audit.

  • FICAM is making a comparison between the US and UK models. It is important to consider the user and provide value to the customers.

  • Stronger authentication (higher assurance credentials) in the C2G and B2G communities.

  • Need to have standardized, reliable trust validation policies and procedures and allow the low assurance level to operate. The low assurance levels are easy for citizens to use.

  • Challenge for FICAM: scalability. Agencies do not want to be responsible for ID proofing. The RPs do not want to spend the resources (capabilities) on this.

  • Improve driving solutions that are usable.

  • Form Vector. Social login + additional factors, YubiKey authentication.

  • 2-factor authentication has no meaning without the appropriate policy.

  • FICAM's problem is identity verification first (who are you online, and getting that proved).

  • What happens during authentication?


Main topics of interest for the afternoon discussion:

1. Process improvement

2. Information improvements

...

5. Specific programs + RPs (civil agencies) and C2G, B2G, G2G.

6. Usability


Other topics of interest:

  • Future liability across the entire transaction.

  • Alignment with the European framework and other frameworks.

  • PKI vs non-PKI.

  • Government metadata to prove identification verification.

  • Registry of “names”

  • Well-defined requirements for C, B, G.

  • Terminology (unified terms and plain language).

  • Simplify attributes bundles documentation (for a next round).



Highlights:


  • FICAM needs a charter that defines the relationships between PKI, TFS and other solutions. Operational procedures: define the rules.

  • Revise/update the requirements to be goal oriented rather than process oriented.

  • Important to know which FRPs will be the first adopters and the level of adoption. What will the early adopters need? Then the CSPs can adapt the innovation to that.


Key discussion topics:


  • Equivalency in the framework with other frameworks and on assessments.

    • CSPs need to certify against multiple frameworks: each scheme runs mostly independently of the others and typically doesn't allow mutual recognition.

    • Discussion about the role of NIST in standards setting; this might be a starting place to begin the equivalency work.

  • Connect.gov: challenges in adoption and usability by citizens.

    • The major issue dragging down the adoption rate is usability: lots of friction in the system from handoffs between providers (because the handoffs are not anybody's direct responsibility).

    • CSPs would like to hear directly from RPs to be able to improve/enhance the product faster.

  • Access to government.

    • FICAM thinks it's a good idea to allow access to government datasets, but does not know what the path forward should be.

    • RPs are asking FICAM to produce a mapping of the TFPs with their differences and equivalences.

    • NIST/FICAM: FICAM should lead on discrepancies when NIST requirements are not aligned with the TFPs. Normalization for interoperability.

    • Standardize across the frameworks.

    • FICAM is reviewing the UK model. In their assessments they also include a physical check.

    • OIDF started a working group to profile OpenID Connect for government digital identity transactions. The working group's name is iGov and we invite participants to join. The group is co-led by UK GDS, Ping Identity, and NIST.

Next steps:


  • Charter drafts via the hub model.

  • Matching services.

  • Coordinate a meeting with the RPs to talk about particular areas.

  • Meet quarterly – virtual and face-to-face.

  • Work on demographics.




PDF version: FICAM Workshop Meeting Notes – 20160114 .pdf