Page Comparison

TBD

TBD

TBD2024-08-22 IAWG Meeting Notes DRAFT

• 2024.07.11 DRAFT Minutes

No discussion, approved.

• Potential Criteria Updates

  • Discussion: re: 63B#1340, 63A#0130 b) (Jimmy Jung’s email on May 28th),  and  63B#0120. Led by Jimmy.

Jimmy/Andrew

• 63A#0130: Kantara has gone beyond what 800-63 requires by requiring a record of the unique reference numbers.

  1. Perspective from a client - is it worth the risk (owning PII) to keep these records?

  2. Question to the group:  Do we want to keep this expansion of what was given in 800-63?

  3. Mark: There are methods for showing that you’ve done the check (can match in the future/a hash of the thing itself, not the information).  Can compare later with keeping it all.

  4. James: Notes the need to confirm “correct, lawful basis for collection” in the contract.

  5. Jimmy: Is it OK to say we looked at it (not keep it) and that’s good enough?

  6. Jimmy’s recap: (2nd column)-original 800-63 requirement-you need a log and to identity the steps taken to identify an applicant and types of evidence presented in proofing process.  Far right column - Kantara’s criteria wants to know what kind of identity proofing was performed (supervised/unsupervised, etc) and we want a unique reference which is mostly like a unique reference number from that evidence.

  7. AHughes question:  Has any consumer ever asked a CSP to prove their  license was shown?

  8. Yehoshua: rev 4, line 1256 will state that the CSP has to save the identity evidence.  The CSP will have an account and included will be the validated identity evidence.  

  9. No change needed, since this will be required in rev. 4.

• 63B#0510: Why are authentication attempts limited to 100? What comes after this? Can it time out and try again? ARB dismissed question.

  1. Yehoshua: These are guidelines, not standards.

  2. User will be locked out, need remedial efforts to try again. Once success happens, the counter is reset

  3. Is there any guidance on what action to take?  Jimmy to continue to look.

  4. No change needed, aside from additional guidance on Kantara’s materials.

• ARB comment on potential bug in 63A#0510 criteria (Lynzie)

  • Talks about biometric performance requirements which is more about measuring algorithmic performance and not human performance. If using a human, this cannot be done.

  • #0510 references 63B authentication criteria and authentication doesn’t recognize human verification of the biometric against some portrait or reference biometric. The 63B criteria is only applicable to automated biometric systems.

Andrew

• Hughes: This is a long standing bug in 63A and there is no way to achieve what they reference (biometrics–without confirming it is applicable).

• Jimmy: Change the wording to something like “supervised proofing, remote or in person, where biometric techniques are used”?  Should address applicable requirements in 620 to 680.

• Yehoshua:  This is part of the circle as to whether the person involved is a trusted referee or not, and what a trusted referee means, etc.  Kantara doesn’t accept a trusted referee making independent decisions.  Additional inconsistency in Table 5.3 (verifying evidence with 2 choices-physical or biometric), then when you do biometric you need to satisfy 63B 5.2.3 (biometrics)

• Jimmy/Yehoshua/AHughes: concur there is some confusion.  

• Clarification of the criteria to say “you don’t have to meet biometric requirements if you are not doing biometrics”

• Yehoshua: Doesn’t rev. 4 require biometrics for IAL2? So this would simply be a temporary fix.

• ACTION:  Andrew Hughes Andrew/Group to follow up on this potential bug