...

  • KI has participated in 3 bids for H2020 EU grant funding via Kantara Europe.
  • Kantara's panel at the KNOW Identity conference had as panelists Mary Hodder from IDESG, Scott Shorter from Kantara Accredited Assessor KUMA, Tracy Hulver from Kantara Approved CSP ID.me, and Leadership Council Chair Andrew Hughes. The topic was 'Service Provider Certification: Who Cares Anyway?'; the panel addressed what certification is and the different stakeholder perspectives, and there were interesting comments from the audience.
    For the full report, please see: 2018: March

Update on recent IAF changes and publications

...

  • Scott S. said that the implementation guidance is what we can use to try to add some light and understanding to 63-3; we hope to make it open and transparent enough for assessors across and between TFPs.
  • Ken D. stressed that the main aim of this tool is to use the same evidence and understand the evidence in the same way.
  • Colin W. commented that NIST has shared a spreadsheet with the 63A identity evidence list, with evaluation for different types of identity documents, and they seek the TFS Stakeholders' feedback; it is not ready for public consumption.

  • Scott S. added that KUMA has completed an assessment on 800-63-3 and identified 2 gaps in the requirements, things that are complex to achieve and potentially impossible:
    a) Authoritative Source. There is a table, 'Validation of the evidence', that states strong evidence must be validated strongly, and the evidence should be checked against an authoritative source. Authoritative sources must either be the issuer or have access to the issuer's data. Driver's license case: it's not commercially viable to validate driver's licenses from 50 states. In the passport case, there's no communicating with the Department of State to verify it. AAMVA validation of DMV data is only partial, including the textual data but not the photograph.
    b) Authentication of photograph. 63A Table 5-3 makes a clear distinction that biometrics is one thing and photograph verification is another. But the same requirements apply to authenticate the "sensor" (i.e. camera) or an endpoint containing the sensor (i.e. smartphone/laptop). When the applicant is the owner of the device, the IdP doesn't have a way to authenticate the device.
  • Jose L. added that when you take a selfie you can print the OTP to prove liveness.
  • Ken said that the implementation guidance should include these 2 issues as well.
  • Scott S. asked if there could be a class of approval of IAL2 minus something.
  • Scott S. explained that if an RP accepts a service less than a full assurance level, they should fill out a digital identity acceptance statement and submit it to GSA, and therefore the RP accepts the risk.
  • Ken D. added that in the Gov. of Canada, when RPs said an L2 token was not good enough, they implemented additional measures to mitigate that risk. That is an approach RPs could use. The RPs could say they are accepting credentials but will add "x" mitigation strategy. He suggested adding this approach as part of the implementation guidance. Also, he recommended using the eGovernment WG code of conduct in this context.

  • It was agreed to add this topic as a standing agenda item.
  • There could be a sub-group, open to the other TFPs, which will use IAWG meeting time.
  • Audience for this document: CSPs and Assessors, and may also include RPs.

...