...

Ken asked Richard Wilshire to introduce the topic and provide background. Richard reported that a US Federal agency has asked how Kantara would handle its use of a CSP implementing a "compatible alternative" to the IA controls included in 800-63-3. He said Sec 5.4 does allow US Federal agencies to use "comparable alternatives" and provides some guidance on how that would be done. Richard suggested that KI might perform an assessment of a service that used an alternative control, but he feels that Kantara can't take on determination of what is "comparable." He shared draft language for an approach to this issue Kantara might take. Richard further reported discussion of this issue with David Temoshok of NIST. He said David strongly discouraged KI involvement in assessing these alternative controls; he further believes use of such alternatives would only be appropriate to address a use-case unique to one agency, and that sign-off for use of an alternative control would have to be made at the agency executive level, i.e., by the CIO.

Blake ?? 

Blake – D.Me – thinks this is DOL, trying to use expired DLs. Hopes to service this requirement. Thinks maybe Real ID could be acceptable.

Eric Thompson agrees that alternatives should be OK; not everyone has ID.

Ken: 2 issues: gaping hole in rev 3; "comparable" process.

...

Hall said he believes the "Federal agency" Richard mentioned is the Department of Labor, which is exploring the possibility of allowing the use of expired driver's licenses as identity documentation for their public "customers." Blake said his company hopes to service this requirement.

Eric Thompson agrees that there should be alternatives for the large number of people who lack the currently acceptable identity documents.

Martin Smith suggested that from what has been said, it sounds like this issue could best be addressed via the upcoming revision of SP-800-63-A that could provide for more flexible (and thus more inclusive) identity-proofing alternatives. But of course 800-63 Rev. 4 will not be promulgated until some time next year.

Roger Quint said the question is: what are we trying to accomplish? Are we developing a general strategy for addressing special cases? He said Kantara should avoid getting in the middle of hard determinations.

The remaining agenda items were deferred to the next meeting due to time limitations:

b. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
c. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
d. Component Service Consumer criteria.

Mark Hapner: 

SOCA:  applicable

...

Ken summarized the situation by saying it appears there are two distinct issues: a gaping hole in 800-63-3, and how Kantara might deal with the "comparable alternative" process.

Chairman Dagg called time on the discussion at 2:59 PM. He characterized the discussion as very useful and

...

said Kantara will need to settle on an approach soon. He confirmed that the WG will meet next week to continue this discussion and, if possible, address other issues on today's Agenda that were not discussed.

Next Meeting: Next Thursday, July 1 at 1 PM US Eastern