Attendees

...


1. Administration:
Roll Call
2. Discussion:

a) NIST response to Kantara Implementation Guidance Reports on 800-63-3

...

  • Richard has proposed a set of terms for further clarity.
  • David made comments on the concepts used in identity proofing, in particular the presence requirement: the presence requirement for IAL2 could be either “remote” or “in-person”. The terms “remote” and “in-person” are used as dictionary-defined terms.

-Remote identity proofing: the applicant and the operator or interviewer are remote. It represents an identity proofing session where the CSP and the applicant are in separate locations, not meeting face-to-face, with communications over a network.

-In-person is a face-to-face identity session in the same location between the CSP and the applicant.

-In addition, a new term was introduced in 63A for “supervised” remote in-person identity proofing; it has explicit connotations. “Supervised remote identity proofing” means that the requirements and controls for identity proofing sessions specified in SP 800-63A section 5.3.3.2 Requirements for Supervised Remote In-Person Proofing are applied.  SP 800-63A section 5.3.3.2 requires specific physical, technical and procedural controls so that supervised remote identity proofing can be considered equivalent to an in-person identity proofing session and, therefore, meet the in-person presence requirement for IAL3.

  • About this, Richard commented that David described “in-person” as the applicant and the CSP being in the same location, and that it was also suggested that there is “remote”, where the applicant is in contact over a network connection with somebody acting on behalf of the CSP. Consequently, it was said that there is confusion, because it is implied that there are two levels of interaction between the applicant and a human being on the part of the CSP, now that the term “supervised” is used. David answered that this is not what he said; the term “supervised” has a very special meaning in 63A. He added that “supervised” refers to remote identity proofing that would meet the requirement of in-person identity proofing although the encounter between the applicant and the operator is remote. Supervised in this context thus means there is specialized equipment that allows the CSP to view the entirety of the identity proofing session, to check both the documents and the entire session, and to ensure that the applicant is present: they can view the applicant through the entire session and see that there is no one else present. The specific controls needed to consider such a remote process equivalent to an “in-person” session are covered in SP 800-63A section 5.3.3.2 and are called Supervised Remote Identity Proofing.
  • Jim appreciated the input on the terms, since it is necessary to be as precise as possible. However, he argued that he has some trouble seeing something as unsupervised, because it kind of implies that it cannot be supervised, and one should not fall into that trap. He considered that it is not something that can be acted on anytime soon.
  • Jim also mentioned that you can still have human interaction and still not meet the requirements for supervised, because the difference between “supervised” and “unsupervised” is that with “supervised” you may think of a specific piece of hardware that is conformed by the CSP in order to be proofed. The difference at IAL2, when you are doing proofing that does not involve Supervised Remote Identity Proofing, is that the interaction could be on the user's own PC: they can use a webcam, and they may have a voice session if they are interacting with a human agent. He stressed that, for him, the difference between “supervised” and “unsupervised” is the question of whether there is a location that has a specific purpose-made piece of hardware conformed by the CSP, or whether it can be done from an office.
  • David stressed that Supervised Remote requires CSP equipment for the remote applicant.
  • Roger said he understands from this perspective that, if the CSP provides the equipment, it does not matter whether there is a human person reviewing that or not, as long as the equipment belongs to the CSP. Jim answered that there is a whole set of requirements in order to be able to call it Supervised Identity Proofing, and it is not a requirement for IAL2.
  • It was asked whether Supervised Remote at IAL2 requires a physical representative of the CSP to be involved during the proofing process. Jim responded that it would not be called that at IAL2. You can use the same equipment, but all of the requirements of 5.3.3.2 do not apply at IAL2; you can use the equipment if it is available and convenient for applicants to use, but it is not a requirement at IAL2.
  • Richard’s proposed table would have to be changed considering the NIST comments and clarification on it.

...