Kantara Initiative Identity Assurance WG Teleconference
...
- Administration:
- Roll Call
- Agenda Confirmation
- Minutes approval: IAWG Meeting Minutes 2013-11-21
- Action Item Review
- Staff reports and updates
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Discussion
- IAF-1400 draft for 45 day public review - see linked document: Kantara IAF-1400 SAC v3-1.docx
- Disposition of 800-63-2 -> SAC Mapping working documents - where/how to store for future reference?
- FICAM TFS Program update comments from IAWG members & consolidation
Link to review documents and comment template here: https://kantarainitiative.org/confluence/x/fYHwAw - REMINDER: Ad hoc call to continue FICAM TFS discussion Friday December 6, 2013 10:00 Eastern.
- AOB
- Adjourn
Attendees
Link to IAWG Roster
...
Info |
---|
Meeting achieved quorum |
Voting
- Myisha Frazier-McElveen (C)
- Rich Furr (V-C)
- Andrew Hughes (S)
- Scott Shorter
- Matt Thompson
- Richard Wilsher
- Cathy Tilton
...
FICAM TFS Program update comments from IAWG members - December 6 2013 meeting notes
Myisha Frasier-MacElveen (Chair), Rich Furr (Vice-Chair), Andrew Hughes (Secretary), Peter McDonald (Symantec), Nathan Faut (KPMG), Cathy (Daon), Scott Shorter (Electrosoft), Bill Braithwaite
- SS: gave overview for 1st eSoft comment
- PM: Submitted a question around what 'Verified' means - Verified is probably distinct from Assurance Level
- SS: For these Verified Attributes - is there any difference between
- PM: Scenario: At LOA2 and LOA3 if a person gives a fingerprint and zip code -> this uniquely identifies an individual. So is the zip code a Verified Attribute or not?
- There's not enough clarity on how this is intended
- SS: Identity Proofing only establishes that the identity is a real person - it does not actually say anything about the person being the person claiming the identity
- Need to either include gradations of 'proof' so that this is not an absolute
- Need to work out how post-registration identity changes should be used to maintain the integrity of the initial proofed identity
- RF: CSPs do a pretty thorough process to establish that the identity information relates to the actual person - either by in person or using antecedent information
- Never 100% perfect but it is well-understood process
- SS: maybe the RPs would be served better by having ID Proofing process metadata -> that gives hints about provenance -> so the RP can assess risks properly
- BB: the 'real person' establishment has been subsumed into the process of 'identity resolution'/ 'identification of an individual'
- SS: general comments on use of more standardized requirements language e.g. 'shall', 'should', etc
- MF: ATOS document p4 discussion - the reference to Financial Institutions exemption. The identity vetting processes depends on the type of account - so hard to deal with LOA equivalence
- PM: Definition of verification - e.g. Name - what is needed for name variants? For some attributes variants might need to be allowable.
- PM: Concern that if CSPs need to become full-blown attribute providers will require significant resources and investment
- PM: discussed Symantec's comment re verified attribute sources
- PM: if a CSP has to go to additional sources to verify attributes then the CSP's financial model changes
Logistics:
- Andrew to consolidate
- Scott to update his comments
- Myisha to send comments to Andrew
- Andrew to send consolidated sheet to Joni for integration into the ARB document
AOB
Carry-forward Items
Attachments
...