Participants:
IAWG Voting Members: Andrew Hughes, Denny Prvu, Jimmy Jung, Mark King, Michael Magrath, Richard Wilsher, Mark Hapner
IAWG Participants: Eric Thompson, Lorrayne Auld, Marc Aronson, Max Fathauer, Varan Lal, Chris Lee, Jason Addis
Guests: Ben Piccarreta, Scott Perry, Simone Alcorn, Tom Barton, Lewis Lott, Noreen Whysel
NIST Reps: David Temoshok, Ryan Galluzzo, Andy Regenscheid, Connie LaSalle, Jim Fenton, Justin Richter, Sarbari Gupta, Christine Abruzzi
Kantara: Lynzie Adams, Kay Chopard

...


Note: NIST tries weekly to review and respond to questions submitted to dig-comments@nist.gov. They encouraged the group to submit anything else that comes to mind! Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org.

Federation:

It is noted that Volume C has more material in this revision. What is the rationale for beefing it up? Is it related to the maturity of federation in federal government over time? Or in response to certain incidents that NIST has been dealing with the last several years?

...

While not a requirement, NIST points out that the account recovery process outlined in 63B calls for an abbreviated identity proofing process to occur. Whether the CSP retains the original proofing data will have an impact on how abbreviated that is. The verification step needs to be done again; if the data has been retained, that part can be repeated against it.

Authenticator Binding

There is binding at enrollment and then post-enrollment binding.

...

Is there actually a difference between when you bind during enrollment versus at some later time? Or is it the type of authenticator you are binding to that makes the difference?

Enrollment is the tail end of the identity proofing process. There needs to be some way of associating authenticators with the person that was just identity proofed. Binding afterwards is something that tends to be much more self-service: the subscriber decides that they need another authenticator for another endpoint they have that has different interface requirements, or they want to bind an authenticator that is part of one of their endpoints. They can do that post-enrollment. It also has to do with a separate, new section on account recovery. There was a lot of confusion on that previously, since rev. 3 did not address it very prominently. That is the case where someone loses an authenticator or forgets a memorized secret or something of that nature and needs to recover from that situation. NIST is very much trying to encourage the binding of multiple authenticators and to allow people to use those authenticators to do self-service recovery. NIST is troubled by a lot of things that are commonly done, like email recovery and so forth, because in the case of MF authenticators, email is typically not a MF process. It is not very secure internally either. So, NIST is trying to make that point clearer. NIST does not believe the requirements have substantially changed from rev. 3 to rev. 4, but they have tried to state things more plainly in terms of things people will be looking for.

...