Attendees:

...

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2023-02-23 Minutes

    • General Updates

    • Assurance Updates

  2.  Discussion: 

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

...

Revisiting last meeting’s discussion on 63B#1330 and the misaligned reference - upon further review I found another instance (#1420) where the same misaligned reference is noted. I’ve since corrected it. This led Richard and me to carefully check other references and we found a number of instances where something similar had occurred. They will all be corrected in the upcoming release of v4.2 (other impacted criteria - #0390, #00820, #1290, #1380). Andrew believes LC needs to approve it prior to publication and distribution.

Discussion:

Revision 4

It was discussed that comments are coming in mostly around 63A. In regards to 63C, it appears people are spending more time focusing on the NIST 217 draft related to PIV.

...

Jimmy raised the issue that after reviewing -4, it appears our interpretation of supervised remote from -3 could be incorrect. It seems clear it was never meant to apply to IAL2. If he can find the justification in -3, he’ll send an email to the group if we want to make that update. The supervised remote requirements we say are applicable to IAL2 and IAL3 - but -4 makes it seem they were never meant for IAL2. Going back to -3 now, it seems a bit clearer – though not clear. Andrew clarified that supervised remote requires that it is CSP hardware. Jimmy confirmed that is the sticking point. The Kantara interpretation is different than what Jimmy sees in the federal space. Jimmy will try to look into it further with justification for us to revisit.

  • Jimmy’s follow up email: Following up on my little rant about the applicability of 5.3.3.2 Requirements for Supervised Remote In-Person Proofing in SP 800-63-3, which are captured in Kantara criteria 63A#0520 - 63A#0580, and applied to IAL 2 and 3.  I believe they should only be applied to IAL3.

    • Part of the confusion is the result of the term being used (superfluously, I think) in the IAL2 criteria in section 4.4.1.

    • In 4.4.1.6, 63-3 refers to three types of proofing: “in-person proofing (physical or supervised remote)” and “remote proofing (unsupervised).”

      • “Unsupervised”, I believe is well understood.  “In-person” and “Supervised” BOTH mean with a CSP operator; with one case being physically co-located and the other being remote

        • (to clarify this confusion, in my comments to 63-4; I suggest sticking with the well understood term “unsupervised” and removing the redundant and sorely abused term “supervised,” and instead consistently using the phrase “with a CSP operator.”  This also would get rid of the regrettably awkward phrase “in-person remote,” and replace the incredibly confusing phrase “Supervised Remote In-Person,” with “remote with a CSP operator.”)

    • Section 4.5 requires identity proofing at IAL3 be performed in-person (to include supervised remote).

    • Section 5.3.3 specifically refers to the Supervised Remote In-Person requirements in the context of IAL3, saying In-person proofing at IAL3 can be satisfied with “A physical interaction with the applicant” or “a remote interaction with the applicant, supervised by an operator, based on the specific requirements Section 5.3.3.2.”

    • Section 5.3.3.2 specifically refers to IAL3, “Supervised remote identity proofing and enrollment transactions SHALL meet the following requirements, in addition to the IAL3 validation and verification requirements specified in Section 4.6:”

    (In truth, I don’t really know if they meant section 4.6, enrollment codes appear to apply to both IAL2 and IAL3 – or 4.5, the IAL3 section.)

    (I would also note that by calling out IAL3 in both 5.3.3 and 5.3.3.2, it is very unclear if 5.3.3.1 is intended to apply just to IAL3 or all in-person proofings, certainly inspecting the fingers before you capture prints seems reasonable at all levels.)

    • Informative Section 4.7 summarizes the presence requirements to say IAL2 is performed “In-person and unsupervised remote” and IAL3 is performed “In-person and supervised remote.”  This suggests that IAL2 remote proofing can ONLY be performed unsupervised, which doesn’t quite seem logical and also contradicts the discussion of “in-person proofing (physical or supervised remote)” in the IAL2 sections

    • Since the Supervised Remote In-Person Proofing requirements are specifically and only referenced as part of IAL3; a position, I think 63-4 tries to make even clearer - I think Kantara criteria 63A#0520 - 63A#0580, should not be applied to IAL2

    • On the other hand,  while this does impact some of our clients, they have worked around it, but it’s not quite graceful.  Even if you agree with my thinking, it may still be worth discussing, if the juice is worth the squeeze of a KIAF-1430 update.

Richard raised the issue of a live operator - it’s messy in -3 and doesn’t get better for -4. Now there is an applicant reference in -4. We need a standard understanding of the role and the requirements.

Any Other Business:

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!