Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Attendees

Voting participants

Jose Lopez, Zentry

Scott Shorter, Vice Chair

Ken Dagg, Chair

Mark Hapner, Resielient

Non-Voting participants 

Angela Ray

Staff:

Colin Wallis 

Ruth Puente


Quorum 

There was not quorum (5 voting participants out of 8)


Updates 

ED Update:

  • KI has participated in 3 bids for H2020 EU grant funding via Kantara Europe.
  • Kantara's panel at the KNOW Identity conference with panelists Mary Hodder from IDESG, Scott Shorter from Kantara Accredited Assessor KUMA, Tracy Hulver for Kantara Approved CSP ID.me and Leadership Council Chair Andrew Hughes. The topic was 'Service Provider Certification: Who Cares Anyway?', it was addressed what certification is, the different stakeholder perspectives, and there were interesting comments from the audience. 
    For full report, please see: 2018: March


Update on recent IAF changes and publications

  • The Kantara´s Service Assessment Criteria (SAC) for assessments against the requirements of NIST's SP 800-63A and SP 800-63B, KIAF-1430 and KIAF-1440, have been released. Available for Members Only download here:https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework
  • KIAF 1400 (OP-SAC and CO-SAC) have been repackaged and replaced by KIAF 1410 (CO-SAC) and KIAF 1420 (OP-SAC). No changes have been made. It reflects the multiple classes of approval. 
  • As Kantara added NIST SP 800-63-3 compliance to its Trust Framework, there are new classes of approval. The current Kantara classes of approval are: 
    -NIST 800-63 rev.3 
    -NIST 800-63 rev.3 (Technical) 
    -Classic 

Please find full description here: https://kantarainitiative.org/trustoperations/classes-of-approval/


Rework IAF 1000 - Overview and IAF 1100 - Glossary

  • Ken D. is preparing a straw man to proceed with the revision of the Overview and Glossary documents, which are out of date. 


NIST 800-63-3 Implementation Guidance and 63A SAC and 63B SAC assessment issues

  • Scott S.said that the implementation guidance is an inspirational thing, what can we use to try to add some light and understanding to 63-3, we hope to make it open and transparent enough, assessor across and between TFPs. 
  • Colin W. commented that NIST has shared a spreadsheet with 63A identity evidence list, evaluation for different types of identity documents and they seek the TFS Stakeholders feedback, it is not ready for public consumption.  
  • Scott S. added that KUMA has competed an assessment on 800-63-3 and identified 2 gaps in the requirements: 
    a) Authoritative Source. There is a Table 'Validation of the evidence' that states strong evidence must be validated strongly, and the evidence should be checked against an authoritative source. Authoritative sources must be either the issuer or have access to the issuer’s data.  Driver´s license case: It´s not commercially viable to validate driver licenses from 50 states. In the Passport case, it´s no communicating with the Department of State to verify it. AAMVA validation of DMV data is only partial, including the textual data but not the photograph.
    b) 63A Table 5-3 makes a clear distinction that biometrics is one thing and photograph verification is another thing. But the same requirements apply to authenticate the “sensor” (i.e. camera) or an endpoint containing the sensor (i.e. smartphone/laptop). When the applicant is the owner of the device, the IdP doesn’t have a way to authenticate the device.

When you ask the applicant to apply with their own hardware (camera), there is no way to authenticate the hardware. Trusted path for the collection of the photograph. Camera become must be authenticated by the service that is doing the id proofing. If you are relying on people that they purchased though other means, there is no way to authenticate those users and those phones.



  • No labels