Attendees:
Voting Participants: Mark King, Mark Hapner, Martin Smith, Ken Dagg.
Non-voting participants: Eric Thompson, Jimmy Jung, Roger Quint, Tim Reiniger
Guests: Jeff Tackes, USPS
Staff: Colin Wallis, Ruth Puente
Quorum: 3 out of 5. There was quorum.
Agenda
1. Administration:
a. Roll Call
b. Agenda Confirmation
c.Minutes Approval 2021-04-08 DRAFT Minutes
2. Discussion
a. Draft responses to the UK questions.
b. NIST open discussion issues in light of SP 800-63 rev.4.
3. Any Other Business
Minutes Approval
The minutes were approved by motion. Moved: Mark K. Seconded: Mark Hapner. Unanimous Approval.
Draft responses to the UK questions.
- Ken walked the group through the draft comments available at https://docs.google.com/document/d/103q3NrG31j3dalW3X3UuS_jj8_hWbmXEPSNRSHWlOHA/edit?usp=sharing
Question 1
- Due to Kantara's previous submissions, this answer should be revised.
- It was pointed out that there should be a comment noting the lack of warning/notification of the changes, which makes it challenging to get consistency in a document that is new. Consistency requires stability of the documents.
- It was commented that given that there is a provenance with 63-2, and 63-3 is becoming the predominant baseline internationally, it should be considered. Moreover, in light of cross-border recognition developments, the Australian TDIF framework and NIST 800-63-3 should be taken into consideration.
Question 3
- It was agreed that we should use international interoperability in the answer.
Question 4
- It was commented that a Trust Mark is a tangible representation of a certification, which informs about the scope of certification, expiration date, applicable assurance levels, class of approval, etc.
NIST open discussion issues in light of SP 800-63 rev.4.
- It was said that Eric provided comments on the liveness test by email, and they were added as a comment to the GDoc: "The use of liveliness test and PAD is specifically focused on fraud detection and introduces significant friction to the ID proofing process. As such, this is only appropriate to make mandatory at IAL3. Below IAL3, it should be up to the agency to determine the appropriateness for their process and risk appetite".