
KANTARA IAWG gathering comments process on 800-63-3  

 

DOCUMENT January 30 2017 version: https://pages.nist.gov/800-63-3/ 

NIST Public Comment Deadline: March 1st 

Previous KI comments: Previous submission to NIST

 

FIRST SESSION

Key discussion items Feb 9th 2017:

  • Get comments in at least a week before March 31.  Switching back to weekly meetings to accomplish that.
  • Comments regarding cost and impact of the changes in the CSPs.
  • Concern about implementation timeframe. 

GENERAL COMMENTS of the document: 

  • Kolin Whitley, Experian - ID proofing strategies were put in place as part of multiyear contracts; how might that impact the component, given that the new guidelines are significantly different?
  • Russ Weiser, Zentry/Synchronoss - requirements for authoritative data sources, chasing identity documents to their source. The federal and state governments have failed to provide a verification service.  TFS work on standard operating procedures, the implication was that there were changes underway to make things easier for agencies to understand.  It's more unrealistic if agencies must grapple with new standard procedures from TFS at the same time that 800-63-3 hits.
  • One problem with 800-63 has been lack of flexibility in the face of considerable CSP innovation in how services are provided; we shouldn't try to stand in the way.
  • The simplification of the levels from 4 to 3 may have made it more difficult to obtain the levels. It removes the lower-cost category and increases the cost to comply.
  • The different numbers of levels in different countries may result in interoperability issues between the jurisdictions.

Reference: IAWG Meeting Minutes 2017-02-09

 

SECOND SESSION

Key discussion items February 16th

GENERAL COMMENTS

  • Continued use of bulleted lists - if the lists convey requirements, the implementer or the reviewer or the assessor needs to be able to refer to the requirements.  Richard has suggested numbers instead of bullets, so that requirements could be uniquely identified.
  • Scott will include this among the recommended IAWG comments as well - uniqueness of requirements clauses is of great assistance to implementers and assessors alike.

Reference: IAWG Meeting Minutes 2017-02-16

 

THIRD SESSION

Key discussion items February 23rd: 

REVIEW OF 800-63-3

  • Discussion of the need to uniquely identify clauses in the requirements.
  • Ken Crowl shared his list of his organization's concerns: Level of Assurance vs Identity Assurance Levels; Document verification; "Issuing Source". Overview of Experian position on NIST 800-63-3.pdf
  • Scott Shorter included a comment in support of the flow charts / decision trees included in 800-63-3.
  • Discussion of requirement for document verification for all remote proofing.  Call for a need for intermediate verification options that don't require the full rigor of IAL2 (remote + document verification). Technical challenges to document verification.

Reference: DRAFT IAWG Meeting Minutes 2017-02-23

 

FOURTH SESSION

Key discussion items March 2nd:

REVIEW OF 800-63A

 

 
