Attendees
Invited Guests: Jim Fenton, David Temoshok, Scott Shorter
Non-voting participants: Andrew Hughes, Roger Quint, Ahmed Naeem
Voting participants: JJ Harkema, Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher
Staff: Colin and Ruth
Quorum: 4 of 7. There was quorum
Agenda
- Administration:
- Roll Call
- Discussion: NIST Response to Kantara Implementation Guidance Reports on 800-63-3
Discussion on NIST Response (Key discussion items)
- DT said that NIST appreciates Kantara's work offering a Trust Framework based on NIST 800-63-3 (A and B criteria), which is a valuable service for the industry and for the Agencies.
- RW added that IAWG expectation is a more definite response to guide us on the implementation of the criteria. He would like to know how Kantara will apply the responses we received, live with the uncertainties or apply our own interpretation?
- DT clarified that NIST can respond to inquiries from industry or gov agencies, but they cannot add text or change normative requirements. However, they can clarify terms and text. In addition, NIST is working on implementation resources, FAQ, informative text/material that is not included in the normative text and could help on the implementation, which will be published in the coming year.
- RW remarked that the Kantara Reports addresses issues on implementing or applying the criteria, for instance cases when it's extremely difficult to meet the criteria, so one of the goals of the Reports is to get guidance or some kind of alternative interpretation to the criteria.
- RW said that in relation to requirements for validating evidence, SP 800-63A 4.4.1.3., he has an observation on NIST response "this requirement would include the comparison of pictures on state driver’s licenses to DMV records or another authoritative source". He stressed that there are no other authoritative source for comparing a picture on the driver license, other than issuing the DMV, given the provisions of the Driver’s Privacy Protection Act, no such comparison is going to be possible. And Dep. of State doesn’t offer any such facility to match a photo on a passport. If I can’t match a driver license photo with the issuing DMV, is it sufficient to only match the text info on the driver license?. DT answered that the photo match and biometrics match requirements is in the verification of the identity evidence to the applicant in the identity proofing process, whether that comparison to the validated identity evidence is performed through a biometric or comparison match is required for verification and it binds the applicant to the validated id evidence. JF added that the purpose of validation evidence is to make sure that the evidence that was presented is genuine and that the evidence applies to the applicant, thus we use the photo for the latter and not for the former. DT clarified that "validation" is validating the genuineness of the identity evidence; "verification" is verifying the binding of that validated evidence to the applicant.
- AH asked if as verification it is allowed to compare a selfie to the photo on the driver license. DT responded that for remote identity proofing that form of verification it may be required. JF added that it would be better to have a liveness detection, like a video chat. AH stressed that in unsupervised remote identity proofing, from a design perspective it's difficult to compare a photo of the driver license with some sort of scan of the person using her/his phone.
- JF pointed out that 63A provides a mid point for AL2, a balance between achievability and security, but there isn't too much 63A can do to improve the security of remote proofing given the limitation of the evidence that people have.
- MH asked if someone qualify for AL2 using driver license with remote proofing? AH answered that for instance Idemia does.