Updates:
All Documents
Item 1
We suggest that inclusion of the document hierarchy (http://kantarainitiative.org/pipermail/wg-idassurance/2009-September/000081.html), or derived material, along with commentary similar to the Kantara response of 8 December 2009 to the Open Identity Framework Joint Steering Committee (OIF JSC), would greatly enhance the distribution and communication of the document set for broader adoption. In particular, the hierarchical nature of the document set is described very well in the response to OIF JSC, and the various documents comprising the primary base reference set and the secondary set, and their purpose relative to Assessors and Providers, are discussed. We believe that a clearer explanation of the document set in a more self-consistent manner would aid in the readability and communication of the document set, and would help to define a structure similar to an ISO/IEC multi-part standard or the like (e.g., ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation). Furthermore, we believe that such an explanation of the segregation of responsibilities, as defined by the complete document set, would help readers and implementers to understand the various responsibilities and accountability within the Accreditation process - for example, it is not clear that the Assurance Assessment Scheme should be part of the primary base reference document set; instead it could potentially be in the secondary document set, and/or administered outside of the IAWG.
Discussion: It seems like a description of the document would help, in addition to the overview. We could include the graphical representation here. It is a comment around describing the document set. It's a helpful change but not substantive. OIF JSC content is suggested as a good start.
Volunteer: IAWG participant to lead the inclusion of this comment into the Overview: Colin Soutar (CSC)
Item 2
It would be instructive to observe that some initiatives, such as TSCP (Transglobal Secure Collaboration Program - http://www.tscp.org/), apply more rigorous infrastructure requirements and rules for participants than are generally set forth, due to the business rules and needs of the participants. This would illustrate the goal of defining a full range of requirements, starting at a minimum set of infrastructure at lower levels of assurance which can be graduated to meet more stringent, higher levels of assurance to meet specific business requirements. In particular, the specific differences in identity proofing in various initiatives could be further described to discuss the relationship with Identity Assurance, and, similarly, some discussion of how the varying privacy regulations define instantiation-specific privacy profiles would help, as was recently discussed relative to the ICAM submission.
Discussion: observe in the overview that we have started with the 4 levels, but there are many other factors that will arise as the world gets more experienced with this topic. We're starting based on NIST and the doc set will continue to evolve. Resolution of comment belongs in overview.
Volunteer: Dave Wasley to coordinate with Colin Soutar to incorporate this comment into the Overview.
Item 3
We believe that additional discussion of related identity initiatives that have developed over the last couple of years would greatly help to provide context for the Kantara Initiative IAF, as well as resolve (or mitigate, at least) definition ambiguities. Some examples include:
There has been much ongoing discussion around the Levels of Assurance defined in NIST SP 800-63 - a more recent commentary on this document would enhance the IAF document set. Also, with the recent developments of the ANSI Identity Theft Prevention and Identity Management Standards Panel (www.ansi.org/idsp); the publication of ICAM Part 1; the ANSI compendium of standards a few years ago; and the ongoing work of the ITU-T – should these initiatives be recognized as, at a minimum, orientation or reference material that readers should be familiar with? Also, the bibliography of the NSTAC Identity report references a range of discussions relating to some of the policy considerations recently raised in various Kantara fora.
Lastly, as Kantara evolves towards being both a technical specifications developer and an accreditation organization, it may be useful to review some of the implementation and documentation methodology used by the likes of the Software Engineering Institute, or under the auspices of the Common Criteria Scheme. The requirements for training, documentation, data, configuration management, reporting, audit etc., in such programs mirror those sought by Kantara to not only demonstrate system functionality, but also to provide the organizational tools to support continued success.
Discussion:
Volunteer:
Identity Assurance Framework - Overview
Item 1
There is a gap between the IAF and the SAC regarding Identity Proofing. There is no policy framework to overlay SAC IdProofing such as found in the NZ EOI standard draft V2, e.g. on what constitutes 'a government issued ID'.
Discussion: We need to dig deeper on this comment and perhaps work with P3WG to move this forward.
Volunteer: None - Bring to P3WG for further discussion.
Identity Assurance Framework - Glossary
Item 1
Suggest the definition of assurance levels carry context; a statement such as "Very high confidence in the asserted identity