2020-06-03 Meeting Notes IAL3
Attendees: Ken Dagg (Individual Contributor and IAWG Chair), Martin Smith (Individual Contributor and IAWG Vice-Chair), Andrew Hughes (IDEMIA), Richard Wilsher (Zygma), Nathan Faut (KPMG), James Jung (Slandala), Colin Wallis (Kantara Initiative), Ruth Puente (Kantara Initiative).
Draft reviewed during the meeting: KIAF-1430 SP 800-63A Service Assessment Criteria v3.1.4+IAL3.xlsx
Key discussion items
- Richard explained that the 63C document specifically refers to Federal Agencies, Relying Parties and IdPs, in which he used Kantara’s nomenclature (that is CSP). It also introduces the notion of Federation Authority.
- In 63 A and B there are references to Federal Agencies, there are references to RPs. Therefore, Richard said he thought to have all over 800#63 rev.3 set of criteria in a consistent form and to go through the 63 A and B to pull any criteria which are specific to Federal Agencies and RPs (which were previously ignored). Now, for the sake of consistency, he believes that those need to be addressed. In addition, in 63C it says that RPs have to meet requirements in 63 A and B.
- Then, because it is being dealt with two assurance levels, he explained that he added two columns to the right of the criteria. This will show the Assurance Level at which each criterion applies.
- Richard commented that in section 4.4 he introduced some requirements, he thought it was a good idea in order to bring forward this requirement for the types or the classes of proofing that a CSP could offer.
- Martin mentioned that the concept of Federation Agreement is widely applied in the FAL.
- Richard added that 63C makes explicit statements about certain things that should be in a Federation Agreement. It does not make it a specific entity; it does say there might be Federation Agreement.
- Martin said it is a checklist where you have to say what you need or what you do not need.
- Richard commented that also in that document, there have been made revisions of what it takes to join a Federation. It does not explain what vetting is.
- Ken added that in the simplest of the cases a Federation is a CSP and RP, as defined by NIST. This Federation Agreement contains all of the requirements that must exist for the CSP and RP to interact.
- Andrew asked if by formalizing a Federation Authority and indicating that some things might be under the control of Federation Authority, ‘are we biasing ourselves towards having Federation Authorities in too many cases?’. When NIST uses the term lower case Federation, they mean external authentication. Ken responded that the concept of a formal Federation Authority, if one exists, it has certain obligations according to what NIST says in 63C. If there is no formal Federation Authority, they lose groups of two or more participants. It does not only mean that there has to be a Federation Authority, there could be, but the Federation Agreement is what counts rather than the Federation Authority. Richard commented that furthermore, there has not been placed any new requirement upon a Federation Authority, it was only stated what NIST had stated. The concept of Federation Agreement was created.
- Richard said this is the way the document will be presented, Andrew said he reckons it will work.
- Andrew asked about column I, if there is a track mark in column I, does it mean that a commercial CSP is excluded from that requirement? What does that mean? Richard said that they will be marked in I, is where it says Federal Agencies SHALL… etc.
- Ken said that a Federal Agency is an RP, it would be I and K. Richard said that potentially, yes. The point at the moment, continued Richard, is that it is very clear what is done with the CSP because it has been done for a long time. What has never been done before, is to have means by which to assess an RP.
- Andrew suggested to consider reordering I, J and K in the reverse order. CSP column is the most populated, he said. Richard explained it is because this is the nearest to the criteria. Andrew said that it unfortunately implies an increasing level of things to do. Richard responded it is a reasonable argument, he will implement it.
- Richard continued going straight down to the IAL3 criteria. He mentioned that lots of the texts here were copied from the Level 2 criteria, he changed what was necessary.
- 63A#3010: Richard suggested to mark it in green.
- 63A#3020: Here, a, b and c tell what is needed to have. They are global requirements, definitions of strength. This is simply the case where the CSP is going to say “I am using a Driver’s License, and this is how it needs the requirements”. It was agreed.
- 63A#3030: Richard mentioned this is reasonably enough and again, exactly the same as IAL2. Once you designated the strength of a piece of evidence, you have to validate it at a same strength. It was agreed.
- 63A#3040: The binding to the evidence has to be a process that is able to achieve a strength of SUPERIOR. What Richard had not noticed, is that IAL2 says “we need bind” you have to use a single piece of evidence of the strongest level collected. When it comes to binding you have to do it at a level that achieves superior, it does not say a single piece of evidence. Richard asked if it should be assumed that it is against a single piece of evidence. Andrew observed that superior is biometric, he said that this is the challenge of using the same levels for different things. If you have a piece of strong evidence and you can do biometric comparison to that strong evidence, that is considered to be superior binding. He said his question is “is there any strong evidence document that you can actually do biometric comparison?”. Richard clarified that the criteria were brought out of 63B and were included in 63A, the NIST reference is 63B. Andrew proposed that the only notes that should be contemplated, are the notes that consider a photograph as some sort of biometric comparison. The specification of the parameters of matching is what makes the comparison biometric or not biometric. Richard suggested to add a reference, he will make a note to himself to look at this (Row 117, Inc. ref to T5-3). Row 118 was agreed.
- 63A#3050: Here you can only do it using supervised proofing. Andrew said that the NIST requirement says: “In addition, identity proofing at IAL3 is performed in person (to include supervised remote)”. It was commented that it has to be a human watching at some place, whether in person or remotely in real time presumably. It was agreed.
- 63A#3060: Richard added he made this harder than the NIST requirement. Andrew commented that as written in the Kantara criterion is too restrictive and goes beyond the intent of NIST, because if the CSP has access to assisted records, that is actually what you need to do, is to use the address information from the system record (not the identity evidence). Martin asked in what sense that is no longer accurate Driver’s License evidence at all. Andrew responded that until the new piece of plastic arrives, it is your valid Driver’s License. Ken clarified that column H is the statement that came from NIST document. Richard explained they are in gray because they are not normative SHALL statements. Ken suggested that the criterion should be, as Andrew suggested, to get rid of the information taken, the CSP SHALL confirm the address of record, as a note of the whole discussion around the system of record and then valid information in the NIST requirement. This the logical order for him, to contemplate what the subject provides. Richard argued he thinks that it should be created a meaningful normative statement. He said that what is needed here is a solution which is generically applicable. Andrew added this is one of those criteria which strongly supports the notion, in other words, the NIST proofing tidelines are based on physical identity evidence. This is one of those ones, address records, now it is phone numbers because it is digital.
- It was agreed to schedule 2 hours meeting for next week.
- Richard will make a new text for the previously discussed criteria.