2021-04-15 Minutes

Attendees:

Voting Participants: Mark King, Mark Hapner, Martin Smith, Ken Dagg.

Non-voting participants: Jimmy Jung, Roger Quint, Tim Reiniger

Guests: Jeff Tackes, USPS

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was quorum.


Agenda


1. Administration:
   a. Roll Call
   b. Agenda Confirmation
   c. Minutes Approval: 2021-04-08 DRAFT Minutes

2. Discussion

a. Draft responses to the UK questions. 
b. NIST open discussion issues in light of SP 800-63 rev.4.


3. Any Other Business


Minutes Approval

2021-04-08 Minutes were approved by motion. Moved: Mark K.  Seconded: Mark Hapner. Unanimous Approval. 


Draft responses to the UK questions. 

Question 1

  • Due to Kantara's previous submissions, this answer should be revised.
  • It was pointed out that there should be a comment noting the lack of warning/notification of the changes. It is challenging to achieve consistency in a document that is new; consistency requires stability of the documents.
  • It was commented that, given the provenance with 63-2 and that 63-3 is becoming the predominant baseline internationally, it should be considered. Moreover, in light of cross-border recognition developments, the Australian TDIF framework and NIST 800-63-3 should be taken into consideration.

Question 3

  • It was agreed that we should use international interoperability in the answer.  

Question 4 

  • It was commented that a trust mark is a tangible representation of a certification, which conveys the scope of the certification, its expiration date, the applicable assurance levels, the class of approval, the organization that operates the service, etc. Kantara has a Registry where the Trust Marks are listed.
  • It was added that, under Virginia law, the trust mark on an identity credential provides a warranty of compliance with the rules and policies of a particular identity trust framework in asserting identity and identity attributes. So a trust mark could have legal value beyond mere marketing or branding purposes. Kantara confirmed that in its framework the trust mark has legal implications: if the party does not follow the policies, terms and conditions, the trust mark is revoked.
  • It was commented that the UK government should monitor the use of the trust mark.
  • A digital, machine-readable version of the trust mark might be useful, as well as a visible trust mark.

Question 7

  • It was pointed out that services are certified, not organizations.
  • It was clarified that Kantara's model suggests integrating a service with a certified SP, but does not require it. Moreover, Kantara's CO_SAC (CO#0320 and CO#0330) addresses the interaction with external services, and the risk mitigation measures include contractual arrangements to enforce the implementation of the policies and procedures.

NIST open discussion issues in light of SP 800-63 rev.4.

  • It was said that Eric provided comments on the Liveness test by email, and they were added as a comment to the GDoc: "The use of liveliness test and PAD is specifically focused on fraud detection and introduces significant friction to the ID proofing process. As such, this is only appropriate to make mandatory at IAL3. Below IAL3, it should be up to the agency to determine the appropriateness for their process and risk appetite".