IAWG Bi-Weekly Meeting Notes - 2010-04-14

This was not an official meeting because it did not attain a quorum. These are unofficial notes from the informal discussion that took place.

1) Roll Call

  • Ken Dagg
  • Sal Khan
  • Frank Villavicencio
  • Shin Adachi
  • Ron Mison
  • John Bradley
  • Bob Pinheiro
  • Colin Soutar
  • David Wasley
  • Joni Brennan (staff)

2) Find a volunteer to take meeting notes

Bob volunteered

3) Approve meeting notes from our last call

4) ID Proofing Work Stream

Review agreement from last week’s call regarding ID Proofing Work Stream

  • Regarding: David Wasley's reply to Shin Adachi
  • Agree that we need to have a charter and capture it
  • If we agree on scope, define how to take work forward

David Wasley:

  • What are we trying to do with IAF regarding proofing? We don't have use cases.
  • What do we expect RP to get from credential?
  • David described genesis of activity: satisfy 800-63 for online credentials for use by US govt.
  • ID proofing seemed to want to verify that name being claimed belongs to claimant; not trying to determine which person it is
  • Want to generically define credential with name and picture, but bank want to mitigate risk
  • If we want to change what the credential is, we need to come up with use cases for what is needed

Frank: we started with need to further clarify what is in IAF SAC for identity proofing.

Bob: is proofing only for US govt as RP?

Frank: current definition is too limited; for adopting IAF for IAB, need better guideline. We believe we need to further define proofing process/criteria for internationalization desire. What we're looking for is clarification of proofing requirements. Proofing for RP may be different than requirements for originating IdP.

Frank: what was previously discussed:

  • not going to define criteria or process to validate documentation
  • not going to duplicate NASPO effort
  • map NASPO to IAF procedure
  • generic definition of proofing for each LOA
  • for specific jurisdictions, we would include references to profiles
  • for example, for us, just follow existing guidelines
  • generic definitions, followed by profiles

David: by profile, compliance with IAF plus additional requirements (privacy etc.)

  • CSP could increase the number of profiles they comply with
  • Profiles: identity proofing criteria plus other requirements

Frank: in generic definition, part of the effort is to define what elements are needed for proofing....name, picture, etc?

  • Useful tool is use cases
  • Could satisfy criteria at a particular level, but not beyond that
  • No particular set of attributes to define identity; identity definition is contextual
  • Look for baseline, common denominator across jurisdictions; is going to be evolving
    • Locally defined, add annex to generic definition
    • So long as profile has component that identified id proofing, profiles shouldn't just be bound to identity alone

David: attributes...we're going down a slippery slope....what attributes need to be captured?
Frank: attributes out of scope for now
David: what is being proven by id proofing:

  • (a) increase likelihood that at least 1 person exists with claimed name, and applicant is one of those persons
  • (b) some detail to provide a starting point to investigate if something goes wrong
  • (c) have enough info so fraudulent person can't have credential issued to them
  • (d) same person appearing in the future, is it the same person? want to prevent the same credential to be issued to a different person

Out of scope: some likelihood to determine whether a person has already been issued a credential by the same CSP

Issue of renewal or re-issuance: what do you do?

  • If not yet expired, can use same credential to request re-issuance of credential with same identifier
  • If credential has expired, need to go through same proofing but with a different identifier

Frank: there is the issue of picture ID, but then have issue with antecedent data and remote identity proofing; other channels for ID proofing need to be accounted for. Use notary public to affirm identity? At LOA 3 can do remote proofing; does it need clarification? Probably yes.

The John Smith we're proofing is the same John Smith getting the credential. Not issue the same identifier to multiple people, and RP cannot assume johnsmith123 from CSP 1 is johnsmith123 from CSP 2. All must map to known level of risk; credential issued by some agency that can be trusted.

  • I-9 process?? bad example
  • bank account opening
  • id proofing must anchor with some level of assurance

There are examples of existing entities issuing credentials at LOA4

5) ID Proofing Next Steps

Provided we agree on scope and charter, we should define next steps on how to carry this work forward.

Next Steps:

  • Achieved today's goal of scoping out work stream
  • Seem to be converging on new document on profiles
  • Who will volunteer to take forward as a deliverable?

Two things:

Clarification within IAF of what the proofing documents are? What are profiles? Two deliverables?:

  1. What may be generic id proofing criteria?
  2. Then what are the annexes for specific jurisdictions
  3. How do we take this forward?

6) Status of IAF documents: final versions of the IAF documents have been submitted for final all KI member ballot.

No time for report

7) FORG

Review of updated doc from Rich Furr

8) (As time allows) IAF Process Graphic

Discussion on graphical explanation of IAF accreditation and certification process (attached image courtesy of Paul Madsen) – should we formalize a diagram like this as part of our documentation?

No time for report

9) (As time allows) Any Other Business

No time for report

Adjourn