IAWG Ad Hoc Meeting Notes 2015-09-24

Kantara Initiative Identity Assurance Ad Hoc Teleconference

Date and Time

 

Attendees

  • Scott Shorter, Electrosoft
  •  Paul Caskey, InCommon
  •  Lee Aber, ID.me

Kantara Staff

  • Joni Brennan
  • Ruth Puente

 

This call is to gather some verbal discussion, CSPs are all planning to provide input.

Scott's plan is to convert Chi's comments to a matrix now that we've come to consensus on what the proposed requirements mean.

We discussed the possibility of discussing new approaches to identity proofing and other credential related processes at the IAWG.  Need to recommend that the rules include room for innovation.

Scott will write up the suggestion that OMB M-04-04 be revisited, with reference to the bullet about periodically reassessing systems. Possibility to pull in IETF VOT approach.

Paul Caskey has reviewed the emails on the IAWG thread - he's here to learn more about the impact on InCommon.  Need for remote identity proofing for distance education. DOE wants the requirement that the same person who took a test who is the same person who enrolled who is the same person who got the degree.

Joni suggests we need to identify are barriers to implementing the verification process - no open data source for verifying identity documents.

Let's be sure and comment on measuring the different quality of data sources that are available.

Need to stress the ability to innovate in what information is provided.

Need to mention that a limited population will have access to financial accounts to support identity proofing transactions.

Joni mentions a push and pull of the government's priority for not letting in false identities / false positives. That has to be balanced and maybe we can gather data on would the measures in place prevent the delivery of service.  Highlight the goal of flexibility in relying parties to have a threshold acceptance of false positive versus false negatives.

Scott mentioned the bullet regarding frequency of identity proofing, gives the RP some control over how identity proofing takes place.

Paul is concerned about address of record - students have multiple addresses, utility accounts and postal address will change.  

Scott suggests we document the different ways address can be used to mitigate risk.  Joni agrees we should highlight this.

Additional use of address of record can be geolocation verification of applicant's identity, or verification of their jurisdiction as an e-citizen, or for knowledge of their location to send notifications and credentials.

Joni suggests talking with Bjorn from Europoint.  There's a Swedish government data source for CSPs to use.

Could we pull in what happens in the UK.

Scott will reach out to learn more about driver's license regulation and the laws in Canada.

We discussed the technical capabilities for driver's licence agencies to access passport verification services, and compared this with passport scanners of two kinds. One kind reads the name to look up a reservation, whereas the kind used when crossing the US border includes photo capture of the user of the kiosk.

Lee mentioned the Driver's Privacy Protection Act (http://www.accessreports.com/statutes/DPPA1.htm) which limits what information departments of motor vehicles can share.  Neither passport nor driver's license verification is possible at this time.

http://www.accessreports.com/statutes/DPPA1.htm