2023-03-23 Minutes

Attendees:

Voting Participants: Richard Wilsher [Zygma], Andrew Hughes [Ping], Denny Prvu [RBC], Mark Hapner, Jimmy Jung [Slandala], Maria Vachino [Calvert Consulting], Mark King, Martin Smith
Other Participants: Eric Thompson [Experian], Angela Rey, Justin Hyde [LexisNexis Risk], Lisa Balzereit [USPS], Mike Horkey [NextGenID]
Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1.  Discussion: 

  2. Any Other Business

Meeting Notes 

IAWG Chair Andrew Hughes opened the meeting.

Mark King shared the Draft OECD Recommendation on the Governance of Digital Identity public consultation and asked if anyone was planning to submit. It was new to most folks. If IAWG members want to work on submitting an IAWG response, we can do that. *Timing will not allow us to do that: “sending written comments in English or French to eleaders@oecd.org until 31st March 2023.”*

Discussion:

Revision 4

Andrew passed the meeting over to Richard to continue leading the review of our comments. Those who submitted comments explained the rationale and engaged in discussion where warranted. Comments that had a similar theme or point were discussed and compiled for conciseness. As comments were accepted, they were denoted in green as ones that will be included in the final Kantara comment package. As comments came up through discussion, they were added to the list and noted as a comment# Kantara for record keeping purposes.

NIST extended the Revision 4 comment period to April 14. We will continue holding our meetings in this manner, 90 minute review sessions, through April 13. Lynzie will use the afternoon of April 13 and all day April 14 to prepare the comments and submit to NIST.

Reviewed the current list of submitted comments. Comments can be accessed here: SP800-63-4-suite-ipd-comments - IAWG 2023-04-13.xlsx

There was a lengthy discussion on whether enrollment code verification belonged in the identity verification methods section. Maria and Jimmy had separate outlooks on the use of enrollment codes. This was revisited in 5.1.6, and the group acknowledged it was not adequate. A comment was added to request that they revisit the section. There was further discussion on enrollment code times within 5.1.6 #4 and how they seemed quite arbitrary. Mike Horkey felt these are long time frames, but Maria feels they are short. Delivery should be immediate, but use should have some leniency. Mark King noted that in rural areas immediate delivery is unreasonable. The group edited the comment according to the discussion. Andrew will add a comment in 63B to address the tie-in with temporary authenticators.

Another discussion occurred around the term validated [addresses]. Maria, Eric, and Richard all had different opinions on the definition of available. A comment was added that it needs to be more explicit.

The group discussed 20 bits of entropy. It appears a six-digit number does not provide enough entropy to meet the requirement. A six-digit code will always have the same entropy - and it's not 20 bits. Alphanumeric is possible?

A final discussion covered section 5.1.8, Requirements for Use of Biometrics. Maria believes this section needs to be explicit on what NIST means. Racial background is not scientific - though skin tone is. Gender is subjective, though sex is not. We need the scientific terms for biometrics. Andrew suggested referring to the EO, though Maria disagreed. This is a scientific component, so it needs scientific criteria (skin tone, age, and sex).

The discussion will pick up next week as we continue the review of the submitted comments.

Any Other Business:

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!