2023-04-06 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Denny Prvu [RBC], Mark Hapner, Maria Vachino [Calvert Consulting], Martin Smith, Michael Magrath [KUMA], Jimmy Jung [Slandala]
Other Participants: Eric Thompson [Experian], Lorrayne Auld [MITRE], Adam Vergne [ID.me], Ben Piccarreta [ID.me], Jazzmine Dowtin [IDEMIA], Roger Quint, Wes Turbeville [ID.me], Tim Anderson [ID.me]
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Discussion:
Revision 4 comment review - Draft Comments, Responses to NIST Questions to be reviewed
Any Other Business
Meeting Notes
IAWG Chair Andrew Hughes opened the meeting. We will continue to defer administrative tasks until after our Rev. 4 comments are submitted.
Discussion:
Revision 4 Comment Review
The group began reviewing comments on the 63A spreadsheet not already reviewed. Commenters that are present are explaining the context of their comment. Comments that were duplicative were discussed and combined (or deleted) to make one comment. When discussions led to extended comments, a new comment was generated.
A discussion occurred around having ‘full control of a digital account’. The group agreed it’s hard to determine what that means. A request for clarity was submitted.
A number of terms were discussed due to lack of clear definitions. Validated address versus address of record; trusted referee versus applicant reference. There was a larger discussion around trusted referee/ applicant reference - ID.me shared they believe NIST is now thinking of trusted referee as an employee of the CSP while applicant reference is somebody on the applicant’s side that can help complete the process. It’s an attempt to bifurcate those two things. Lorrayne agreed there is not a good sense of WHO these are and what those responsibilities are. These are all being requested to provide better clarification and examples of the differences.
We revisited the Experian comments that were flagged last week after discussion around section 5.3.2.1. Eric suggested new language that was replaced in the suggested change and accepted by the group. This was applicable to the IAL1 and IAL2 comment.
The group discussed the feasibility of validating fair evidence. Though some feel fair evidence is rather useless, if it is required then they need to say something (validated or not).
Jimmy raised concern with the ‘collection’ of biometric evidence. Maria feels collection & retention is the only way to compare since we do not use other authoritative source. There was some disagreement on what NIST is even requiring. Jimmy’s issue is with the word ‘collected’ because that means ‘stored’. Maria & Andrew both agreed to removing the word collected. Maria believes NIST should have a requirement for AAMVA. We wouldn’t need to retain if we could do an authoritative match. There is not way to do that in the US with our current infrastructure.
We stopped here and have one final week of comment review prior to the deadline to submit.