2024-02-15 Minutes

2024-02-01 Minutes DRAFT 

2024-02-08 Minutes DRAFT 

Kantara Updates

Kay

• KI Strategic Business Planning for the next 3 years

• Expect to be present at the usual conferences in the coming year

Assurance Updates

Lynzie

• Company interested in FAL with 63 3, reengaging with assessor

• Fair amount of new questions/people reaching out

• Discussion:

  • EU-US TTC WG-1 Digital Identity Mapping Exercise Report; feedback due 11:59PM ET, February 29, 2024

Yehoshua

No feedback offered

• Discussion:

  • Interpretation of criteria 

Richard Wilsher

• Review Yehoshua’s draft of criteria (first point regarding multi-factor authentication) - pushed to next week (2/22), per email

• Continue discussion on second criteria question (superior evidence)

  1. Validation of superior evidence needs to be confirmed by personnel and training, therefore “unsupervised” is not possible

  2. Trained personnel does not equal supervised

  3. Per NIST 63A criteria, page 30; the process is not complete until someone reviews it online.  (3rd bullet -second session to conclude the process)

  4. Does this require both trained personnel and technologies? Revert back to the previously discussed combination of strong ‘OR’ options.  In other words, you have to do both? Richard/Eric concur.  

  5. Yehoshua: Trained personnel reviewing evidence doesn’t automatically mean unsupervised proofing and remote.  It’s more of a hybrid situation.

  6. Look at Table 5-2: 

     1. Strong criteria issues - There is a significant difference between choices 1 and 2, and choice 3.

     2. Trained personnel supplementing the appropriate technologies is not necessarily better than just appropriate technologies.

     3. This was done to allow for a slightly lower bar (if you can’t fully automate, you can supplement with trained personnel)

     4. This is difficult for assessors to utilize in terms of interpreting this description of superior evidence.

        1. Richard - If it is unsupervised, it should be complete in a single session or require an enrollment code if there is a break to ensure the correct person is coming.  The text seems to suggest that a second session is needed to bind everything back to the applicant (trained personnel may be a “backroom” activity after the unsupervised portion).

     5. Eric-references a chip in a passport, this is read in an unsupervised session, but is later confirmed by genuine trained personnel (a requirement that is not adding value)

     6. There’s a difference between trained personnel reviewing evidence and an operator that is supervising.  There is potentially no benefit with trained personnel supplementing the technologies to also review the evidence.  The last conformance criteria shows this with the allowance of trained personnel and appropriate technologies (if you can’t do it programmatically, you can have a person do it).  As it is written, it requires you to do both.

     7. Richard-The original proposition was to use a superior single piece of evidence in an unsupervised processed, and 63A, Table 5-2 does not seem to permit this.  The concern is that if there is an unsupervised process with a single piece of superior evidence, how does a trained person get involved?

  7. Richard notes that CSPs often employ comparable alternatives (accepted by ARB).  Should we make the comparable alternative criteria as part of the formal body of criteria? 

     1. Yehoshua-in our best interest to figure out how to make this happen to ensure consistency and transparency

     2. Action: Richard re-present comparable alternative criteria to IAWG with clean examples.

     3. Lynzie notes it is also time for a meeting with IAWG leadership, assessors, and the ARB, and this could be discussed there.

        1. Add to ARB/IAWG leadership/Assessor meeting agenda