2025 Meeting Materials

Columns: Tracker / Topic / Introduced by / Document Link

Tracker: 2025-01
Topic: Biometric Samples
Introduced by: Jimmy Jung (via email 14 Jan 2025)

63A#0680, zeroizing the biometric sample. The IAWG discussed this, but I don’t think we concluded whether we should leave in a clearly wrong but workable criteria or correct it (probably by withdrawing it as not applicable to the identity proofing process).

With regard to zeroizing the biometric sample (63A#0680), I believe the criteria is flawed by virtue of some poor wording from NIST and the fact that the criteria was actually taken from 63B and dropped into 63A. The poor wording gives us a loophole by virtue of its odd wording, which sort of makes the criteria harmless, although I believe the more rigorous approach would be to withdraw it, as we have other imported 63B criteria.

Tracker: 2025-02
Topic: OP_SAC criteria with conflicting numbers were identified
Attachment: image-20250327-150229.png (image not reproduced here)

Tracker: 2025-03
Topic: 63A# proposed new criteria to address the inclusion of ‘Comparable Alternatives’ per 63 rev.3 §5.4.

Discussion started but not concluded. These criteria were developed for and successfully used in an assessment; the ARB accepted the criteria and the service was Approved. This change would formalize the criteria and make them available to all CSPs. It would also apply a consistent basis on which Comp.Alts could be assessed, rather than their being determined by individual assessors or even proposed/argued by CSPs.


Tracker: 2025-04
Topic: Clarifying edits for 63A T5-2
Attachment: image-20250327-150447.png (image not reproduced here)

Tracker: 2025-05
Topic: 63B#0120 – FIPS 140 “verifier”

63B#0120 is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.” However, “verifiers” generally refers to an organization, typically the CSP. FIPS 140 is Security Requirements for devices, specifically cryptography. It seems most likely that the intention was to require cryptographic authenticators that meet FIPS 140. Should clarity or guidance be added to this criteria?

Tracker: 2025-06
Topic: 63B#0510 – What comes after 100

The criteria say, “The Verifier SHALL implement a rate-limiting mechanism which protects against online guessing attacks and limits consecutive failed authentication attempts on a single account to no more than 100.” In 800-63-3 this is given as, “Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.”

The literal translation of this would be that after 100 failed attempts we would turn off an account and never speak to them again. Another reading would be that we make them re-identify, or we allow them to use a different factor, as described in 63B#1810, or they can reset their password. Naturally, into this ambiguity, CSPs like to insert creative thinking, including delays of between 20 seconds and a month, progressive delays, and other forms of recovery. I would argue most of these exceed the current language and many of these vastly exceed the intention and the spirit of the criteria.

Should the criteria identify what happens after 100 or provide guidance?

Tracker: 2025-07
Topic: Validation at Strong

SP 800-63 and Kantara require that “The CSP SHALL validate identity evidence with a process that can achieve the same strength as the evidence presented. For example, if two forms of STRONG identity evidence are presented, each piece of evidence will be validated at a strength of STRONG.” (63 4.4.1.3; see also 63A#0200) This is compared with verification, which is only compared to the strongest piece of identity evidence (63 5.3.1). Validating evidence at STRONG requires having “all personal details and evidence details confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s).” AAMVA allows verification of DLs, but there is no issuing, authoritative, or even credible source that would validate a Permanent Resident Card, Native American Enhanced Tribal Card, “Enhanced ID cards,” U.S. Military ID, or Native American Tribal Photo Identification Cards. Consequently, calling them SUPERIOR or STRONG isn’t really meaningful if they cannot be validated that way.

(There are some cool implementations that can read a passport and verify digital signatures, but for PIV, CAC, PIV-I (and TWIC?) you are going to need a card reader, so that mostly leaves out unsupervised. I think validating a digital signature is a fairly strong validation, even if it does not really COMPARE information with an issuing or authoritative source? Things really seemed odd to me when we came to the conclusion that you would have to consider a US Navy CAC card a “FAIR” piece of evidence, because the DoD doesn’t validate CAC cards.)

For an unsupervised proofing, and working from NIST’s notional strength of evidence page, which TWO items can you compare with information held by an issuing or authoritative source?
