2022-12-20 Meeting Notes

\uD83D\uDDD3 Date

Dec 20, 2022

\uD83D\uDC65 Participants

Voting Participants

Name	Attending
Noreen Whysel	Y
Bev Corwin	Y
Salvatore D'Agostino	N
Thomas Sullivan	Y
Catherine Schulten	N
Jim StClair	N
Jim Kragh	Y
Simone Alcorn (Unlicensed)	Y

Quorum: Yes

Non-Voting Participants

Name	Attending
Tom Jones	Y

Jeff Brennan and Simone Alcorn also present: Need to verify member status.

Mike McGrath will join the next call. He is a new board member.

Goals

Community Bank Model heads-up
Upcoming NIST meetings
Discuss new draft 80-63-4 ABC

\uD83D\uDDE3 Discussion topics

Meeting convened at 1:08pmEDT

Time	Item	Presenter	Notes
70min	Community Bank Model	Jim Kragh	Agenda: From Jim’s Email: Will have a few comments regarding the Community Bank Model that was discussed at our last meeting (a community based network infrastructure model) that CMS supports and which incorporates HL7 FHIR and surely will embrace the Digital Identity Guidelines (Draft 800-63-4) in 2023. I would like to set the stage and develop an outline for our January and February meeting so our WG can respond to NIST’s call for comments due March 24, 2023. Recommends everyone Review HL7 documentation for data Community Bank on 4 year trial - to discuss next time
	Upcoming NIST Meetings		Upcoming meetings: NIST meeting on Jan 12 to introduce the new version 800.63.4 Jan 24 is with NIST, CARIN alliance and Kantara Then will have a closed 1:1 session with Kantara
	Discuss new draft 80-63-4 ABC		Discuss new draft 80-63-4 ABC New noted in exec summary: SDOH, vulnerable population Tom: would be nice to have a 3rd party summary Jim: look at end of section 5 Tom J: does it mention smartphones? Jim is. Even without facial recognition. Bev: can we do collaborative research and community banking ethics? Jon: connected community network, banking is part of it to help normalize community around helping the underserved. Tom J: we should focus on where NIST asked for help. Pick one or two things. Suggested unattended, remote. Need to define underserved Persona (persona). The how can that person be helped. (may be unsolvable if IAl2 is required). May need biometric presence. Web authentication lets person carry a private key (smartphone or digital fob). Tom A agrees TomS: IMEI (A?) device identifier of phone has to be registered, proofed and authenticated to make a transaction. Bev: IMEI architecture is flawed, would submit that as a concern. Jeff agrees. TomS: helpful to have at least one biometric. Bev: would be hard to enforce. TomS: that’s why it needs to be more than one, not necessarily required. Bev has experience with biometrics for IRC and has had noted issues with vulnerable parties. Just be a choice by identified party which to use. TomJ: It’s not a choice by IAl2. Need to prove you have “secrets” and that you are who you are. TomS: Is phone number enough for evidence of live person? Common in banking to use phone 2FA (Tom: those are known to be weak). Mobile carriers have their own agenda and their own identity software, may be uncooperative. TomS: if feds involved they will fall in line. Tom J: like they did with JimK: we will invite telcos to get involved but won’t exactly left them to be. Jim: without IAl2 (biometric facial) we may need two other identifiers. TomS: Mike mgcgrath may be helpful since he has experience.
	Resources

Adjourned at 2:00pmEDT

✅ Action items

All: Review the NIST 800.63.4 draft and pick one or two items to address from 800.63.4 beginning from line 170
All: Review HL7 for Community Bank Discussion.
Dr Tom: to connect with Mike McGrath