Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Attendees

Invited Guests: Jim Fenton, David Temoshok, Scott Shorter
Non-voting participants: Andrew Hughes, Roger Quint, Ahmed Naeem
Voting participants: JJ Harkema, Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher

Staff: Colin and Ruth 

Quorum: 4 of 7. There was quorum

Agenda

  1. Administration:
    1. Roll Call
  2. Discussion: NIST Response to  Kantara Implementation Guidance Reports on 800-63-3


Discussion on NIST Response  (Key discussion items)


  • DT said that NIST appreciates the Kantara work presenting a Trust Framework based on NIST 800-63-3 (A and B criteria), a valuable service for the industry and for the Agencies.
  • RW added that IAWG expectation is a more definite response to guide us in implementing the criteria that we raised our questions about.  He would like to know how Kantara will apply the responses we received, live with the uncertainties or apply our own interpretation?
  • DT clarified that NIST can respond to inquiries from industry or gov agencies, but they cannot add text nor change normative requirements. However, they can clarify terms and text. In addition, NIST is working on implementation resources, FAQ, informative text/material that is not included in the normative text and could help on the implementation, which will be published in the coming year.
  • RW remarked that the Kantara Reports addresses issues on implementing or applying the criteria, for instance cases when it's extremely difficult to meet the criteria, so one of the goals of the Reports is to get some kind of alternative interpretation to the criteria. In relation to requirements for validating evidence, SP 800-63A 4.4.1.3., he has an observation on NIST response  "this requirement would include the comparison of pictures on state driver’s licenses to DMV records or another authoritative source".  He stressed that there are no other authoritative source for comparing a picture on the driver license, other than issuing the DMV, given the provisions of the Driver’s Privacy Protection Act, no such comparison is going to be possible. And Dep. of State doesn’t offer any such facility to match a photo on a passport. If I can’t match a driver license photo with the issuing DMV, is it sufficient to only match the text info on the driver license?.  DT answered that the photo match and biometrics match requirements is in the verification of the id evidence to the applicant in the id proofing process, whether that comparison to the validated id evidence is performed through a biometric or comparison match is required for verification and it binds the applicant to the validated id evidence.  JF added that the purpose of validation evidence  is to make sure that the evidence that was presented is genuine and that the evidence applies to the applicant, thus we use the photo for the latter and not for the former. DT clarified that "validation" is validating the genuineness of the id evidence; "verification" is  verifying the binding of that validated evidence to the applicant. 


  • No labels