Group reminder: February 22, EU-US TTC WG-1 (Working Group 1) Webinar: Unpacking the Digital Identity Mapping Results (registration details coming soon - please check back).
Discussion:
EU-US TTC WG-1 Digital Identity Mapping Exercise Report; feedback due 11:59PM ET, February 29, 2024
Review Yehoshua’s draft of criteria (first point regarding multi-factor authentication) - pushed to next week (2/22), per email
Continue discussion on second criteria question (superior evidence)
Validation of superior evidence needs to be confirmed by personnel and training, therefore “unsupervised” is not possible
Trained personnel does not equal supervised
Per NIST 63A criteria, page 30; the process is not complete until someone reviews it online. (3rd bullet - second session to conclude the process)
Does this require both trained personnel and technologies? Revert back to the previously discussed combination of strong ‘OR’ options. In other words, you have to do both? Richard/Eric concur.
Yehoshua: Trained personnel reviewing evidence doesn’t automatically mean unsupervised proofing and remote. It’s more of a hybrid situation.
Strong criteria issues - There is a significant difference between choices 1 and 2, and choice 3.
Trained personnel supplementing the appropriate technologies is not necessarily better than just appropriate technologies.
This was done to allow for a slightly lower bar (if you can’t fully automate, you can supplement with trained personnel)
This is difficult for assessors to utilize in terms of interpreting this description of superior evidence.
Richard - If it is unsupervised, it should be complete in a single session or require an enrollment code if there is a break to ensure the correct person is coming. The text seems to suggest that a second session is needed to bind everything back to the applicant (trained personnel may be a “backroom” activity after the unsupervised portion).
Eric - references a chip in a passport; this is read in an unsupervised session, but is later confirmed by genuine trained personnel (a requirement that is not adding value)
There’s a difference between trained personnel reviewing evidence and an operator that is supervising. There is potentially no benefit with trained personnel supplementing the technologies to also review the evidence. The last conformance criteria shows this with the allowance of trained personnel and appropriate technologies (if you can’t do it programmatically, you can have a person do it). As it is written, it requires you to do both.
Richard - The original proposition was to use a superior single piece of evidence in an unsupervised process, and 63A, Table 5-2 does not seem to permit this. The concern is that if there is an unsupervised process with a single piece of superior evidence, how does a trained person get involved?
Richard notes that CSPs often employ comparable alternatives (accepted by ARB). Should we make the comparable alternative criteria as part of the formal body of criteria?
Yehoshua - in our best interest to figure out how to make this happen to ensure consistency and transparency
Action: Richard re-present comparable alternative criteria to IAWG with clean examples.
Lynzie notes it is also time for a meeting with IAWG leadership, assessors, and the ARB, and this could be discussed there.
Add to ARB/IAWG leadership/Assessor meeting agenda
✅ Open Action items
Richard: re-present comparable alternative criteria to IAWG with clean examples.
Andrew: Andrew will prepare a cover letter thanking them for the opportunity to provide feedback, and ship that off prior to deadline. Will share the letter with IAWG after.