Digital Identity Guidelines: Public Comment Period

January 30 - March 31, 2017

NIST DRAFT of SP 800-63-3 https://pages.nist.gov/800-63-3/

 

IAWG started to discuss the latest NIST release of 800-63 on February 9, 2017.

Deadline is March 31, but NIST would of course prefer comments sooner than that.  IAWG is coordinating the creation of the comments, with ARB invited to participate as they see fit.

Has anyone not had a chance to review the document?

Andrew asks what the IAWG comment process should be. Ken responds that discussion in the next four weeks would be best, so that we can get comments in at least a week before March 31. Switching back to weekly meetings to accomplish that.

What level of comments should we be addressing - typos addressed by the organization? RGW suggests that we don't want to spend our time on typos or grammar. Ken agrees, we need meaty comments: comments regarding the cost and impact of the changes to the CSPs.

Ken asked when the CSPs would be expected to comply. FICAM had no response; Paul Grassi indicated that agencies should comply with NIST publications within 12 months. In order to meet a 12-month timeframe, Kantara would need to update the framework within 7 months.

Kolin Whitley - ID proofing strategies were put in place as part of multiyear contracts; how might that impact the component, given that the new guidelines are significantly different?

Russ mentions that requirements for authoritative data sources, chasing identity documents to their source. The federal and state governments have failed to provide a verification service.  TFS work on standard operating procedures, the implication was that there were changes underway to make things easier for agencies to understand.  It's more unrealistic if agencies must grapple with new standard procedures from TFS at the same time that 800-63-3 hits.

Andrew points out that if we model the criteria to 800-63, does it improve our ability to use the Kantara criteria with other international schemes? Will we need to do a level of abstraction so that we can conform with the Canadian model and 800-63?

One problem with 800-63 has been lack of flexibility in the face of considerable CSP innovation in how services are provided; we shouldn't try to stand in the way.

A comment we will want to work on, based on discussion with Kolin Whitley: the simplification of the levels from 4 to 3 may have made it more difficult to obtain the levels. It removes the lower-cost category and increases the cost to comply.

The different numbers of levels in different countries may result in interoperability issues between the jurisdictions.

IAWG Meeting Minutes 2017-02-09

 

Overview of Experian position on NIST 800-63-3.pdf
