IAF Review Comments - Close Jan 22


Updates:

  • Kantara_IAF-1000-Overview_CS_JB_clean.doc (Microsoft Word 97 Document): Comments incorporated by Colin Soutar. Edit pass by Joni Brennan. Modified Mar 15, 2010 by Former user.
  • Kantara_IAF-1000-Overview_CS_JB.doc (Microsoft Word 97 Document): Comments incorporated by Colin Soutar. Edit pass by Joni Brennan. Modified Mar 15, 2010 by Former user.
  • Kantara IAF-1000-Overview.doc (Microsoft Word 97 Document): Updated to reflect changes from review period ending Jan 22. Modified Mar 24, 2010 by Former user.
  • Disposition of Comments - Draft Recommendation Review - IAFJan22-2010.doc (Microsoft Word 97 Document): Review comments from Jan 22 2010. Modified Mar 24, 2010 by Former user.

All Documents

Item 1

We suggest that inclusion of the document hierarchy

(http://kantarainitiative.org/pipermail/wg-idassurance/2009-September/000081.html),

or derived material, along with the commentary similar to the Kantara response of 8 December 2009 to the Open Identity Framework Joint Steering Committee (OIF JSC), would greatly enhance the distribution and communication of the document set for broader adoption. In particular, the hierarchical nature of the document set is described very well in the response to OIF JSC, and the various documents comprising the primary base reference set and the secondary set, and their purpose, relative to Assessors and Providers, is discussed. We believe that a clearer explanation of the document set in a more self-consistent manner would aid in the readability and communication of the document set, and would help to define a structure similar to an ISO/IEC multi-part standard or the like (e.g., ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation). Furthermore, we believe that such an explanation of the segregation of responsibilities, as defined by the complete document set would help readers and implementers to understand the various responsibilities and accountability within the Accreditation process - for example, it is not clear that the Assurance Assessment Scheme should be part of the primary base reference document set, but instead could potentially be in the secondary document set, and/or administered outside of the IAWG.

Discussion: A description of the document set, in addition to the overview, would help; we could include the graphical representation here. This is a comment about describing the document set. It is a helpful change but not substantive. The OIF JSC content is suggested as a good starting point.

Volunteer: IAWG participant to lead the inclusion of this comment in to the Overview: Colin Soutar (CSC)

Item 2

It would be instructive to observe that some initiatives, such as TSCP (Transglobal Secure Collaboration Program - http://www.tscp.org/), apply more rigorous infrastructure requirements and rules for participants than are generally set forth, due to the business rules and needs of the participants. This would illustrate the goal of defining a full range of requirements, starting at a minimum set of infrastructure at lower levels of assurance which can be graduated to meet more stringent, higher levels of assurance to meet specific business requirements. In particular, the specific differences in identity proofing in various initiatives could be further described to discuss the relationship with Identity Assurance, and, similarly, some discussion of how the varying privacy regulations define instantiation-specific privacy profiles would help, as was recently discussed relative to the ICAM submission.

Discussion: Observe in the overview that we have started with the 4 levels, but many other factors will arise as the world gains more experience with this topic. We are starting based on NIST, and the document set will continue to evolve. Resolution of this comment belongs in the overview.

Volunteer: Dave Wasley to coordinate with Colin Soutar to incorporate this comment in to the Overview.

Item 3

We believe that additional discussion of related identity initiatives that have developed over the last couple of years would greatly help to provide context for the Kantara Initiative IAF, as well as resolve (or mitigate, at least) definition ambiguities. Some examples include:

There has been much ongoing discussion around the Levels of Assurance defined in NIST SP 800-63 - a more recent commentary on this document would enhance the IAF document set. Also, with the recent developments of the ANSI Identity Theft Prevention and Identity Management Standards Panel (www.ansi.org/idsp); the publication of ICAM Part 1; the ANSI compendium of standards a few years ago

http://publicaa.ansi.org/site/apdl/ID%20Theft%20Prevention%20and%20ID%20Management%20Standards%20Pa/IDSP%20Final%20Report%20-%20Volume%20II%20Standards%20Inventory.pdf

and the ongoing work of the ITU-T – should these initiatives be recognized as, at a minimum, orientation or reference material that readers should be familiar with? Also, the bibliography of the NSTAC Identity report references a range of discussions relating to some of the policy considerations recently raised in various Kantara fora.

Lastly, as Kantara evolves towards being both a technical specifications developer and an accreditation organization, it may be useful to review some of the implementation and documentation methodology used by the likes of the Software Engineering Institute, or under the auspices of the Common Criteria Scheme. The requirements for training, documentation, data, configuration management, reporting, audit etc., in such programs mirror those sought by Kantara to not only demonstrate system functionality, but also to provide the organizational tools to support continued success.

Discussion:

Volunteer:

Identity Assurance Framework - Overview

Item 1

There is a gap between the IAF and the SAC regards Identity Proofing. There is no policy framework to overlay SAC IdProofing such as found in the NZ EOI standard draft V2 e.g. on what constitutes 'a government issued ID'.

Discussion: We need to dig deeper on this comment and perhaps work with P3WG to move this forward.

Volunteer: None - Bring to P3WG for further discussion.

Identity Assurance Framework - Glossary

Item 1

Suggest the definition of assurance levels carry context; a statement such as "Very high confidence in the asserted identity’s validity" is not meaningful otherwise.

The definition of "attack" is too narrow.

In the definition of "attribute" suggest replacing "individual" with "entity." Similar issue for definition of "identification." Otherwise the definition is not broad enough for group identification.

Discussion: Discussion occurred around the definitions. Suggestion: introduce context for why the glossary has been developed. Argument to put the context into the Overview (work to define what is in and out of scope: while we consider XYZ to be important, XYZ is not the focus at this time).

Volunteer: Colin Soutar to take the lead in incorporating the context of the definitions into the overview. Additionally, locate a volunteer Editor to reference where we have derived our definitions from.

Item 2

Where terms are generic, effort should be made to use an existing definition, e.g. ITU Lexicon and show the provenance of such definitions.

The IAF Glossary could be reconsidered to acknowledge the definitions used elsewhere that are gaining traction as authoritative sources, in SDO's such as ISO/IEC and ITU-T. As an example, the approach used in Appendix C of the NSTAC Identity Report might be a useful format to work from - and add the Kantara-specific definitions or exceptions. This reconciliation of terms and definitions would also be of value for harmonization across the Kantara Working Groups.

Discussion: We don't feel ready to address this definition. IAWG will review this comment in the next cycle. Table for next release.

Volunteer: n/a

Identity Assurance Framework - Service Assessment Criteria

Item 1

The doc refers to four different types of identity proofing, but does not give clarity to what the types are.

  • In-person verification
  • Remote verification
  • Current relationship verification
  • Affiliation verification

Better definitions for each would be beneficial, especially for current relationship and affiliation. Those two are currently defined using their titles. It is not clear what the differences are between current relationship and affiliation. For example, is employment a relationship or an affiliation?

Discussion: We need to drill into NIST and the different country interpretations in defining ID-Proofing.

Volunteer: Actionable step to try and sync up with the P3WG group to move this discussion forward jointly. (Proofing requirements specific to a jurisdiction).


Specific Commentaries Received

Comment 1

Brett McDowell
Thu Dec 10 09:20:04 EST 2009

Per the Operating Procedures, all comments received on a Draft Recommendation during the 45-day review period are to be shared with both LC and the Work Group who published the document. These are being sent automatically to the LC list and should be forwarded to the WG each time. Below is a copy of the first such comment.

Brett McDowell


Begin forwarded message:

From: apache at kantarainitiative.org (Apache)
Date: December 9, 2009 5:59:50 PM EST
To: lc at kantarainitiative.org
Subject: KI-LC KI Document Comment Submission

Form details below.
Document: Identity Assurance Framework - Glossary
Comments:

I suggest the definition of assurance levels carry context;
a statement such as "Very high confidence in the asserted identity’s
validity" is not meaningful otherwise.

The definition of "attack" is too narrow. In the definition of "attribute" suggest replacing "individual" with "entity." Similar issue for definition of "identification." Otherwise the definition is not broad enough for group identification.


Comment 2

Joni Brennan
Thu Dec 17 23:19:25 EST 2009

Hello, This note is to notify the LC and IAWG that the 2 comments below were received via the Document Comment Submission form <http://contact.kantarainitiative.org/comment/>.

Please note that for privacy reasons we have omitted the submitters names and organizations. If you would like further information please contact the staffatkantarainitiativedotorg.

  • Selected Document: Identity Assurance Framework - Overview Comments: There is a gap between the IAF and the SAC regards Identity Proofing. There is no policy framework to overlay SAC IdProofing such as found in the NZ EOI standard draft V2 e.g. on what constitutes 'a government issued ID'
  • Selected Document: Identity Assurance Framework - Glossary Comments: Where terms are generic, effort should be made to use an existing definition, e.g. ITU Lexicon and show the provenance of such definitions.

cheers - Joni


Comment 3

Joni Brennan
Tue Jan 5 10:18:47 EST 2010

Hello, The staff has received the following comment for the consideration of the Id Assurance WG. Please note that staff strips the submitter name and PII prior to wider distribution as a measure to protect privacy. - Cheers

Comments: In response to the call for comments on the Identity Assurance Framework: Overview; Glossary; Assurance Levels; and Service Assessment Criteria documents;

These general comments also apply to the Identity Assurance Framework: Assessor Qualifications and Requirements; and Assurance Assessment Scheme documents.

We believe that the Kantara Identity Assurance Framework (IAF) is an extremely important body of work that will provide objective criteria, further to definitions in NIST SP 800-63 and other documents, which can be used to accredit Assessors and Providers of Identity/Credential Services at the appropriate Level(s) of Assurance. In light of the wide range of international activity relating to Identity and Privacy Assurance standards and government and industry initiatives that has materialized over the last couple of years; as well as the increasing focus of attention on the Kantara Initiative and its intended future interaction with Standards Development Organizations, such as ISO/IEC and ITU-T, we respectfully suggest that the following considerations would enhance the current document set that comprises the IAF.

1. We suggest that inclusion of the document hierarchy

(http://kantarainitiative.org/pipermail/wg-idassurance/2009-September/000081.html),

or derived material, along with the commentary similar to the Kantara response of 8 December 2009 to the Open Identity Framework Joint Steering Committee (OIF JSC), would greatly enhance the distribution and communication of the document set for broader adoption. In particular, the hierarchical nature of the document set is described very well in the response to OIF JSC, and the various documents comprising the primary base reference set and the secondary set, and their purpose, relative to Assessors and Providers, is discussed. We believe that a clearer explanation of the document set in a more self-consistent manner would aid in the readability and communication of the document set, and would help to define a structure similar to an ISO/IEC multi-part standard or the like (e.g., ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation). Furthermore, we believe that such an explanation of the segregation of responsibilities, as defined by the complete document set would help readers and implementers to understand the various responsibilities and accountability within the Accreditation process - for example, it is not clear that the Assurance Assessment Scheme should be part of the primary base reference document set, but instead could potentially be in the secondary document set, and/or administered outside of the IAWG.

2. It would be instructive to observe that some initiatives, such as TSCP (Transglobal Secure Collaboration Program - http://www.tscp.org/), apply more rigorous infrastructure requirements and rules for participants than are generally set forth, due to the business rules and needs of the participants. This would illustrate the goal of defining a full range of requirements, starting at a minimum set of infrastructure at lower levels of assurance which can be graduated to meet more stringent, higher levels of assurance to meet specific business requirements. In particular, the specific differences in identity proofing in various initiatives could be further described to discuss the relationship with Identity Assurance, and, similarly, some discussion of how the varying privacy regulations define instantiation-specific privacy profiles would help, as was recently discussed relative to the ICAM submission.

3. We believe that additional discussion of related identity initiatives that have developed over the last couple of years would greatly help to provide context for the Kantara Initiative IAF, as well as resolve (or mitigate, at least) definition ambiguities. Some examples include:

There has been much ongoing discussion around the Levels of Assurance defined in NIST SP 800-63 - a more recent commentary on this document would enhance the IAF document set. Also, with the recent developments of the ANSI Identity Theft Prevention and Identity Management Standards Panel (www.ansi.org/idsp); the publication of ICAM Part 1; the ANSI compendium of standards a few years ago

http://publicaa.ansi.org/sites/apdl/ID%20Theft%20Prevention%20and%20ID%20Management%20Standards%20Pa/IDSP%20Final%20Report%20-%20Volume%20II%20Standards%20Inventory.pdf

and the ongoing work of the ITU-T – should these initiatives be recognized as, at a minimum, orientation or reference material that readers should be familiar with? Also, the bibliography of the NSTAC Identity report references a range of discussions relating to some of the policy considerations recently raised in various Kantara fora. The IAF Glossary could be reconsidered to acknowledge the definitions used elsewhere that are gaining traction as authoritative sources, in SDO's such as ISO/IEC and ITU-T. As an example, the approach used in Appendix C of the NSTAC Identity Report might be a useful format to work from - and add the Kantara-specific definitions or exceptions. This reconciliation of terms and definitions would also be of value for harmonization across the Kantara Working Groups.

Lastly, as Kantara evolves towards being both a technical specifications developer and an accreditation organization, it may be useful to review some of the implementation and documentation methodology used by the likes of the Software Engineering Institute, or under the auspices of the Common Criteria Scheme. The requirements for training, documentation, data, configuration management, reporting, audit etc., in such programs mirror those sought by Kantara to not only demonstrate system functionality, but also to provide the organizational tools to support continued success.


Comment 4

Joni Brennan
Jan 14, 2010 at 11:52 AM

Please find below a comment submitted to the IAF SAC via our document comment submission form. Please note: we have stripped the personal data from the message for privacy reasons.

------ Forwarded message --------

Comments: The doc refers to four different types of identity proofing, but does not give clarity to what the types are.

  • In-person verification
  • Remote verification
  • Current relationship verification
  • Affiliation verification

Better definitions for each would be beneficial, especially for current relationship and affiliation. Those two are currently defined using their titles. It is not clear what the differences are between current relationship and affiliation. For example, is employment a relationship or an affiliation?

Document update Tasklist


IAF Document Issues