[Wg-idassurance] Comments on Service Assessment Criteria

Erik Putrycz erik at apption.com
Fri Oct 9 13:34:41 EDT 2009


I'm currently writing an assurance level guide for a crown corporation in
Canada. I'm basing my guide on the SAC guide plus some other federal
documents. This is a great document. I'd be curious to know about its
history and background (especially where the standards levels come from).

Here are some comments about the latest document (0.5)

A little technical detail first:
ALX_CO_NUI#060 and ALX_CO_NUI#080 are not used and are not described in the
document; they can probably be removed.

On the form:
I spent some time building an Excel spreadsheet with all the requirements -
in order to understand the delta between each AL. I found out that some
requirements are similar across all levels, some have only a security level
inside the requirement that changes, others are the same between ALs.
I would suggest using a single reference for the requirement instead of
repeated ALx_xxx_xxx
Maybe the same could be done for requirements that depend only on an AL
number?
These little details would help the readability IMO.

On the content:

   - CSP should be defined early and in the glossary
   - I have some issues with current AL2 standards:
      - Why does Remote verification require a Government Picture ID? Wouldn't
      any government ID be enough for verification over Internet or phone?
      - Wouldn't one credential be enough in AL2_ID_RPV#10?
      - AL2_CM_CRD#015 seems rather close to AL3 requirements. For what we
      intend to do with AL2, it seems rather too strong. Same for
      AL2_CM_CRD#016 which verifies only the address or phone number - not
      the identity
      - I have the same issue with AL3 and remote verification with picture ID
   - In AL4_ID_IDV#000 shouldn't face-to-face be "In person public
   verification instead"?
   - I haven't figured what all the [Omitted] stand for in the document.
   - Why is there AL1_CM_IDP#10 since AL1 is self asserted? Same for
   AL1_CM_CRN#10
   - ALx_CM_CRN#070 shouldn't the FIPS level be the same as the AL?
   - AL3_CM_RVP#060 shouldn't this refer to AL3_CM_CPP#010 instead of
   AL2_CM_CPP#010?

I'm still working on this document, so I might have more comments later...

Thanks

Erik.