[Wg-idassurance] Comments on Service Assessment Criteria
erik at apption.com
Fri Oct 9 13:34:41 EDT 2009
I'm currently writing an assurance level guide for a crown corporation in
Canada. I'm basing my guide on the SAC guide plus some other federal
documents. This is a great document. I'd be curious to know about its
history and background (especially where the standards levels come from).
Here are some comments about the latest document (0.5)
A little technical detail first:
ALX_CO_NUI#060 and ALX_CO_NUI#080 are not used and are not described in the
document, they can probably be removed
On the form:
I spent some time building a excel spreadsheet with all the requirements -
in order to understand the delta between each AL. I found out that some
requirements are similar accross all levels, some have only a security level
inside the requirement that changes, others are the same between ALs.
I would suggest using a single reference for the requirement instead of
Maybe the same could be done for requirements that depend only on a AL
These little details would help the readability IMO.
On the content:
- CSP should be defined early and in the glossary
- I have some issues with current AL2 standards:
- Why does Remote verification requires a Government Picture ID? Wouldn't
any government ID be enough for verification over Internet or phone?
- Wouldn't one credential be enough in AL2_ID_RPV#10?
- AL2_CM_CRD#015 seems rather close to AL3 requirements. For what we
intend to do with AL2, it seems rather too strong. same for
which verifies only the address or phone number - not the identity
- I have the same issue with AL3 and remote verification with picture
- In AL4_ID_IDV#000 shouldn't face-to-face be "In person public
- I haven't figured what all the [Omitted] stand for in the document.
- Why is there AL1_CM_IDP#10 since AL1 is self asserted? same for
- ALx_CM_CRN#070 shouldn't the FIPS level be the same as the AL?
- AL3_CM_RVP#060 shouldn't this refer to AL3_CM_CPP#010 instead of
I'm still working on this document, so I might have more comments later...
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Wg-idassurance