[Wg-idassurance] Comments on Service Assessment Criteria

Erik Putrycz erik at apption.com
Tue Oct 13 11:07:01 EDT 2009 

Richard,

Thanks for your insights on the document, I indeed did miss some important
content from the current draft.
My greatest concern is still with the ID proofing process, AL2 is IMO too
demanding and the ID proofing process for AL3 might not be applicable in
Canada.

On Sat, Oct 10, 2009 at 1:15 AM, Richard G. WILSHER (Zygma)
<RGW at zygma.biz>wrote:

>
>  A little technical detail first:
> ALX_CO_NUI#060 and ALX_CO_NUI#080 are not used and are not described in the
> document, they can probably be removed
>
> *RGW – Actually, they ARE described, as ‘Withdrawn’, the explanation for
> which is given on p8, lines 199/200.  This is an important consideration in
> allowing for back-ward compatibility from the implementer’s perspective.
>
It did seem to me that this document has a different title and number than
the previous ones. Maybe they could be in a specific section on the
compatibility with previous standards?

>
> I would suggest using a single reference for the requirement instead of
> repeated ALx_xxx_xxx
>
> *RGW - This has been considered in the past but rejected because, as
> presently structured, a complete set of criteria can be excised in a single
> block of text, whereas using a single instance for criteria which do not
> change requires the user to know which criteria these are.
>
I guess my issue here is that [ommitted] and bold don't reflect all the
changes from one AL to another. Maybe some tables similar to the compliance
tables could reflect the detailed changes from one level to another?


>
>
>    - I have some issues with current AL2 standards:
>       - Why does Remote verification requires a Government Picture ID?
>       Wouldn't any government ID be enough for verification over Internet or
>       phone?
>
> *RGW – I think this is reflective of FIPS 201, but this is an unverified
> statement.
>
I really have an issue on this one because in Canada the most common ID
requested for secure operations (SIN number) is not a Picture ID.

thanks

Erik.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20091013/5fa83df5/attachment-0001.html

More information about the Wg-idassurance mailing list