[WG-IDAssurance] Point in Time vs. Period of Time Audit

John Bradley ve7jtb at ve7jtb.com
Wed Jan 18 14:04:43 EST 2012


That is a good point; however, we can't make it circular and allow new entrants.

Verizon couldn't issue any actual LoA 3 credentials until after they were certified. So it would need to be credentials of the sort they are proposing to be certified against.

Again new entrants probably are not going to have large numbers of issued credentials until they are useful for accessing services by being certified.

John B.

On 2012-01-18, at 3:42 PM, Stuntz, Joseph (US - Arlington) wrote:

> One other comment I would add for the group to consider is the LOA of the required minimums. Would 30 LOA 1 credentials be enough if a service wanted to be certified at LOA 1-3? The criteria could be general and say examples need to be from all LOAs that the service is looking to be certified for, or the criteria could set specific numbers for each LOA.
>  
> Thanks,
> Joe
>  
> Joseph G. Stuntz
> ERS Consultant | Technology Risk | Identity Management
> Deloitte & Touche LLP
> 1919 N. Lynn Street, Arlington, VA 22209-1742
> Tel: +1 571-882-5435
> JSTUNTZ at Deloitte.com | www.Deloitte.com
>  
>  
>  
>  
> From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Frazier-mcelveen, Myisha (US - Arlington)
> Sent: Wednesday, January 18, 2012 12:06 PM
> To: IA WG (wg-idassurance at kantarainitiative.org)
> Subject: [WG-IDAssurance] Point in Time vs. Period of Time Audit
>  
> All,
>  
> As discussed on the IAWG call today, we acknowledge that there would be IDPs who would not have been in production for an extended period of time prior to the audit (e.g. new services). As a result, we need to identify parameters within the IAF that discuss what is required for the point in time audit. Given that, we agreed to the following principles:
>  
> 1. The requirements of the Web Trust Audit are too stringent for our IAF purposes, and we would want to be more lenient.
> 2. We need to identify specific criteria / language that can be referenced for the purposes of the audit.
>  
> As a result we came to the following principles for the language:
>  
> 1. An absolute minimum of 30 credential issuances.
> 2. Ideally 5 revocations.
> 3. In the event that the IDP did not have the 5 revocations, some language that would facilitate their ability to comply with the audit but still prove the necessary requirements on the revocation side.
>  
> Given these principles, how best should we structure the language regarding this? One alternative is:
>  
> “Must have at least 30 issuances and 5 revocations or the ability for the revocations to be assessed against practices and procedures”
>  
> Please provide comments / thoughts / suggested edits, etc.
>  
> Let the dart throwing begin!
>  
>  
> Sincerely,
> Myisha
>  
> Myisha Frazier-McElveen
> Manager | Technology Risk
> Deloitte and Touche LLP
> 1919 N. Lynn Street Arlington, VA 22209
> Tel/Direct: +571 -814-6619 | Fax: +1 855-223-1611 | Mobile: +1 571-814-0911
> mfraziermcelveen at deloitte.com  | www.deloitte.com  
> 
> _______________________________________________
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-idassurance
