FICAM TFS Program update comments from IAWG members - December 6 2013 meeting notes

Myisha Frasier-MacElveen (Chair), Rich Furr (Vice-Chair), Andrew Hughes (Secretary), Peter McDonald (Symantec), Nathan Faut (KPMG), Cathy (Daon), Scott Shorter (Electrosoft), Bill Braithwaite 

 

  • SS: gave overview for 1st eSoft comment 
  • PM: Submitted a question around what 'Verified' means - Verified is probably distinct from Assurance Level 
  • SS: For these Verified Attributes - is there any difference between 
  • PM: Scenario: At LOA2 and LOA3 if a person gives a fingerprint and zip code -> this uniquely identifies an individual. So is the zip code a Verified Attribute or not?
    • There's not enough clarity on how this is intended
  • SS: Identity Proofing only establishes that the identity is a real person - it does not actually say anything about the person being the person claiming the identity
    • Need to either include gradations of 'proof' so that this is not an absolute
    • Need to work out how post-registration identity changes should be used to maintain the integrity of the initial proofed identity
  • RF: CSPs do a pretty thorough process to establish that the identity information relates to the actual person - either in person or using antecedent information
    • Never 100% perfect but it is a well-understood process
  • SS: maybe the RPs would be served better by having ID Proofing process metadata -> that gives hints about provenance -> so the RP can assess risks properly
  • BB: the 'real person' establishment has been subsumed into the process of 'identity resolution'/ 'identification of an individual'
  • SS: general comments on use of more standardized requirements language e.g. 'shall', 'should', etc
  • MF: ATOS document p4 discussion - the reference to Financial Institutions exemption. The identity vetting processes depend on the type of account - so hard to deal with LOA equivalence
  • PM: Definition of verification - e.g. Name - what is needed for name variants? For some attributes variants might need to be allowable.
  • PM: Concern that if CSPs need to become full-blown attribute providers, it will require significant resources and investment
  • PM: discussed Symantec's comment re verified attribute sources
  • PM: if a CSP has to go to additional sources to verify attributes then the CSP's financial model changes

Logistics: 

  • Andrew to consolidate
  • Scott to update his comments
  • Myisha to send comments to Andrew
  • Andrew to send consolidated sheet to Joni for integration into the ARB document

AOB

 

Carry-forward Items

 
