FICAM TFS Program update comments from IAWG members - December 6 2013 meeting notes
Myisha Frasier-MacElveen (Chair), Rich Furr (Vice-Chair), Andrew Hughes (Secretary), Peter McDonald (Symantec), Nathan Faut (KPMG), Cathy (Daon), Scott Shorter (Electrosoft), Bill Braithwaite
- SS: gave overview for 1st eSoft comment
- PM: Submitted a question around what 'Verified' means - Verified is probably distinct from Assurance Level
- SS: For these Verified Attributes - is there any difference between
- PM: Scenario: At LOA2 and LOA3 if a person gives a fingerprint and zip code -> this uniquely identifies an individual. So is the zip code a Verified Attribute or not?
- There's not enough clarity on how this is intended
- SS: Identity Proofing only establishes that the identity is a real person - it does not actually say anything about the person being the person claiming the identity
- Need to either include gradations of 'proof' so that this is not an absolute
- Need to work out how post-registration identity changes should be used to maintain the integrity of the initial proofed identity
- RF: CSPs do a pretty thorough process to establish that the identity information relates to the actual person - either by in person or using antecedent information
- Never 100% perfect but it is well-understood process
- SS: maybe the RPs would be served better by having ID Proofing process metadata -> that gives hints about provenance -> so the RP can assess risks properly
- BB: the 'real person' establishment has been subsumed into the process of 'identity resolution'/ 'identification of an individual'
- SS: general comments on use of more standardized requirements language e.g. 'shall', 'should', etc
- MF: ATOS document p4 discussion - the reference to Financial Institutions exemption. The identity vetting processes depends on the type of account - so hard to deal with LOA equivalence
- PM: Definition of verification - e.g. Name - what is needed for name variants? For some attributes variants might need to be allowable.
- PM: Concern that if CSPs need to become full-blown attribute providers will require significant resources and investment
- PM: discussed Symantec's comment re verified attribute sources
- PM: if a CSP has to go to additional sources to verify attributes then the CSP's financial model changes
- Andrew to consolidate
- Scott to update his comments
- Myisha to send comments to Andrew
- Andrew to send consolidated sheet to Joni for integration into the ARB document