- About this, Richard commented that David described “in-person” as the applicant and the CSP being in the same location, and that it was also suggested that there is “remote” where the applicant is in contact there in network connection to somebody on behalf of the CSP. Consequently, it was said that there is a confusion, because there is implied that there are two levels of interaction between the applicant and a human being on the part of the CSP, because now it is said “supervised”. David answered that it is not what he mentioned, the term “supervised” has very special meaning in 63A. He added that “supervised” when we refer to remote identity proofing, which would meet the requirement of in-person identity proofing, but the encounter is remote between the applicant and operator, thus supervised in this context means there is specialized equipment that allows the CSP to be able to view the entirety of the identity proofing session, to be able to check both documents and the entire session to ensure that the applicant is present, they can view the applicant through the entire session and there is no one else present. The specific control in order consider that such a remote process would be equivalent to a “in-person” session, those requirements are covered in SP 800-63A section 188.8.131.52 and are called Supervised Remote Identity Proofing.
- Jim appreciated the input on the terms since it is necessary to be as precise as it is possible. However, he argued that he has some trouble to see something as unsupervised because it kind of implies that it cannot be supervised, and it should not follow into that trap. He considered it is not anything that can be acted on anytime soon.
- Jim also mentioned that you can still have human interaction and still not meet the requirements for supervised because, the difference between “supervised” and “unsupervised” is that “supervised” you may think it is a specific piece of hardware that is conformed be the CSP in order to be proofed. The difference at IAL2 when you are doing proofing that does not involve Supervised Remote Identity Proofing is that interaction could be on the users on PC, they can use a webcam, they may have a voice session if they are interacting with a human agent. He stressed that the difference between “supervised” and “unsupervised” for him is the question of whether there is a location that has a specific purpose made piece of hardware conformed by the CSP, or whether it can be done from an office.
- David stressed that Supervised Remote requires a CSP equipment for the remote applicant.
- Roger said he understands from this perspective that, if the CSP provides the equipment, it does not matter whether if there is a human person reviewing that or not as long as the equipment belongs to the CSP. Jim answered to him that there is a whole set of requirements in order to be able to call it Supervised Identity Proofing and it is not a requirement for IAL2.
- It was asked if the Supervised Remote at IAL2 requires a physical representative of the CSP to be involved during the proofing process. Jim responded that it would not be called like that if it is an IAL2, you can use the same equipment but all of the requirements of 184.108.40.206 do not apply at IAL2, you can use the equipment if it was available and it was convenient for applicants to use that equipment but it is not a requirement at IAL2.
- Richard’s proposed table would have to be changed considering the NIST comments and clarification on it.
Item 4 Scope and Application of ‘Trusteed Referees’
- Jim thinks that Trusted Referee is an accessibility feature, it is wanted to allow somebody who has a certain disability to get Identity proofed. Given that this is Government to Citizen, we need to make identity proofing available to as many people as possible, so people are not being disqualified for their inability to complete a particular process. The Trusted Referee thing, in different situations, it could be more analogous to a personal assistant that is just helping someone to get through the process.
- David pointed out that the idea of Trusted Referee Process is optional to the CSP, it is not a normative requirement. If the option is chosen, then there are some normative requirements. It is intentionally flexible in 5.3.4, there is not overly specified how this would be provided. He continued that, in the circumstances that Richard indicated, it is someone that is known to the applicant to help facilitate the applicant through the application process. If this were an identity proofing operator or supervisor or any term for the CSP that intends to help facilitate applicants into the process it could be that type of process as well, it could be either of both or potentially both.