Voting Participants: Mark King, Mark Hapner, Martin Smith, Ken Dagg.
Non-voting participants: Jimmy Jung, Roger Quint, Pete Palmer
Guests: Jeff Tackes, USPS
Staff: Colin Wallis, Ruth Puente
Apologies from Eric Thompson and Richard Wilsher.
Quorum: 3 out of 5. There was quorum.
c. Minutes Approval: 2021-04-15 DRAFT Minutes
a. Draft responses to the UK questions.
b. Heads up on UK DCMS certification documents
c. NIST open discussion issues in light of SP 800-63 rev.4.
d. Heads up on RFI about mDL.
3. Any Other Business
Martin suggested an edit and the minutes were amended accordingly. 2021-04-15 Minutes were approved by motion. Moved: Mark K. Seconded: Mark Hapner. Unanimous Approval.
Response to UK DCMS questions
- Ken walked the group through the final comments available HERE
- Deadline to provide responses: April 30th.
- It was agreed that the Trust Mark should allow variations that are easily distinguishable.
- It was added that a Trust Mark is a mark of conformity according to IS17065 4.1.3 which says "The certification body shall exercise the control as specified by the certification scheme over ownership, use and display of licenses, certificates, marks of conformity, and any other mechanisms for indicating a product is certified".
- Ken will finalise the comments and Ruth will submit them to the UK DCMS team.
Heads Up: UK DCMS draft certification documents
- Deadline to comment is May 7th.
- Ruth pointed out that the UK DCMS model would allow certification of the services and auditors as well as certification schemes. However, IS17065 recommends independence between the certification body and the certification scheme development and approval.
- Mark K. stressed that two significant documents are missing and there is very little to comment on. He also shared the concern that due to the confidential nature of the documents it is difficult to provide comprehensive feedback.
- It was said that the use of terminology is inconsistent.
Review and Comment: NIST open discussion issues in light of SP 800-63 rev.4
- Ken encouraged the group to review the list of issues and comment on those here: GDoc rev.4
- It was pointed out that there are comments from other stakeholders, available here: https://github.com/usnistgov/800-63-4/issues
- Deadline to submit comments: May 15th
Heads Up: TSA RFI re mDL
- Colin commented that TSA released an RFI on mDL https://www.govinfo.gov/content/pkg/FR-2021-04-19/pdf/2021-07957.pdf; https://www.federalregister.gov/documents/2021/04/19/2021-07957/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for
- He added that TSA seeks input on mobile driver’s licenses to inform REAL ID rule making. DHS and TSA are interested in mobile driver’s licenses because, compared to physical driver’s licenses, mobile driver’s licenses could provide greater security to TSA and all federal agencies verifying an individual’s identity, stronger privacy protections to individuals, and health and safety benefits to all users by enabling touchless identity verification. The Request for Information solicits comments and input regarding technical approaches, applicable industry standards and best practices to ensure that mobile driver’s licenses can be issued and authenticated with features that ensure security, privacy and identity fraud detection.
- Comments should be submitted by June 18, 2021.
- Colin said that Secure Technology Alliance (STA) asked Kantara to consider a joint response.
- It was explained that PImDL DG wants to focus on the final report so they won't be involved in the response to the RFI.
- The group agreed that there are specific categories it can comment on but it won't lead the effort.
Supervised remote identity proofing.
- A link was shared to the NIST FAQ, which explains the difference between supervised and unsupervised remote identity proofing: https://pages.nist.gov/800-63-FAQ/#q-a2
- Jimmy added that "formal 63A supervised definition identifies 7 criteria. For us it is 63A#0520-0580 and comes down to: The Applicant can't leave. The registrar can't leave, needs to see everything and needs to be trained. If you use any scanners or sensors, they must be integrated into a terminal owned by the CSP with physical tamper detection and resistance. It needs to happen over a mutually authenticated protected channel. Asking around with folks that work closer to NIST, it seems apparent that they imagined a kiosk; but I'm not sure that the requirements demand that. It's sketchy, but it seems like a laptop with a good integrated camera might work - with tamper being the biggest issue; and how does the applicant log in if they don't have credentials (dedicated "hardened" laptop that gets sent back and forth seems kind of bonkers)."
- Mark H. asked who is using kiosks. The answer given was: the Australian Government, the British Postal Office, and the Ontario Government (driver license and health card).