Invited Guests: Jim Fenton, David Temoshok (NIST), Christine Abruzzi.
Non-voting participants: Roger Quint, Pete Palmer
Voting participants: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher
Staff: Colin and Ruth
Quorum: 4 of 7. There was quorum.
a) NIST response to Kantara Implementation Guidance Reports on 800-63-3
- Ken announced that IAWF 1050 Glossary and Overview was approved by All Member Ballot and it will be published shortly.
Discussion on NIST Response - Continuation session
Key discussion items
Comments about Kantara Implementation Report Response 090319
Item 2 Impasse on KBV approval for IAL2
- David Temoshok mentioned, in relation to the use of knowledge-based verification for identity evidence at the “fair” level for one piece of evidence, that it is probably not very helpful, but this is what 63A defines as the requirement for that. He added that there is no further use of knowledge-based verification in either the identity proofing processes for IAL or the authentication processes for AAL. The reason such limitations exist is explained in 63-3 as well as in the Response note to Kantara.
- Richard Wilsher added that Roger pointed out that the problem is finding a proofing path: the problem with IAL2 is that when you come to verification, there is no fair evidence that would be used at that stage, when you have to have at least one strong.
- Mark Hapner expressed that he understood from what was said that, for IAL2, KBV is basically useless. David responded that it is necessary to define “useless”: KBV could always be used by a CSP for further proofing, but it is just not considered one of the required means of identity validation or identity verification; thus you can use KBV as an additional control.
- Martin asked, “Is the data collected for that technique, is that typically considered PII?” The answer was “certainly”. It was then said that it would represent another risk factor mitigating against using the ISPs wanting to collect that. David said that 63A in further identity proofing for self-asserted identity characteristic is not provided for.