Invited Guests: Jim Fenton, David Temoshok (NIST), Christine Abruzzi.
Non-voting participants: Roger Quint, Pete Palmer
Voting participants: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher
Staff: Colin and Ruth
Quorum: 4 of 7. There was quorum
a) NIST response to Kantara Implementation Guidance Reports on 800-63-3
- Ken announced that IAWF 1050 Glossary and Overview was approved by All Member Ballot and it will be published shortly.
Discussion on NIST Response - Continuation session
Key discussion items
Comments about Kantara Implementation Report Response 090319
Item 2 Impasse on KBV approval for IAL2
- David Temoshok mentioned in relation to the use of knowledge-based verification for identity evidence at the “fair” level for one piece of evidence that it is probably not very helpful, but this is what 63A defines as the requirement for that. He added that there is no further use of knowledge base verification in either, the identity proofing processes for IAL or for authentication processes for AAL. The explanation provided for this, on why such limitations exist is explained in 63-3 as well as in the Response note to Kantara.
- Richard Wilsher added that Roger pointed out that the problem is finding a proofing path, the problem with IAL2 is when you come to verification, there is no fair evidence that would be used at that stage when you have to have at least one strong.
- Mark Harpner expressed that he understood from what was said that for IAL2, that KBV is basically useless. David responded that it is necessary to define “useless”, KBV could always be used by a CSP for further proofing, but it is just not considered one of the required means of identity validation or identity verification, thus you can use KBV as an additional control.
- Martin asked, “Is the data collected for that technique, is that typically considered PII?”, the answer was “certainly”, then it was said that it would represent another risk factor mitigating against using the ISPs wanting to collect that. David said that 63A in further identity proofing for self-asserted identity characteristic is not provided for.
Item 3 Consistency of terms describing proofing types
- Richard has proposed a set of terms for further clarity.
- David made comments on the concepts used in identity proofing and in particular for the presence requirement for identity proofing, presence requirement for IAL2 could be either “remote or “in-person”. The terms “remote” and “in-person” are used as dictionary-defined terms.
-Remote identity proofing, the applicant and the operator or interviewer are remote, it represents an identity proofing session where the CSP and the applicant are in separate locations, not meeting face-to-face, with communications over a network.
-In-person is a face-to-face identity session in the same location between the CSP and the applicant.
-In addition, a new term was introduced in 63A for “supervised” remote in-person identity proofing; it has explicit connotations. “Supervised remote identity proofing” means that the requirements and controls for identity proofing sessions specified in SP 800-63A section 184.108.40.206 Requirements for Supervised Remote In-Person Proofing are applied. SP 800-63A section 220.127.116.11 requires specific physical, technical and procedural controls so that supervised remote identity proofing can be considered equivalent to an in-person identity proofing session and, therefore, meet the in-person presence requirement for IAL3.
- About this, Richard commented that David described “in-person” as the applicant and the CSP being in the same location, and that it was also suggested that there is “remote” where the applicant is in contact there in network connection to somebody on behalf of the CSP. Consequently, it was said that there is a confusion, because there is implied that there are two levels of interaction between the applicant and a human being on the part of the CSP, because now it is said “supervised”. David answered that it is not what he mentioned, the term “supervised” has very special meaning in 63A. He added that “supervised” when we refer to remote identity proofing, which would meet the requirement of in-person identity proofing, but the encounter is remote between the applicant and operator, thus supervised in this context means there is specialized equipment that allows the CSP to be able to view the entirety of the identity proofing session, to be able to check both documents and the entire session to ensure that the applicant is present, they can view the applicant through the entire session and there is no one else present. The specific control in order consider that such a remote process would be equivalent to a “in-person” session, those requirements are covered in SP 800-63A section 18.104.22.168 and are called Supervised Remote Identity Proofing.
- Jim appreciated the input on the terms since it is necessary to be as precise as it is possible. However, he argued that he has some trouble to see something as unsupervised because it kind of implies that it cannot be supervised, and it should not follow into that trap. He considered it is not anything that can be acted on anytime soon.
- Jim also mentioned that you can still have human interaction and still not meet the requirements for supervised because, the difference between “supervised” and “unsupervised” is that “supervised” you may think it is a specific piece of hardware that is conformed be the CSP in order to be proofed. The difference at IAL2 when you are doing proofing that does not involve Supervised Remote Identity Proofing is that interaction could be on the users on PC, they can use a webcam, they may have a voice session if they are interacting with a human agent. He stressed that the difference between “supervised” and “unsupervised” for him is the question of whether there is a location that has a specific purpose made piece of hardware conformed by the CSP, or whether it can be done from an office.
- David stressed that Supervised Remote requires a CSP equipment for the remote applicant.
- Roger said he understands from this perspective that, if the CSP provides the equipment, it does not matter whether if there is a human person reviewing that or not as long as the equipment belongs to the CSP. Jim answered to him that there is a whole set of requirements in order to be able to call it Supervised Identity Proofing and it is not a requirement for IAL2.
- It was asked if the Supervised Remote at IAL2 requires a physical representative of the CSP to be involved during the proofing process. Jim responded that it would not be called like that if it is an IAL2, you can use the same equipment but all of the requirements of 22.214.171.124 do not apply at IAL2, you can use the equipment if it was available and it was convenient for applicants to use that equipment but it is not a requirement at IAL2.
- Richard’s proposed table would have to be changed considering the NIST comments and clarification on it.