[KI-LC] IdAssurance WG Document Comments

Joni Brennan joni at ieee-isto.org
Tue Jan 5 10:18:47 EST 2010


Hello,

The staff has received the following comment for the consideration of the Id
Assurance WG.  Please note that staff strips the submitter name and PII
prior to wider distribution as a measure to protect privacy. - Cheers

---------------------------------------

Comments: In response to the call for comments on the Identity Assurance
Framework: Overview; Glossary; Assurance Levels; and Service Assessment
Criteria documents; CSC would like to offer the following comments.

These general comments also apply to the Identity Assurance Framework:
Assessor Qualifications and Requirements; and Assurance Assessment Scheme
documents.

We believe that the Kantara Identity Assurance Framework (IAF) is an
extremely important body of work that will provide objective criteria,
further to definitions in NIST SP 800-63 and other documents, which can be
used to accredit Assessors and Providers of Identity/Credential Services at
the appropriate Level(s) of Assurance.   In light of the wide range of
international activity relating to Identity and Privacy Assurance standards
and government and industry initiatives that has materialized over the last
couple of years; as well as the increasing focus of attention on the Kantara
Initiative and its intended future interaction with Standards Development
Organizations, such as ISO/IEC and ITU-T, we respectfully suggest that the
following considerations would enhance the current document set that
comprises the IAF.

1. We suggest that inclusion of the document hierarchy (
http://kantarainitiative.org/pipermail/wg-idassurance/2009-September/000081.html),
or derived material, along with the commentary similar to the Kantara
response of 8 December 2009 to the Open Identity Framework Joint Steering
Committee (OIF JSC), would greatly enhance the distribution and
communication of the document set for broader adoption.   In particular, the
hierarchical nature of the document set is described very well in the
response to OIF JSC, and the various documents comprising the primary base
reference set and the secondary set, and their purpose, relative to
Assessors and Providers, is discussed.   We believe that a clearer
explanation of the document set in a more self-consistent manner would aid
in the readability and communication of the document set, and would help to
define a structure similar to an ISO/IEC multi-part standard or the like
(e.g., ISO/IEC 15408, Common Criteria for Information Technology Security
Evaluation).   Furthermore, we believe that such an explanation
of the segregation of responsibilities, as defined by the complete document
set would help readers and implementers to understand the various
responsibilities and accountability within the Accreditation process - for
example, it is not clear that the Assurance Assessment Scheme should be part
of the primary base reference document set, but instead could potentially be
in the secondary document set, and/or administered outside of the IAWG.

2. It would be instructive to observe that some initiatives, such as TSCP
(Transglobal Secure Collaboration Program - http://www.tscp.org/), apply
more rigorous infrastructure requirements and rules for participants than
are generally set forth, due to the business rules and needs of the
participants.  This would illustrate the goal of defining a full range of
requirements, starting at  a minimum set of infrastructure at lower levels
of assurance which can be graduated to meet more stringent, higher levels of
assurance to meet specific business requirements.   In particular, the
specific differences in identity proofing in various initiatives could be
further described to discuss the relationship with Identity Assurance, and,
similarly, some discussion of how the varying privacy regulations define
instantiation-specific privacy profiles would help, as was recently
discussed relative to the ICAM submission.

3. We believe that additional discussion of related identity initiatives
that have developed over the last couple of years would greatly help to
provide context for the Kantara Initiative IAF, as well as resolve (or
mitigate, at least) definition ambiguities.   Some examples include:

There has been much ongoing discussion around the Levels of Assurance
defined in NIST SP 800-63 - a more recent commentary on this document would
enhance the IAF document set.   Also, with the recent developments of the
ANSI Identity Theft Prevention and Identity Management Standards Panel (
www.ansi.org/idsp); the publication of ICAM Part 1; the ANSI compendium of
standards a few years ago (
http://publicaa.ansi.org/sites/apdl/ID%20Theft%20Prevention%20and%20ID%20Management%20Standards%20Pa/IDSP%20Final%20Report%20-%20Volume%20II%20Standards%20Inventory.pdf),
and the ongoing work of the ITU-T -- should these initiatives be recognized
as, at a minimum, orientation or reference material that readers should be
familiar with?    Also, the bibliography of the NSTAC Identity report
references a range of discussions relating to some of the policy
considerations recently raised in various Kantara fora.     The IAF Glossary
could be reconsidered to acknowledge the definitions used elsewhere
that are gaining traction as authoritative sources, in SDO's such as
ISO/IEC and ITU-T.    As an example, the approach used in Appendix C of the
NSTAC Identity Report might be a useful format to work from - and add the
Kantara-specific definitions or exceptions.   This reconciliation of terms
and definitions would also be of value for harmonization across the Kantara
Working Groups.

Lastly, as Kantara evolves towards being both a technical specifications
developer and an accreditation organization, it may be useful to review some
of the implementation and documentation methodology used by the likes of the
Software Engineering Institute, or under the auspices of the Common Criteria
Scheme.   The requirements for training, documentation, data, configuration
management, reporting, audit etc., in such programs mirror those sought by
Kantara to not only demonstrate system functionality, but also to provide
the organizational tools to support continued success.

_______________________________________________

-- 
Joni Brennan
IEEE-ISTO
Kantara Initiative
Director of Technology Programs
voice:+1 732-226-4223
email: joni @ ieee-isto.org
gtalk: jonibrennan

Join the conversation on the community@ list -
http://kantarainitiative.org/mailman/listinfo/community