[KI-LC] Kantara Support For A National Identity Verification Standard??

Bob Pinheiro kantara at bobpinheiro.com
Fri Jun 25 13:05:19 EDT 2010


All very good questions, and I can think of others as well.

However, with the first ID-V meeting coming up July 12-13 in Kansas 
City, I don't think we can wait for answers before the Kantara Trustees 
decides whether it can spend $3K to support this effort.

Joni, would there be any way to put this before the BoT in an email 
request, and ask for their decision by the end of next week (July 2)?  
If the BoT decides to support the effort, that would give someone who 
agrees to represent Kantara enough notice to make travel arrangements to 
attend the meeting.  [Who would that person be?  I'm assuming that any 
such person would be a "volunteer" and would attend the meeting at the 
expense of their own organizations.  I'm willing to attend and represent 
Kantara, provided Kantara or someone else pays my travel expenses.]

The request wouldn't have to come from the LC (since no vote has been 
taken).  Could I make the request as an individual LC member?

The next regular meeting of the BoT is July 8.  I think that would be 
too late to initiate a discussion, take a vote, and have enough time to 
find a Kantara representative to attend the meeting.

An alternative, if the above doesn't work, is to ask if anyone receiving 
this email is already planning to attend the ID-V meeting on behalf of 
their own organization.  If so, perhaps that person could agree to make 
a report back to the LC/BoT following the meeting, to provide further 
input to help the LC/BoT make a decision.  I believe Abbie said he might 
be attending.......

Bob


On 6/25/2010 7:30 AM, Rich Furr wrote:
>
> A list of questions I have submitted to the Health ID Assurance 
> Working Group chair for the NASPO team:
>
> 1. Since this work would seem to affect all the organizations at many 
> levels of government (as noted in the IDSP Report some 6400 
> jurisdictions issuing over 14,000 different variations of birth 
> certificates alone), what efforts are being taken to include these 
> agencies in the development effort. It is highly problematic, given 
> the lack of uptake by just the States of RealID, to consider that many 
> of these agencies will adhere to any eventual standard if they do not 
> actively participate. How does the development team propose to get 
> around the issue of uptake and acceptance?
>
> 2. According to the IDSP report, the National Association for Public 
> Health Statistics and Information Systems is developing security 
> guidelines for the development and issuance of birth certificates 
> (among others). Is NAPHSI S included or participating in this effort?
>
> 3. What is the status of the proposed rule making in support of the 
> Intelligence Reform and Terrorism Prevention Act? What steps will be 
> taken to ensure the results of this work do not diverge from any 
> results of such a rule?
>
> 4. Is this team working with NAPHSIS to converge this effort with that 
> of the Electronic Verification of Vital Events system?
>
> 5. Given the failure of RealID, which was cited as "too prescriptive" 
> by the National Governors Association and other organizations and the 
> strong objections of the civil liberties community, how would NASPO 
> and ANSI suggest the results of this effort overcome any such issues. 
> Also, if acceptance of the results are purely voluntary, what steps 
> might be taken to enhance uptake since even Federal Law in this area 
> has largely been ignored by other non-Federal agencies?
>
> 6. Are any Federal or State agencies participating or providing funding?
>
> 7. According to Section 3.4 of the IDSP Report:
>
> A core project team was formed to take the work forward under the 
> leadership of the
>
> North American Security Products Organization (NASPO), an ANSI accredited
>
> standards developing organization,16 and it has proceeded under NASPO 
> leadership
>
> since February 2009. The core project team includes representatives of 
> AAMVA, the
>
> Coalition for a Secure Drive, the Colorado Division of Motor Vehicles, 
> DHS,
>
> the General Services Administration, NAPHSIS, and the National 
> Institute of Standards
>
> and Technology, among others.
>
> Are these agencies/organizations still participating? If not, why not?
>
> Rich Furr
>
> Head Global Regulatory Affairs and Compliance
>
> *New Office: 980-236-7576*
>
> Cell: 201-220-0160
>
> *From:* lc-bounces at kantarainitiative.org 
> [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of *Colin Wallis
> *Sent:* Thursday, June 24, 2010 10:27 PM
> *To:* Kantara Leadership Council Kantara; Staff list
> *Subject:* Re: [KI-LC] Kantara Support For A National Identity 
> Verification Standard??
>
> Ah yes I remember these IDSP docs now.
>
> What they may end up with is something that resembles parts of NZ 
> Gov's 
> <http://www.dia.govt.nz/diawebsite.nsf/wpg_url/resource-material-evidence-of-identity-standard-index> 
> or BC Canada's 
> <http://www.cio.gov.bc.ca/local/cio/standards/documents/standards/evidence_of_identity_standard.pdf> 
> (borrowed from/newer/better than ours) Evidence of Identity Standards.
>
> You add to this, a document recognition handbook (along with training 
> of course) for agency front counter staff to detect fake or 
> tampered-with breeder docs and you begin to have something resembling 
> a consistent approach/process/system of identity proofing.
>
> Cheers
>
> Colin
>
> *From:* John Bradley [mailto:jbradley at mac.com]
> *Sent:* Friday, 25 June 2010 1:43 p.m.
> *To:* Joni Brennan
> *Cc:* Colin Wallis; Kantara Leadership Council Kantara; Staff list
> *Subject:* Re: [KI-LC] Kantara Support For A National Identity 
> Verification Standard??
>
> Looking at their call for participation they restrict the $1,000 level 
> to only non-profit  Organizations not representing ANY industry.
>
> I suspect they will consider Kantara a trade organization.
>
> This seems to be a very US specific peace of work to secure Birth 
> certificates, Drivers Licences and Social Security Cards.
>
> This link provides some background on ANSI's findings.
>
> http://webstore.ansi.org/identitytheft/
>
> This looks to be a larger project than RealID involving multiple 
> levels of Government.
>
> I would want to better understand how the GSA, HHS and other 
> government organizations who would be required to implement this are 
> participating, and if it stands any chance of getting further the RealID.
>
> They do have a point that in large measure the breeder documents DL, 
> SSN, and Birth Certificate we recommend in the IAF are relatively easy 
> to acquire fraudulently.    That's why other countries have NationalID 
> issued at birth.
>
> I am cautious, this could be a lot of work that may not get taken up 
> for political reasons.
>
> I do think it would be a good idea to have appropriate guidance on 
> breeder  documents per jurisdiction for people participating in the IAF.
>
> John B.
>
> On 2010-06-24, at 6:29 PM, Joni Brennan wrote:
>
> Kantara Initiative has 501 c6 Tax Status as a Program of the 
> IEEE-ISTO.  As such we are a non-profit organization and the exact 
> category is classified as 'Business League'.  We of course have the 
> documents to prove the above and have done so for various other 
> activities.  Given that Kantara Initiative would fall in to the 1k 
> cost to participate.  So at least there's some clarity for you there.
>
> On Thu, Jun 24, 2010 at 3:20 PM, Colin Wallis 
> <Colin.Wallis at dia.govt.nz <mailto:Colin.Wallis at dia.govt.nz>> wrote:
>
> Thanks Bob
>
> Some comments inline after further thought following the LC call.
>
> Cheers
>
> Colin
>
> *From:* Bob Pinheiro [mailto:kantara at bobpinheiro.com 
> <mailto:kantara at bobpinheiro.com>]
> *Sent:* Tuesday, 22 June 2010 3:54 p.m.
> *To:* Colin Wallis
> *Cc:* Kantara Leadership Council Kantara; Kantara Staff list
> *Subject:* Re: [KI-LC] Kantara Support For A National Identity 
> Verification Standard??
>
> Colin,
>
> If I'm not mistaken, OMB0404 only addresses the four assurance levels; 
> it's NIST 800-63 that specifies criteria for identity proofing at the 
> various assurance levels.  But that document was strictly intended 
> only for US government relying parties.  There has been discussion in 
> IAWG about how to do identity proofing when different jurisdictions 
> are involved, so I guess there really is no standard.
>
> <<CW: Well, I think you characterize OMB0404 a little too simply, 
> since the approach to risk is the fundamental basis that drives the 
> subsequent identity proofing and credential issuance/usage processes, 
> but no matter. And while you are technically correct regards NIST, I 
> would contend that is has become a de facto standard, since so many 
> other jurisdictions have copied it or have profiled it.  I am really 
> pleased IAWG has had the discussion about Id proofing when different 
> jurisdictions are involved because they are absolutely right. No pan 
> jurisdiction federation can take place until there is sufficient trust 
> amongst governments that their respective identity proofing processes 
> are up to scratch. So while the eGov WG has the eGov Profile for SAML 
> sufficiently constrained to see pan jurisdiction federation possible 
> at the interop level */technically/*, it may languish for some years 
> waiting for the ID proofing process side to catch up, because id 
> proofing becomes the weakest link in the chain.>>
>
>
> I understand that the goal is to develop an ANSI standard for identity 
> verification, but there may also be much international interest as 
> well.  Whether that would translate into a further effort to develop 
> some sort of international standard, I can't say.
>
> <<CW: It certainly is a worthy goal, but international 
> adoption/interest may be better achieved by using an international 
> forum in which to develop it.  And let's not kid ourselves. It will be 
> darn difficult because different jurisdictions have different 
> breeder/authoritative documents. But with sufficient mapping, it may 
> be possible.  So if ANSI is going to start with the US situation and 
> US breeder docs but later move to an international stage, it needs to 
> structure the standard such that it is flexible to include a different 
> set of breeder docs from a different jurisdiction>>.
>
>
> An organization can be a Sponsor at a cost of $25K per year (with no 
> obligation to actually participate in the development of any 
> standard), or can be a participating member expected to contribute to 
> the work effort.  For that level of commitment, I don't know if NASPO 
> would consider KI to be a non-profit at $1000 per year, or a trade 
> association at $3000 per year.
>
> <<CW: Not my call but KI's 501C 6 status should help>>
>
>
> One of the motivations for this effort is the US government's (newly 
> renamed) National Strategy for Trusted Identities in Cyberspace.  It's 
> hard to see how you can have a "trusted identity" online without some 
> standardized way to verify someone's identity in the first place.  On 
> the other hand, I can see where someone's "identity" may mean 
> different things to different types of relying parties, which may also 
> imply different trust frameworks for different "trust communities."
>
> <<CW: All true, and I agree with everything you say here>>.
> Bob
>
> <<CW: So KI is left in an interesting position.  In an ideal world, it 
> would be better to bring the work to KI, or OASIS or ISO..where it is 
> (more) politically neutral (you recall that this is what we said in 
> our comments to the White House in the NSTIC).  So to support this 
> effort in NASPO, we are actually *not supporting our stated position*. 
> On the other hand, it may be perceived as churlish not to support the 
> effort in NASPO, especially if we think the effort will succeed, and 
> the outputs from this standard find their way into the IAF in future 
> in some way shape or form.  In which case we are cutting off our nose 
> despite our face by not supporting it.  Decisions decisions....>>
>
> Cheers
>
> Colin
>
>
> On 6/21/2010 6:23 PM, Colin Wallis wrote:
>
> Thanks Bob
>
> A couple of thoughts to start us off with..
>
> 1) Is there really no standard in the US for this?  For the NZ 
> government's Evidence of Identity standard, we relied heavily on the 
> US Gov's OMB M 04 04. I guess one could say that's not a standard but...
>
> 2) I can see how there is a gap, in the sense that the identity 
> proofing process in the IAF and indeed in the proposed ISO 29115 are 
> kind of deployment profiles of this standard, if it were manifested...
>
> 3) Given KI is a global organisation, are we comfortable that we are 
> not creating a precedent that will be impossible to continue with, 
> (the flip side being that there is a large US influence in the IAF and 
> 29115 so it is a worthy exception)
>
> 4) Without trying to pre-empt or pre judge any decision, is it your 
> sense that KI might want to participate as a non-profit at $1,000 per 
> annum?
>
> Cheers
>
> Colin
>
> *From:* lc-bounces at kantarainitiative.org 
> <mailto:lc-bounces at kantarainitiative.org> 
> [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of *Bob Pinheiro
> *Sent:* Tuesday, 22 June 2010 9:52 a.m.
> *To:* Kantara Leadership Council Kantara
> *Cc:* Kantara Staff list
> *Subject:* [KI-LC] Kantara Support For A National Identity 
> Verification Standard??
>
> As part of my efforts to determine whether there's any external 
> interest in the Consumer Identity WG's project plan, I recently spoke 
> with Tom Lockwood, who is one of the drivers of the government's 
> National Strategy for Trusted Identities in Cyberspace, and Graham 
> Whitehead of NASPO.  You may have seen the email and attached Call for 
> Participation from ANSI IDSP (below), announcing that NASPO is 
> commencing development of an American National Standard for Identity 
> Verification.
>
> The need for a standardized identity verification/proofing process is 
> well known, and Tom mentioned that several people associated with 
> Kantara (Brett, when he was ED, and Frank V. on behalf of IAWG) 
> expressed to him that Kantara supports such an effort.  Others as 
> well, in particular members of the financial services community, have 
> also expressed interest.
>
> However, the reality is that NASPO will not be able to pursue this 
> work unless it can secure adequate funding, and also recruit enough 
> "warm bodies" to actually participate in the effort.  Since there was 
> some expression of interest and support by Kantara 
> participants/members, I volunteered to find out whether this might 
> translate into financial support, and whether anyone representing 
> Kantara might want to participate in the actual development of the 
> identity verification standard.
>
> The attached Call for Participation describes the various levels of 
> financial support that is being requested.  I'd like to propose that 
> the question of whether Kantara can provide financial support for the 
> development of an identity verification standard by NASPO be submitted 
> to the Board of Trustees for their consideration.
>
> Although I'm specifically addressing possible financial support by 
> Kantara, NASPO would certainly be grateful for a commitment of 
> financial support and participation by any other organization as well, 
> including individual Kantara member organizations.
>
> As noted below, an initial meeting of those making a commitment to 
> this effort is planned for July 12-13 in Kansas City.  So if there is 
> any possibility that Kantara might be able to contribute to this 
> effort, the BoT should probably take up this matter fairly soon.
>
> Bob
>
> ---------------------------
> Bob Pinheiro
> Chair, Consumer Identity WG
> 908-654-1939
> kantara at bobpinheiro.com  <mailto:kantara at bobpinheiro.com>
> www.bobpinheiro.com  <http://www.bobpinheiro.com/>
>
>
>
>
>
> -------- Original Message --------
>
> *Subject: *
>
> 	
>
> ID-V Standard Kick-Off Meeting & Call for Participation
>
> *Date: *
>
> 	
>
> Wed, 16 Jun 2010 10:10:03 -0400
>
> *From: *
>
> 	
>
> James McCabe <jmccabe at ANSI.ORG> <mailto:jmccabe at ANSI.ORG>
>
> *Reply-To: *
>
> 	
>
> James McCabe <jmccabe at ANSI.ORG> <mailto:jmccabe at ANSI.ORG>
>
> *To: *
>
> 	
>
> IDSP at MAILLIST.ANSI.ORG <mailto:IDSP at MAILLIST.ANSI.ORG>
>
> Dear IDSP participants,
>
> The purpose of this eMail is to let you know that a meeting to 
> commence development of a national identity verification standard will 
> take place on July 12 and 13, 2010 in Kansas City. The meeting will 
> start at 1:00pm on Monday July 12 and end on Tuesday July 13 at 
> 4:30pm. The meeting will be held in Pavilion 3 at the :-
>
> InterContinental Kansas City at the Plaza
> 401 Ward Parkway
> Kansas City, MO
> 64112
>
> A block of rooms has been reserved at the hotel for the nights Sunday, 
> July 11 through to Wednesday  July 14,  at a rate of $139.00 per night.
>
> To make your reservation please call toll free 866 856 9717 and 
> reference the NASPO rate (*NAS*), or you can book online at 
> www.kansascityic.com <http://www.kansascityic.com/> 
> <_http://www.kansascityic.com <http://www.kansascityic.com/>_> and use 
> the code *NAS*.
>
> Hotel reservations should be made on or before *June 21, 2010* after 
> which time rooms will be released for general reservations.  More 
> information about the hotel can be found at_ 
> http//:www.kansascityic.com <http://www.kansascityic.com/>
>
> _The required fee for participation in the development of this 
> standard is detailed in the attached "ID-V Call for 
> Participation"document. Individuals and organizations who wish to 
> participate in the development process and attend this first meeting, 
> must register to participate and commit to payment of the 
> participation fee in advance of attendance at the meeting. 
> Opportunities to benefit from the payment of  a sponsorship fee are 
> also detailed in the attachment.
>
> For further information please contact :-
>
> Ann Whitehead
> NASPO Administrator
> Tel: (604) 921-9196
> eMail: naspo at telus.net
>
> Best regards,
>
> Jim McCabe
> Senior Director, Consumer Relations and IDSP
> *American National Standards Institute
> *25 West 43^rd Street, 4^th Floor
> New York, NY  10036  U.S.A.
> 1-212-642-8921; Fax: 1-212-840-2298
> jmccabe at ansi.org <mailto:jmccabe at ansi.org>
>
> *_MARK YOUR CALENDAR:
> World Standards Week 2010 <http://www.ansi.org/wsweek>_*
>
> September 21-24, Arlington, VA
>
> ====
> CAUTION:  This email message and any attachments contain information 
> that may be confidential and may be LEGALLY PRIVILEGED. If you are not 
> the intended recipient, any use, disclosure or copying of this message 
> or attachments is strictly prohibited. If you have received this email 
> message in error please notify us immediately and erase all copies of 
> the message and attachments. Thank you.
> ====
>
> ====
> CAUTION:  This email message and any attachments contain information 
> that may be confidential and may be LEGALLY PRIVILEGED. If you are not 
> the intended recipient, any use, disclosure or copying of this message 
> or attachments is strictly prohibited. If you have received this email 
> message in error please notify us immediately and erase all copies of 
> the message and attachments. Thank you.
> ====
>
>
> _______________________________________________
> LC mailing list
> LC at kantarainitiative.org <mailto:LC at kantarainitiative.org>
> http://kantarainitiative.org/mailman/listinfo/lc
>
>
>
>
> -- 
> Joni Brennan
> IEEE-ISTO
> Kantara Initiative
> Managing Director
> voice:+1 732-226-4223
> email: joni @ ieee-isto.org <http://ieee-isto.org/>
> gtalk: jonibrennan
> skype: upon request
>
> Join the conversation on the community@ list - 
> http://kantarainitiative.org/mailman/listinfo/community
>
>
>
>
>
> _______________________________________________
> LC mailing list
> LC at kantarainitiative.org <mailto:LC at kantarainitiative.org>
> http://kantarainitiative.org/mailman/listinfo/lc
>
> ====
> CAUTION:  This email message and any attachments contain information 
> that may be confidential and may be LEGALLY PRIVILEGED. If you are not 
> the intended recipient, any use, disclosure or copying of this message 
> or attachments is strictly prohibited. If you have received this email 
> message in error please notify us immediately and erase all copies of 
> the message and attachments. Thank you.
> ====
>
>
> _______________________________________________
> LC mailing list
> LC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/lc
>    
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/lc/attachments/20100625/bb743b30/attachment-0001.html 


More information about the LC mailing list