[KI-LC] [EXTERNAL] Re: Shaping the form of the Kantara mDL WG

Salvatore DAgostino sal at idmachines.com
Thu Apr 9 13:35:16 UTC 2020


Along these lines, does anyone know if the I-9 List B requirements for drivers’ licenses will be upgraded to REAL ID…

 

https://www.uscis.gov/i-9-central/acceptable-documents/list-documents/form-i-9-acceptable-documents

 

From: Martin Smith <martin.smith at acm.org> 
Sent: Thursday, April 9, 2020 9:26 AM
To: Richard G. WILSHER (@Zygma) <RGW at Zygma.biz>; 'HUGHES Andrew' <andrew.hughes at idemia.com>; 'Christopher Williams' <cwilliams at exponent.com>; 'Colin Wallis Kantara' <colin at kantarainitiative.org>
Cc: 'David Kelts' <dkelts at getgroupna.com>; 'Ken Dagg' <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; 'Andrew Hughes' <andrewhughes3000 at gmail.com>; 'Ben Barnett' <ben.barnett at folio.id>; 'Bob Pinheiro' <bob at bobpinheiro.com>; 'Kantara Leadership Council' <lc at kantarainitiative.org>; mark.difraia at kuma.pro
Subject: Re: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

Just a point on scope of REAL ID -- I think Richard said earlier in this thread that it was only required for access to Federal (or maybe it was "sensitive") facilities. But at some point it will be required for boarding US domestic commercial air flights. "[A]t some point . . ." was scheduled to be October 2020, but this has been pushed back due to coronavirus. In any case, the demand for REAL ID DLs will be much larger than just for those needing to access Federal facilities.

(Details: yes, you can use a passport as ID for domestic US air travel, but few US domestic travelers have them; and the reason it's just domestic air access is presumably because passports are already required for international air boarding.)

Martin

 

 

On 4/7/2020 12:20 PM, Richard G. WILSHER (@Zygma) wrote:

You’re probably right Andrew (is that twice I’ve publicly admitted that in the last 24 hrs???  ;-), though it might be a stretch to suggest that “[US Federal agencies and other US Federal issuers] all fall under the same risk domain”, because they often don’t and want to determine their risk profile for themselves.

But if we go down the path you suggest, then doesn’t that bring us back to:

ISO as the upper layer of the model;

Jurisdictional profiling to suit regional/national implementation of the IS (which is where we would bring in the DHS/REAL ID material and possibly NIST 800s as well, e.g. -53, -63, …)

I’m still uncertain whether the above would be with the intention of facilitating use of these mDLs as evidence to be used within an implementation meeting -63 rev.3, or whether it would be to show that the processes themselves met the requirements of -63 rev.3. The latter seems to me to be an exercise in recursion without a limiting state.

 

Richard G. WILSHER
Founder & CEO,  Zygma Inc.
                       
Operating independently since 1993

M: +1 714 797 99 42
E: RGW at Zygma.biz
W: www.Zygma.biz

 

From: HUGHES Andrew [mailto:andrew.hughes at idemia.com] 
Sent: Tuesday, April 7, 2020 15:47
To: Christopher Williams; Colin Wallis Kantara
Cc: David Kelts; Ken Dagg; Salvatore DAgostino; Andrew Hughes; Ben Barnett; Bob Pinheiro; Kantara Leadership Council; Richard G. WILSHER (Zygma CEO); mark.difraia at kuma.pro; martin.smith at acm.org
Subject: Re: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

By the way, this is one specific area where the idea that 800-63-3 is applicable to non-US Federal agencies is clearly wrong. 

 

US Federal agencies can choose to accept that other US Federal issuers are doing certain things, because they all fall under the same risk domain. They can also establish Agency-Agency agreements if they really want to. 

 

The same level of certainty is simply not available outside of that domain. And it ties us as commercial providers up in knots. 

 

So maybe a valuable thing is to write criteria that accept the DHS/REAL ID conformity approval as compensating controls, so we can make some kind of equivalency argument relative to NIST 800-63-3.

 

———

Andrew Hughes

Director, Identity Architecture 

IDEMIA

 

M. +1 416 565 4723

E. Andrew.Hughes at idemia.com

  _____  

From: Christopher Williams <cwilliams at exponent.com>
Sent: Tuesday, April 7, 2020 8:14:12 AM
To: HUGHES Andrew <andrew.hughes at idemia.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG 

 


 

I agree about the lack of downstream process transparency being a challenge. More broadly, I think this discussion highlights the trap of trying to use 800-63 as a set of universal requirements in the physical ID space. As humans are not born with multiple 800-63 SUPERIOR credentials, is there a path for a “real world identity” to ever be IAL3 by the 800-63 requirements?

 

Andrew, are you interested in a call to discuss further?  I would be happy to send out a webex.

 

 

Christopher Williams, Ph.D., CISSP

Manager, Statistical & Data Sciences

Exponent, Inc.

420 Lexington Ave, Suite 1740
New York, NY 10170

Mobile: (650) 460-9647

www.exponent.com/christopher_williams

 

 

 

From: HUGHES Andrew <andrew.hughes at idemia.com>
Sent: Tuesday, April 7, 2020 11:01 AM
To: Christopher Williams <cwilliams at exponent.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

Um. Sure. 

But 800-63-3 predicates its entire evaluation of ‘proofing strength’ on the specific validation and verification of the actual pieces of evidence presented – and if a downstream consumer (CSP) of a DL has no way to be certain about which specific pieces of evidence were presented, then nothing else matters.

 

It’s similar to the argument that a US Passport is a SUPERIOR evidence type, or that a US Passport can be used as the single piece of evidence used to satisfy IAL2 – both of those categorizations rely on unknowable process execution at the issuer – we can suspect that the passport office did things a particular way, but we are not permitted to know exactly what they did for that specific passport application/vetting.

 

In general discussions with others outside this group I find a disturbing generalization about the NIST 800-63-3 characteristics of documents like DL and Passports – people talk as if they are the actual DMV Issuer and have explicit knowledge of the processes executed (they can review logs, for example), rather than as an external CSP consuming DL or Passport who can not actually discover what explicit process steps were executed. This leads to incorrect claims of things like the maximum IAL achievable using certain onboarding/enrolment techniques.

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com

 

From: Christopher Williams <cwilliams at exponent.com>
Sent: April 7, 2020 7:53 AM
To: HUGHES Andrew <andrew.hughes at idemia.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 


 

I agree that it would be too strong to say _always_ in every issuer jurisdiction, but looking at this list of requirements, the first question is: does the process meet all of the other 800-63 requirements outside of the Evidence? I think yes.

 

For the evidence listed by Iowa what are the 800-63 Strengths of the various documents?  As a simple example:

 

1. Passport
2. SSN card
3. Utility bill

 

From: HUGHES Andrew <andrew.hughes at idemia.com>
Sent: Tuesday, April 7, 2020 10:45 AM
To: Christopher Williams <cwilliams at exponent.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

For example, the IOWA REAL ID documentation requirements: 

* Identity and date of birth (one doc)
* Lawful status in the US (the doc used for identity and DOB meets this if it is verifiable)
* SSN (the number as shown on one of a few possible docs)
* Iowa residency and current address (two)

 

IAL3 evidence requirement (800-63-3A section 4.5.2) says:

The CSP SHALL collect the following from the applicant:
1. Two pieces of SUPERIOR evidence; OR
2. One piece of SUPERIOR evidence and one piece of STRONG evidence if the issuing source of the STRONG evidence, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence and the CSP validates the evidence directly with the issuing source; OR
3. Two pieces of STRONG evidence plus one piece of FAIR evidence.

 

So I don’t see how the Iowa REAL ID documentation requirements ALWAYS result in the combinations required for IAL3. Sure, it’s POSSIBLE that the applicant used the IAL3 combinations of docs to get their REAL ID DL, but there’s no way to know for sure what happened when they went through the REAL ID process.

 

Am I getting this wrong?

 

Andrew.

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com
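As an added illustration (not part of the thread, and not code from any participant, from Kantara or from NIST), here are the three IAL3 evidence combinations of SP 800-63-3A section 4.5.2 quoted above, written as a check over a declared set of evidence, applied both to Christopher's three-document list and to the Iowa REAL ID requirement as a downstream consumer sees it. Two things in it are assumptions of the example rather than anything the standard or the thread states: a stronger piece is allowed to fill a weaker slot (a SUPERIOR piece where STRONG is asked for), and the UNKNOWN strength is invented here to model the consumer who knows a document was presented to the DMV but not which one. The document-to-strength assignments in the sample inputs (passport as SUPERIOR, as the thread itself puts it; SSN card and utility bill as FAIR) are constructed for the example, not a claim about any issuer's document table.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Strengths named in SP 800-63-3A. UNKNOWN is an addition for this example:
# the relying CSP knows a document filled a REAL ID slot but cannot see which.
SUPERIOR, STRONG, FAIR, UNKNOWN = "SUPERIOR", "STRONG", "FAIR", "UNKNOWN"
RANK = {FAIR: 1, STRONG: 2, SUPERIOR: 3}


@dataclass(frozen=True)
class Evidence:
    strength: str
    # The two conditions attached to option 2 of 4.5.2: the issuing source of
    # the STRONG evidence proofed the applicant with two or more SUPERIOR/STRONG
    # pieces, and the CSP validated the evidence directly with that source.
    issuer_proofed_with_two_strong: bool = False
    validated_with_issuing_source: bool = False


def _known_meets_ial3(pieces: List[Evidence]) -> bool:
    """The three combinations of 4.5.2 over evidence of known strength.
    Assumption (example's own): a stronger piece may fill a weaker slot."""
    ranks = [RANK[p.strength] for p in pieces]
    superior = sum(1 for r in ranks if r >= RANK[SUPERIOR])
    strong_or_better = sum(1 for r in ranks if r >= RANK[STRONG])
    # Option 1: two pieces of SUPERIOR evidence.
    if superior >= 2:
        return True
    # Option 2: one SUPERIOR plus one STRONG whose issuing source did its own
    # two-piece proofing and which the CSP validated with that source.
    for i, p in enumerate(pieces):
        if (RANK[p.strength] >= RANK[STRONG]
                and p.issuer_proofed_with_two_strong
                and p.validated_with_issuing_source):
            others = pieces[:i] + pieces[i + 1:]
            if any(RANK[o.strength] >= RANK[SUPERIOR] for o in others):
                return True
    # Option 3: two STRONG plus one FAIR (every piece is at least FAIR).
    return strong_or_better >= 2 and len(ranks) >= 3


def meets_ial3_evidence(evidence: Iterable[Evidence]) -> Optional[bool]:
    """True if the known pieces already satisfy 4.5.2; False if they cannot
    even when every UNKNOWN piece is assumed SUPERIOR with both option-2
    conditions met; None (indeterminate) otherwise. The None case is the
    downstream-consumer situation discussed in the thread."""
    pieces = list(evidence)
    known = [p for p in pieces if p.strength != UNKNOWN]
    if _known_meets_ial3(known):
        return True
    best_case = known + [Evidence(SUPERIOR, True, True)
                         for p in pieces if p.strength == UNKNOWN]
    if not _known_meets_ial3(best_case):
        return False
    return None


# Constructed inputs for the example; the strength assignments are assumptions.
# Christopher's list: passport, SSN card, utility bill.
CHRIS_LIST = [Evidence(SUPERIOR), Evidence(FAIR), Evidence(FAIR)]

# Iowa REAL ID as seen downstream: at least four document slots were filled
# (identity/DOB, lawful status, SSN, two residency) but the consumer cannot
# learn which documents filled them.
IOWA_AS_SEEN_DOWNSTREAM = [Evidence(UNKNOWN)] * 4

# The same Iowa applicant if the DMV had exposed what it actually collected.
IOWA_IF_DISCLOSED = [Evidence(SUPERIOR), Evidence(STRONG, True, True),
                     Evidence(FAIR), Evidence(FAIR)]

if __name__ == "__main__":
    for name, ev in [("Christopher's list", CHRIS_LIST),
                     ("Iowa REAL ID, downstream view", IOWA_AS_SEEN_DOWNSTREAM),
                     ("Iowa REAL ID, issuer view", IOWA_IF_DISCLOSED)]:
        print(f"{name}: IAL3 evidence rule -> {meets_ial3_evidence(ev)}")
```

The point the thread makes falls out of the None result: a REAL ID DL only tells the consumer that the slots were filled, so the rule cannot be evaluated without the issuer disclosing (or a trust mark attesting to) what was collected.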

 

From: HUGHES Andrew 
Sent: April 7, 2020 7:28 AM
To: Christopher Williams <cwilliams at exponent.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

Hold on – are you sure that the REAL ID proofing process _always_ meets IAL3 requirements?

 

I read it the other way – because a person can submit one piece of evidence that is used to satisfy more than one REAL ID requirement, downstream consumers of the DL cannot be sure that the process as executed for that particular person actually achieved IAL3. 

 

I’ll have to go back and check my notes…

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com

 

From: Christopher Williams <cwilliams at exponent.com>
Sent: April 7, 2020 7:23 AM
To: HUGHES Andrew <andrew.hughes at idemia.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 


 

Andrew,

 

I have a number of thoughts on IAL and AAL for mDLs, but I will try to be really brief over email. I would be happy to set up a call if folks are interested in a longer discussion.

 

I think the first thing we should keep in mind is 800-63 was written for digital identity, which DLs (passports, birth certificates, Costco cards, etc.) do not fall into. We should look to each of their standards and regulations when evaluating the ecosystem. While there may be pieces that are comparable, something like a birth certificate can never meet the IAL3 requirements set forth in 800-63 by definition, but birth certificates are used routinely as a high integrity document for many things, including as a breeder document for high sensitivity ID documents like passports. For REAL ID, the issuance process meets IAL3 requirements defined in 800-63, but I don’t expect to see an alignment between the REAL ID Act and 800-63-4 because they are for very different use cases.

 

mDL is very interesting in this space because it straddles the line between digital and physical identity, and likely we will need to consider the entire regulatory ecosystem. One last piece I think is really important when trying to map 800-63 to mDL is the difference in risk between use cases. Specifically, for Offline vs. Online use, because the data being transacted originates with wildly different levels of trust (user mobile device vs. central state-controlled ID server), the acceptable risk should be assessed not only for mDLs as a whole, but for each use case.

 

Anyway, just my two cents.  I hope everyone is staying safe and well.

 

Best,

Christopher

 

 

Christopher Williams, Ph.D., CISSP

Manager, Statistical & Data Sciences

Exponent, Inc.

420 Lexington Ave, Suite 1740
New York, NY 10170

Mobile: (650) 460-9647

www.exponent.com/christopher_williams

 

 

 

From: HUGHES Andrew <andrew.hughes at idemia.com>
Sent: Monday, April 6, 2020 11:14 PM
To: Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

Well, US DMV DL issuers are following the REAL ID Act requirements, which goes a long way towards regularization of their proofing processes. And I don’t think NIST has assimilated the REAL ID Act requirements into 800-63-3 yet, or whether they plan to do so in -4.

The RP wants to know that the DL as a credential is ‘fit for purpose’ – whatever the RP’s purpose is.

 

I agree with Richard that “mDL Capable” for existing Kantara trust marks is not the right framing – because they are not. The trust marks do offer an independent confirmation path for the DMV proofing processes, and also for any CSP consuming DLs in their proofing processes (but we already know that last part because that’s what Kantara sells).

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com

 

From: Colin Wallis Kantara <colin at kantarainitiative.org>
Sent: April 6, 2020 12:37 PM
To: HUGHES Andrew <andrew.hughes at idemia.com>
Cc: David Kelts <dkelts at getgroupna.com>; Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: Re: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 



 

Hmm... complicated, or at least pointing to a two-pronged approach....

 

Let me try this out on you all..  

 

DMV issuers are using a range of processes to do provisioning... and not standardized. This we know.

 

The RP wants to know that there is consistency in the provisioning. 

 

But there is no agreement on what that nexus is, and Andrew suggests that Kantara Trust Marks (I guess he's thinking our 63-3 Trust Marks here) won't be (universally?) liked by DMVs, and suggests criteria could/should be directed at ISO SC 17/WG 4 for ISO 23220-3, which explicitly does cover the issuer -> mDL interface.

 

So the logic goes that DMVs would like criteria mapped from ISO 23220-3 in contrast to Kantara's existing 63-3 Trust Marks because it is more acceptable? harder to ignore/refute? something else? Do I have that logic right?

 

If so, then when Andrew says "I do agree that promoting the existing Kantara trust marks as an easy(er) path towards 800-63 for those issuers/verifiers who want to go in that direction – raises profile that can be redirected into other projects" he seems to be implying that there will be a handful of State DMV issuers and RPs who might accept Kantara 800-63-3 Trust Marks for mDL provisioning because of other US federal agency requirements for 63-3 in order to comply with M-19-17 and A-130, and it offers a synergistic 'catch all' compromise.. which is why Andrew and David seem to agree on that need for Kantara to promote its 63-3 Trust Marks as 'mDL capable'.

 

Is this holding together so far?

      

 

On Mon, Apr 6, 2020 at 6:48 PM HUGHES Andrew <andrew.hughes at idemia.com> wrote:

Yes – absolutely agree that the RP wants to know about provisioning process – I’m just saying that government agencies in general do not like outside scrutiny and so would probably not like the Kantara trust mark solution. Doesn’t mean we shouldn’t work on it, but Kantara’s customers might not be the DMVs.

 

I currently believe that the WG criteria could/should be directed at ISO SC 17/WG 4 for ISO 23220-3, which explicitly does cover the issuer -> mDL interface. There’s a complicated story about why it’s in a different WG and project than 18013-5.

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com

 

From: David Kelts <dkelts at getgroupna.com>
Sent: April 6, 2020 10:25 AM
To: HUGHES Andrew <andrew.hughes at idemia.com>; Colin Wallis Kantara <colin at kantarainitiative.org>
Cc: Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 


 

I think that RPs will want to know there is consistent provisioning among Issuers/States.  This helps them establish baseline trust (like the ID Checker Guide does for physical cards).  

 

Policy could accomplish this (likely at the Federal level or AAMVA).

 

At the technology level, there are no 18013-5 requirements for provisioning, so promoting an existing method of assessing provisioning makes sense to establish the accuracy-level.

 

From: HUGHES Andrew <andrew.hughes at idemia.com>
Sent: Monday, April 6, 2020 10:05 AM
To: Colin Wallis Kantara <colin at kantarainitiative.org>; David Kelts <dkelts at getgroupna.com>
Cc: Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: RE: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

Do we think that State DMVs (and others) will want to obtain 3rd party-assessed trust marks for their issuance processes? Our collective experience with government agencies suggests not… 

And, there’s no mapping from 18013-5 requirements to SAC requirements for issuance. 18013-5 does not cover issuance nor does it cover authenticators in the NIST sense.

 

I do agree that promoting the existing Kantara trust marks as an easy(er) path towards 800-63 for those issuers/verifiers who want to go in that direction – raises profile that can be redirected into other projects.

 

 

 

Andrew Hughes

Director, Identity Architecture

M. +1 (416) 565-4723
E. Andrew.Hughes at idemia.com

 

From: Colin Wallis Kantara <colin at kantarainitiative.org>
Sent: April 6, 2020 6:56 AM
To: David Kelts <dkelts at getgroupna.com>
Cc: Ken Dagg <kendaggtbs at gmail.com>; Salvatore DAgostino <sal at idmachines.com>; Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; HUGHES Andrew <andrew.hughes at idemia.com>; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: Re: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 



 

That's great input David. 

 

Thank you very much!

 

Indeed, I began promoting the white paper here in my Director's Corner blog (https://kantarainitiative.org/confluence/display/GI/2020%3A+March) about half way down the page. And we have it planned to be promo'd again in the mid-month newsletter in 10 days time that goes to a mix of members and non members. We also have it scheduled on Social, to help promote the 1st Webinar that STA is running.

 

So if I'm understanding correctly, the suggestion is that we do a kind of lightweight profile of our existing 800-63-3 Service Assessment Criteria (SACs) against the mDL provisioning requirements.

 

If so, that suggests to me that the essence of the work would be a mapping of those requirements to the 63-3 requirements, out of which will come the subset of our SACs that are applicable to the mDL provisioning use case. 

 

If that is also correct, the Identity Assurance WG has its work cut out because - whether we continue forming this mDL WG, or do that work as yet another sub-group of the IAWG, we will need folks familiar with both the 63-3 requirements and Kantara's SACs developed to enable consistent assessment against the requirements... 

 

This will certainly be in the forefront of the IAWG (and LC) leads' minds on this list, and others also here that work on the SACs in the IAWG. There are 2 or 3 projects already in play there, but I'll leave it to the folks closer to it than me to comment on feasibility and timings.

 

Thanks again David. This has certainly given us something to chew on! ;-)

 

Kind regards

Colin

Executive Director

Cell or Signal: +44 (0)7490 266 778

@KantaraNews @KantaraColin  Blog: https://kantarainitiative.org/confluence/display/GI/Director%27s+Corner  or sign up to receive news: https://signup.e2ma.net/signup/1889513/1769625/

Delivering 3rd party Assurance for NIST SP 800-63-3 Level 2: https://kantarainitiative.org/kantara-initiative-first-to-market-with-nist-sp-800-63-3-third-party-assessment-approval-and-trust-mark/

Kantara Initiative (https://kantarainitiative.org/about/10th-anniversary/), Kantara Educational Foundation (https://edufoundation.kantarainitiative.org) & Kantara Europe (https://kantarainitiative.eu/)



 

 

 

On Sun, Apr 5, 2020 at 2:36 PM David Kelts <dkelts at getgroupna.com> wrote:

Hi Kantarians,

 

The STA whitepaper (https://www.securetechalliance.org/publications-the-mobile-drivers-license-mdl-and-ecosystem/) is published, and the press release (https://www.globenewswire.com/news-release/2020/04/02/2010724/0/en/Secure-Technology-Alliance-Publishes-White-Paper-on-Mobile-Driver-s-Licenses-and-Emerging-Ecosystem.html) is out. IMHO, it could be sent to every Kantara member, and promoting the paper – both to membership and externally – would greatly benefit Kantara’s eventual work.

 

To Colin’s original question, my suggestion is to make existing Kantara 800-63 certifications meaningful and relevant to mDL solutions.  That will help unlock issuers to proceed on rollout.  This may not be a large lift at all, just *marketing* them as mDL Provisioning Certifications would accomplish this.  Issuers will want to roll out NIST 800-63 IAL3 identities whenever they can.  They will want, for example, to post that, at minimum, their identities are IAL2 – (post publicly until there exists a mechanism in the mDL standards to convey proofing levels to RPs).

 

This is a critical role that Kantara can play right now in this developing ecosystem.  It is #1 in Colin’s WG charter done very quickly.  😊  Being agile would let #1 evolve.

 

Since I’m “that guy”, I made suggested changes in the Charter “Scope” already to prioritize the work so that Kantara could quickly make available what would drive acceptance in the mDL Ecosystem.  These are suggestions in the google doc and changeable per the group’s discussion.

 

I think this can be a relevant and important effort, and appreciate everyone’s dedication,

 

David

A. David Kelts
Director of Product Development, Mobile ID | GET Group North America
Global Enterprise Technologies Corp.
230 Third Avenue, Waltham MA 02451 USA
T: +1 (781) 902 8776
M: +1 (617) 487 9529
E: dkelts at getgroupna.com
Twitter <https://urldefense.com/v3/__https:/twitter.com/getgroupna__;!!FZtbJVnXfw!lhhgO-3nrnLuNfBAezmDxuuChebx82GtwQBMj9IA4YGrJsKJQXnvSzaV0k3genMibHI$> | LinkedIn <https://urldefense.com/v3/__https:/www.linkedin.com/company/global-enterprise-technologies-corp-/__;!!FZtbJVnXfw!lhhgO-3nrnLuNfBAezmDxuuChebx82GtwQBMj9IA4YGrJsKJQXnvSzaV0k3g63tKzU0$> | The Web <https://urldefense.com/v3/__https:/getgroupna.com/solutions/mobile-identification/get-mid-app/__;!!FZtbJVnXfw!lhhgO-3nrnLuNfBAezmDxuuChebx82GtwQBMj9IA4YGrJsKJQXnvSzaV0k3gm0d-7jw$>
GET Mobile On

From: Ken Dagg <kendaggtbs at gmail.com>
Sent: Wednesday, March 18, 2020 7:01 PM
To: Salvatore DAgostino <sal at idmachines.com>
Cc: Andrew Hughes <andrewhughes3000 at gmail.com>; Ben Barnett <ben.barnett at folio.id>; Bob Pinheiro <bob at bobpinheiro.com>; Christopher Williams <cwilliams at exponent.com>; Colin Wallis Kantara <colin at kantarainitiative.org>; David Kelts <dkelts at getgroupna.com>; Kantara Leadership Council <lc at kantarainitiative.org>; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; andrew.hughes at idemia.com; mark.difraia at kuma.pro; martin.smith at acm.org
Subject: [EXTERNAL] Re: [KI-LC] Shaping the form of the Kantara mDL WG

 

I made some editorial changes to the Purpose and Scope sections.

Thoughts,

Ken

On Wed, Mar 18, 2020 at 6:42 PM Ken Dagg <kendaggtbs at gmail.com> wrote:

Sal,

In my opinion the conformance criteria that are developed would support another (and new) Kantara Class of Approval. As such, from an operational perspective, all the processes associated with granting a trust mark for a class of approval would be applicable.

Thoughts,

Ken

On Wed, Mar 18, 2020 at 6:34 PM Salvatore DAgostino <sal at idmachines.com> wrote:

Thanks Colin,

One thought … since it's looking at assessment criteria, should it also be collaborating with the IAWG to determine the requirements for a program as well? I think it's worth the time to think about the operational aspects as well as the criteria components.

From: LC <lc-bounces at kantarainitiative.org> On Behalf Of Colin Wallis Kantara
Sent: Wednesday, March 18, 2020 6:12 PM
To: David Kelts <dkelts at getgroupna.com>; andrew.hughes at idemia.com; Richard G. WILSHER (Zygma CEO) <RGW at zygma.biz>; Bob Pinheiro <bob at bobpinheiro.com>; Ken Dagg <kendaggtbs at gmail.com>; martin.smith at acm.org; Christopher Williams <cwilliams at exponent.com>; Ben Barnett <ben.barnett at folio.id>; Andrew Hughes <andrewhughes3000 at gmail.com>; mark.difraia at kuma.pro
Cc: Kantara Leadership Council <lc at kantarainitiative.org>
Subject: Re: [KI-LC] Shaping the form of the Kantara mDL WG

Folks

Just pushing this early draft Charter in the GDocs link around the buoy once more.

https://docs.google.com/document/d/1UNuYl71z9Js_8Bmi9sdmb0PMaXkPqkgWGwGWgrApdbw/edit

I'm trying to find that sweet spot between making it generic enough that we can flex and change as needed, while being specific enough that we don't spend months and months thrashing around to find the beginning.

The news from STA (which many of you on this list know as you were on Cathy's email distro) is that we could expect to see the whitepaper published late next week.

We do have the option of holding until then, for folks here that weren't involved in its creation to get orientated.

But OTOH I'm not sure it would significantly change what we do here, since on and off-list the broad direction seems aligned, if not the finer-grained detail, the knowledge of which significantly rests with those of you on the ISO SC17 WGs.

Anyway, take another look at the Charter please, and edit inline or add proposed text changes as comments.

It would be good to get it into the WG creation process before the end of the month (which is not long!) as well as make it more widely known to other members and non-member participants.

Thanks!

Colin

On Wed, Mar 4, 2020 at 12:06 AM Colin Wallis Kantara <colin at kantarainitiative.org> wrote:

Folks

Thank you for putting your hand up for interest in this idea, either in response to email or in conversations.

There are others (both inside and outside of the Kantara membership) but we need to get on, while internal sign-offs etc. take place.

Because I am going on vacation for a few days (chasing northern lights so mostly out of cell range) and then in DC next week, I wanted to make a very formative start on the draft WG charter... something we can all build on.

https://docs.google.com/document/d/1UNuYl71z9Js_8Bmi9sdmb0PMaXkPqkgWGwGWgrApdbw/edit

So edit and comment away at will please while I am away and not thinking of you all while I chase lights..;-).

-- 

Kenneth Dagg, Independent Consultant, Identification and Authentication, 613-825-2091, kendaggtbs at gmail.com


-- 
Martin Smith 703 389-3224
