[WG-IDAssurance] Updates to my comments

Coderre, Mark CoderreM at aetna.com
Fri Dec 6 16:56:39 CST 2013


Aren't there a myriad of state laws that would prohibit using SSN purely for correlation?

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Scott Shorter
Sent: Friday, December 06, 2013 1:57 PM
To: Andrew Hughes; IA WG
Subject: [WG-IDAssurance] Updates to my comments

Hi all,

Updates to a few comments based on today's call.  The "IAWG let's discuss on Friday" comment is now:

1. Clarify the distinction between identity proofing and identity resolution, the attribute verification requirements for each, and when those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as attribute providers, RPs during account linking and problem resolution, etc.)

2. RPs should be able to make a determination based on their risk assessment whether credentials based on data broker verification meet their needs.  FICAM could provide guidance on the pros and cons, and consider providing granularity in levels of Identity Assurance reflecting the data sources against which verification was performed.

Does that more or less reflect the discussion?

I didn't add this because we didn't discuss it, but what also occurred to me is:

3. FICAM could declare that SSN is not an acceptable "valid current government ID number" during remote identity proofing.

NIST has persistently declined to clarify this issue, although the conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP 800-63-2 does permit it.  Changing that would be huge, and I doubt a suggestion to do so would clear the ARB, but I offer it for the sake of completeness.
-
Scott
--
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.
sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793

