[WG-IDAssurance] Updates to my comments

Richard G. WILSHER (Zygma CEO) RGW at Zygma.biz
Sun Dec 8 10:40:45 CST 2013


Rich,

 

In-line.

Richard.

 

Richard G. WILSHER
Founder & CEO
O:  +1 714 965 99 42
M: +1 714 797 99 42
E: RGW at Zygma.biz
W: www.Zygma.biz

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Furr,
Richard
Sent: Saturday, 7 December, 2013 15:59
To: Coderre, Mark; 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments

 

It would certainly be worth knowing that and if so that should be included
in comments.

 

Also,

 

I wonder why FICAM is pointing to the draft NASPO/ANSI ID verification
standard when ISO 29003, Identity Proofing already exists and is used
internationally.
>>RGW:  Good question in principle, but who do you know is using IS29003?
It is presently at Working Draft 2, requires a LOT of work (600+ comments to
dispose - the last editing session was not a pretty sight) and I suspect it
will take another 2 yrs to achieve Final Draft stage.

 

Please, how are IdP/CSPs supposed to play in all these sandboxes??
>>RGW:  They contribute through their National Bodies (the US' is
INCITS/CS1) if they want to have a vote at the national level, and their NB
will have a vote at the ISO JTC 1/SC 27/WG 5 level;  they can also
contribute via Kantara which has a liaison status with SC27 (and this has, I
think, been reasonably well notified through the IAWG list), but liaison
bodies do not get to vote during editing sessions.

 

Rich Furr

Identity, Regulatory Affairs, Audit, and Compliance Consultant

Verizon Enterprise Solutions

704-575-1680

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Coderre,
Mark
Sent: Friday, December 06, 2013 5:57 PM
To: 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments

 

Aren't there a myriad of state laws that would prohibit using SSN purely for
correlation?

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Scott
Shorter
Sent: Friday, December 06, 2013 1:57 PM
To: Andrew Hughes; IA WG
Subject: [WG-IDAssurance] Updates to my comments

 

Hi all,

 

Updates to a few comments based on today's call.  The "IAWG let's discuss on
Friday" comment is now:

 

1. Clarify the distinction between identity proofing and identity
resolution, the attribute verification requirements for each, and when those
requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as
attribute providers, RPs during account linking and problem resolution,
etc.)

 

2. RPs should be able to make a determination based on their risk assessment
whether credentials based on data broker verification meet their needs.
FICAM could provide guidance on the pros and cons, and consider providing
granularity in levels of Identity Assurance reflecting the data sources
against which verification was performed.

 

Does that more or less reflect the discussion?

 

I didn't add this because we didn't discuss it, but what also occurred to me
is:

 

3. FICAM could declare that SSN is not an acceptable "valid current
government ID number" during remote identity proofing.  

 

NIST has persistently declined to clarify this issue, although the
conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP
800-63-2 does permit it.  Changing that would be huge, and I doubt a
suggestion to do so would clear the ARB, but I offer it for the sake of
completeness.

-

Scott

-- 
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.

sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793

