[WG-IDAssurance] Updates to my comments

Furr, Richard richard.furr at verizon.com
Sun Dec 8 10:54:27 CST 2013


Thanks, as noted in my reply to Colin Wallis, good to have a sanity check every now and then. The wonderful world of standards!!! :)

Rich Furr
Identity, Regulatory Affairs, Audit, and Compliance Consultant
Verizon Enterprise Solutions
704-575-1680

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Richard G. WILSHER (Zygma CEO)
Sent: Sunday, December 08, 2013 11:41 AM
To: 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments

Rich,

In-line.

Richard.

Richard G. WILSHER
Founder & CEO
O:  +1 714 965 99 42
M: +1 714 797 99 42
E:   RGW at Zygma.biz
W:  www.Zygma.biz

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Furr, Richard
Sent: Saturday, 7 December, 2013 15:59
To: Coderre, Mark; 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments

It would certainly be worth knowing that and if so that should be included in comments.

Also,

I wonder why FICAM is pointing to the draft NASPO/ANSI ID verification standard when ISO 29003, Identity Proofing already exists and is used internationally.
>>RGW:  Good question in principle, but who do you know is using IS29003?  It is presently at Working Draft 2, requires a LOT of work (600+ comments to dispose - the last editing session was not a pretty sight) and I suspect it will take another 2 yrs to achieve Final Draft stage.

Please, how are IdP/CSPs supposed to play in all these sandboxes??
>>RGW:  They contribute through their National Bodies (the US' is INCITS/CS1) if they want to have a vote at the national level, and their NB will have a vote at the ISO JTC 1/SC 27/WG 5 level;  they can also contribute via Kantara which has a liaison status with SC27 (and this has, I think, been reasonably well notified through the IAWG list), but liaison bodies do not get to vote during editing sessions.

Rich Furr
Identity, Regulatory Affairs, Audit, and Compliance Consultant
Verizon Enterprise Solutions
704-575-1680

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Coderre, Mark
Sent: Friday, December 06, 2013 5:57 PM
To: 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments

Aren't there a myriad of state laws that would prohibit using SSN purely for correlation?

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Scott Shorter
Sent: Friday, December 06, 2013 1:57 PM
To: Andrew Hughes; IA WG
Subject: [WG-IDAssurance] Updates to my comments

Hi all,

Updates to a few comments based on today's call.  The "IAWG let's discuss on Friday" comment is now:

1. Clarify the distinction between identity proofing and identity resolution, the attribute verification requirements for each, and when those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as attribute providers, RPs during account linking and problem resolution, etc.)

2. RPs should be able to make a determination based on their risk assessment whether credentials based on data broker verification meet their needs. FICAM could provide guidance on the pros and cons, and consider providing granularity in levels of Identity Assurance reflecting the data sources against which verification was performed.

Does that more or less reflect the discussion?

I didn't add this because we didn't discuss it, but what also occurred to me is:

3. FICAM could declare that SSN is not an acceptable "valid current government ID number" during remote identity proofing.

NIST has persistently declined to clarify this issue, although the conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP 800-63-2 does permit it.  Changing that would be huge, and I doubt a suggestion to do so would clear the ARB, but I offer it for the sake of completeness.
-
Scott
--
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.
sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793