[WG-IDAssurance] Remote Public Identity Proofing and cross-border Evidence checks

Richard G. WILSHER (Zygma CEO) RGW at Zygma.biz
Mon Dec 23 19:51:30 CST 2013


Colin,  I absolutely agree with you – I too do not think you have the
answer, so we can at least start off from a position of complete agreement,
and decay gracefully from there.  ;-)



Having taken a cursory scan through Keesing’s web site, it seems that their
technology requires that the physical document be present – right?  Since it
is unlikely that someone would submit their physical documents for a remote
id proofing, especially sending them to a foreign (to the subject) country,
I’m having trouble seeing where these solutions help in the circumstances
where Björn has his concerns, though they could potentially be valuable
tools in support of rigorous in-person id verification.  One element which
Keesing describes which could (stress – could) be useful is their
‘Documentchecker ID’, which appears to be descriptive guidance on what to
check for (a few thousand) specific doc types.  Hence, to the extent that a
good quality image of the Applicant’s id documents was provided, one might
possibly be able to do some first-line verification.  Nevertheless,
reference to a reliable issuing source (what WDIS29003 is calling a Source
of Authority) would still, imv, be essential if any decent assurance is
being sought.

 

Björn, I don’t think there IS any alternative interpretation.  You have
understood it as it is intended.  You will notice that at AL3 there is also
a requirement to verify id docs against a Source of Authority even when
performing in-person IdPV (RPV#010), i.e. that is the process for the
additional in-person rigour at AL3 vs. AL2.  At AL2, it is deemed
permissible to not require that check for in-person IdPV, bcasue it is
assumed that the RA function is able to competently verify the documents by
physical inspection, plus match the applicant’s facial features to the image
on the tendered docs. 

 

While I am sympathetic to the problem, I don’t see any immediate way out.
These requirements are there to ensure sufficient rigour in the IdPV.  Go
below them and by default you step down to the AL below (or worse, depending
what is required at the next-lower level, perhaps even lower).  There MAY be
a case for subcontracting the service to a provider in the country from
which the docs originate, but the immediate question then is ‘what is the
status of that service provider?’.  Unless they were also KI-Approved, or
approved by a TFP with which KI had a mutual recognition arrangement, I
don’t think one could assume anything, given the significance of the checks
being performed – there is no alternative and no waiver would be justified
whilst maintaining the target AL (personal opinion, not definitive Kantara
position).  I also recognize that whilst that may be manageable for a small
number of other jurisdictions, it becomes a major undertaking to cover any
significant number of ‘other’ countries.

 

Anyway, don’t let this give you indigestion over the next few days.  Merry
Christmas to one and all, and look on the bright side – the days are getting
longer (well, sorry Colin, for the majority of Kantara members they are, but

  ;-).

cid:image002.gif at 01CEFCD4.39305C20

 

Richard G. WILSHER
Founder & CEO
cid:image001.jpg at 01CEC9E9.E9D38700
1993 - Twenty years of independent operations – 2013

O:  +1 714 965 99 42
M: +1 714 797 99 42
E:    <mailto:RGW at Zygma.biz> RGW at Zygma.biz
W:   <http://www.zygma.biz/> www.Zygma.biz

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Colin
Wallis
Sent: Monday, 23 December, 2013 01:52
To: Björn Sjöholm; wg-idassurance at kantarainitiative.org
Subject: Re: [WG-IDAssurance] Remote Public Identity Proofing and
cross-border Evidence checks

 

I may not have understood the question completely and nor do I think I have
the answer, but maybe this will help.
 
I agree it may be 'more or less impossible' right now, but in time, with pan
jurisdiction federation it won't be.
 
One way to help mitigate the risks here is to use  a service like Keesing
https://keesingreferencesystems.com/
At least that would help determine if the presented document was fraudulent.
Of course it is relying on the docs, not the authoritative source, but as I
say..step in the right direction.
 
I can see that in-person means you have the 'presenter links' to the
identity principle covered (in NZ EOI standard parlance). you don't have
that ability with remote proofing, hence the referencing records..maybe..
:-)
 
Cheers
Colin 
 

> Date: Sun, 22 Dec 2013 14:48:28 +0100
> From: bear at europoint.se
> To: wg-idassurance at kantarainitiative.org
> Subject: [WG-IDAssurance] Remote Public Identity Proofing and cross-border
Evidence checks
> 
> Hello,
> 
> I have a question and comment on 5.2.2.4 Remote Public Identity Proofing.
> 
> We are trying to apply the requirements (AL2_ID_RPV#020 Evidence checks, 
> specifically) on a scenario where the applicant is a in another country 
> or even on another continent. The requirement to inspect and analyse the 
> collected records against the issuing authorities/institutions or 
> similar databases becomes more or less impossible if the service wants 
> to support a lot of/all countries. Access to the database for a 
> Government issues ID in any/all countries is difficult task.
> 
> For a In-Person Public Identity Proofing, there is no requirement to 
> reference check the records for the ID. I realize that that scenario is 
> based on a stronger identification, but the requirement to reference the 
> records in the remote scenario still does not feel proportional.
> 
> Does anyone have any comment on this, or a alternative interpretation?
> 
> Regards,
> Björn Sjöholm
> 
> -- 
> Björn Sjöholm, M.Sc. <bear at europoint.se>
> CISSP, CISA, CISM, CGEIT, CRISC, QSA (P2PE), PA-QSA
> Europoint Networking AB, www.europoint.se
> Phone +46 18 183030, Mobile +46 705 220110
> 
> _______________________________________________
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-idassurance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20131224/2dfbe75d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 8258 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20131224/2dfbe75d/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 2113 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20131224/2dfbe75d/attachment-0001.jpg>


More information about the WG-IDAssurance mailing list