<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Arial","sans-serif";
        color:#1F497D;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks, as noted in my reply to Colin Wallis, good to have&nbsp; a sanity check every now and then.&nbsp; The wonderful world of standards!!! </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rich Furr<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:black'>Identity, Regulatory Affairs, Audit, and Compliance Consultant<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:black'>Verizon Enterprise Solutions<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>704-575-1680<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> wg-idassurance-bounces@kantarainitiative.org [mailto:wg-idassurance-bounces@kantarainitiative.org] <b>On Behalf Of </b>Richard G. WILSHER (Zygma CEO)<br><b>Sent:</b> Sunday, December 08, 2013 11:41 AM<br><b>To:</b> 'IA WG'<br><b>Subject:</b> Re: [WG-IDAssurance] Updates to my comments<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rich,</span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In-line.<br><br>Richard.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#365F91'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#2A577D'>Richard G. WILSHER<br>Founder &amp; CEO<br><img width=108 height=44 id="Picture_x0020_2" src="cid:image001.jpg@01CEF40C.3EC44C80" alt="cid:image001.jpg@01CEC9E9.E9D38700"><br>O:&nbsp; +1 714 965 99 42<br>M: +1 714 797 99 42<br>E:</span></b><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#365F91'> &nbsp;&nbsp;</span></b><a href="mailto:RGW@Zygma.biz"><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif"'>RGW@Zygma.biz</span></b></a><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#365F91'><br></span></b><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#2A577D'>W:</span></b><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#365F91'> </span></b><b><span style='font-size:6.0pt;font-family:"Calibri","sans-serif";color:#365F91'>&nbsp;</span></b><a href="http://www.zygma.biz/"><b><span style='font-size:8.0pt;font-family:"Calibri","sans-serif"'>www.Zygma.biz</span></b></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:wg-idassurance-bounces@kantarainitiative.org">wg-idassurance-bounces@kantarainitiative.org</a> [<a href="mailto:wg-idassurance-bounces@kantarainitiative.org">mailto:wg-idassurance-bounces@kantarainitiative.org</a>] <b>On Behalf Of </b>Furr, Richard<br><b>Sent:</b> Saturday, 7 December, 2013 15:59<br><b>To:</b> Coderre, Mark; 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'<br><b>Subject:</b> Re: [WG-IDAssurance] Updates to my comments<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It would certainly be worth knowing that and if so that should be included in comments.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Also,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I wonder why FICAM is pointing to the draft NASPO/ANSI ID verification standard when ISO 29003, Identity Proofing already exists and is used internationally.<br>&gt;&gt;RGW:&nbsp; Good question in principle, but who do you know is using IS29003?&nbsp; It is presently at Working Draft&nbsp;2, requires a LOT of work (600+ comments to dispose &#8211; the last editing session was not a pretty sight) and I suspect it will take another 2 yrs to achieve Final Draft stage.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Please, how are IdP/CSPs supposed to play in all these sandboxes??<br>&gt;&gt;RGW:&nbsp; They contribute through their National Bodies (the US&#8217; is INCITS/CS1) if they want to have a vote at the national level, and their NB will have a vote at the ISO JTC 1/SC 27/WG 5 level;&nbsp; they can also contribute via Kantara which has a liaison status with SC27 (and this has, I think, been reasonably well notified through the IAWG list), but liaison bodies do not get to vote during editing sessions.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rich Furr<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:black'>Identity, Regulatory Affairs, Audit, and Compliance Consultant<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:black'>Verizon Enterprise Solutions<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>704-575-1680<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:wg-idassurance-bounces@kantarainitiative.org">wg-idassurance-bounces@kantarainitiative.org</a> [<a href="mailto:wg-idassurance-bounces@kantarainitiative.org">mailto:wg-idassurance-bounces@kantarainitiative.org</a>] <b>On Behalf Of </b>Coderre, Mark<br><b>Sent:</b> Friday, December 06, 2013 5:57 PM<br><b>To:</b> 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'<br><b>Subject:</b> Re: [WG-IDAssurance] Updates to my comments<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Aren&#8217;t there a myriad of state laws that would prohibit using SSN purely for correlation?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:wg-idassurance-bounces@kantarainitiative.org">wg-idassurance-bounces@kantarainitiative.org</a> [<a href="mailto:wg-idassurance-bounces@kantarainitiative.org">mailto:wg-idassurance-bounces@kantarainitiative.org</a>] <b>On Behalf Of </b>Scott Shorter<br><b>Sent:</b> Friday, December 06, 2013 1:57 PM<br><b>To:</b> Andrew Hughes; IA WG<br><b>Subject:</b> [WG-IDAssurance] Updates to my comments<o:p></o:p></span></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><div><p class=MsoNormal>Hi all,<o:p></o:p></p><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>Updates to a few comments based on today's call. &nbsp;The &quot;IAWG let's discuss on Friday&quot; comment is now:<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><blockquote style='margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal>1. Clarify the distinction between identity proofing and identity resolution, the attribute verification requirements for each, and when those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as attribute providers, RPs during account linking and problem resolution, etc.)<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>2. RPs should be able to make a determination based on their risk assessment whether credentials based on data broker verification meets their needs. &nbsp;FICAM could provide guidance on the pros and cons, and consider providing granularity in levels of Identity Assurance reflecting the data sources against which verification was performed.<o:p></o:p></p></div></div></blockquote></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>Does that more or less reflect the discussion?<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>I didn't add this because we didn't discuss it, but what also occurred to me is:<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><blockquote style='margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=MsoNormal>3. FICAM could declare that SSN is not an acceptable &quot;valid current government ID number&quot; during remote identity proofing. &nbsp;<o:p></o:p></p></div></blockquote><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>NIST has persistently declined to clarify this issue, although the conspicuous lack of the term &quot;picture ID&quot; in column 2 of Table 3 of SP 800-63-2 does permit it. &nbsp;Changing that would be huge, and I doubt a suggestion to do so would clear the ARB, but I offer it for the sake of completeness.<o:p></o:p></p></div><div><p class=MsoNormal>-<o:p></o:p></p></div><div><p class=MsoNormal>Scott<o:p></o:p></p></div><div><div><p class=MsoNormal>-- <br>Scott Shorter,&nbsp;Principal Security Engineer, Electrosoft Services Inc.<o:p></o:p></p><div><p class=MsoNormal><a href="mailto:sshorter@electrosoft-inc.com" target="_blank">sshorter@electrosoft-inc.com</a>&nbsp;O: 703-437-9451 x21 M: 240-994-7793<o:p></o:p></p></div></div></div></div><p class=MsoNormal>This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna <o:p></o:p></p></div></body></html>