[KI-LC] Kantara Support For A National Identity Verification Standard??

Rich Furr rfurr at safe-biopharma.org
Fri Jun 25 07:30:08 EDT 2010

A list of questions I have submitted to the Health ID Assurance Working Group chair for the NASPO team:

1.       Since this work would seem to affect all the organizations at many levels of government (as noted in the IDSP Report some 6400 jurisdictions issuing over 14,000 different variations of birth certificates alone), what efforts are being taken to include these agencies in the development effort.  It is highly problematic, given the lack of uptake by just the States of RealID, to consider that many of these agencies will adhere to any eventual standard if they do not actively participate.  How does the development team propose to get around the issue of uptake and acceptance?

2.       According to the IDSP report, the National Association for Public Health Statistics and Information Systems is  developing security guidelines for the development and issuance of birth certificates (among others).  Is NAPHSI S included or participating in this effort?

3.       What is the status of the proposed rule making in support of the Intelligence Reform and Terrorism Prevention Act?  What steps will be taken to ensure the results of this work do not diverge from any results of such a rule?

4.       Is this team working with NAPHSIS to converge this effort with that of the Electronic Verification of Vital Events system?

5.       Given the failure of RealID, which was cited as "too prescriptive" by the National Governors Association and other organizations and the strong objections of the civil liberties community, how would NASPO and ANSI suggest the results of this effort overcome any such issues.  Also, if acceptance of the results are purely voluntary, what steps might be taken to enhance uptake since even Federal Law in this area has largely been ignored by other non-Federal agencies?

6.       Are any Federal or State agencies participating or providing funding?

7.       According to Section 3.4 of the IDSP Report:
A core project team was formed to take the work forward under the leadership of the
North American Security Products Organization (NASPO), an ANSI accredited
standards developing organization,16 and it has proceeded under NASPO leadership
since February 2009. The core project team includes representatives of AAMVA, the
Coalition for a Secure Drive, the Colorado Division of Motor Vehicles, DHS,
the General Services Administration, NAPHSIS, and the National Institute of Standards
and Technology, among others.
            Are these agencies/organizations still participating?  If not, why not?

Rich Furr
Head Global Regulatory Affairs and Compliance
New Office:  980-236-7576
Cell: 201-220-0160

From: lc-bounces at kantarainitiative.org [mailto:lc-bounces at kantarainitiative.org] On Behalf Of Colin Wallis
Sent: Thursday, June 24, 2010 10:27 PM
To: Kantara Leadership Council Kantara; Staff list
Subject: Re: [KI-LC] Kantara Support For A National Identity Verification Standard??

Ah yes I remember these IDSP docs now.

What they may end up with is something that resembles parts of NZ Gov's<http://www.dia.govt.nz/diawebsite.nsf/wpg_url/resource-material-evidence-of-identity-standard-index> or BC Canada's<http://www.cio.gov.bc.ca/local/cio/standards/documents/standards/evidence_of_identity_standard.pdf> (borrowed from/newer/better than ours) Evidence of Identity Standards.

You add to this, a document recognition handbook (along with training of course) for agency front counter staff to detect fake or tampered-with breeder docs and you begin to have something resembling a consistent approach/process/system of identity proofing.


From: John Bradley [mailto:jbradley at mac.com]
Sent: Friday, 25 June 2010 1:43 p.m.
To: Joni Brennan
Cc: Colin Wallis; Kantara Leadership Council Kantara; Staff list
Subject: Re: [KI-LC] Kantara Support For A National Identity Verification Standard??

Looking at their call for participation they restrict the $1,000 level to only non-profit  Organizations not representing ANY industry.

I suspect they will consider Kantara a trade organization.

This seems to be a very US specific peace of work to secure Birth certificates, Drivers Licences and Social Security Cards.

This link provides some background on ANSI's findings.

This looks to be a larger project than RealID involving multiple levels of Government.
I would want to better understand how the GSA, HHS and other government organizations who would be required to implement this are participating, and if it stands any chance of getting further the RealID.

They do have a point that in large measure the breeder documents DL, SSN, and Birth Certificate we recommend in the IAF are relatively easy to acquire fraudulently.    That's why other countries have NationalID issued at birth.

I am cautious, this could be a lot of work that may not get taken up for political reasons.

I do think it would be a good idea to have appropriate guidance on breeder  documents per jurisdiction for people participating in the IAF.

John B.

On 2010-06-24, at 6:29 PM, Joni Brennan wrote:

Kantara Initiative has 501 c6 Tax Status as a Program of the IEEE-ISTO.  As such we are a non-profit organization and the exact category is classified as 'Business League'.  We of course have the documents to prove the above and have done so for various other activities.  Given that Kantara Initiative would fall in to the 1k cost to participate.  So at least there's some clarity for you there.
On Thu, Jun 24, 2010 at 3:20 PM, Colin Wallis <Colin.Wallis at dia.govt.nz<mailto:Colin.Wallis at dia.govt.nz>> wrote:
Thanks Bob

Some comments inline after further thought following the LC call.


From: Bob Pinheiro [mailto:kantara at bobpinheiro.com<mailto:kantara at bobpinheiro.com>]
Sent: Tuesday, 22 June 2010 3:54 p.m.
To: Colin Wallis
Cc: Kantara Leadership Council Kantara; Kantara Staff list
Subject: Re: [KI-LC] Kantara Support For A National Identity Verification Standard??


If I'm not mistaken, OMB0404 only addresses the four assurance levels; it's NIST 800-63 that specifies criteria for identity proofing at the various assurance levels.  But that document was strictly intended only for US government relying parties.  There has been discussion in IAWG about how to do identity proofing when different jurisdictions are involved, so I guess there really is no standard.
<<CW: Well, I think you characterize OMB0404 a little too simply, since the approach to risk is the fundamental basis that drives the subsequent identity proofing and credential issuance/usage processes, but no matter. And while you are technically correct regards NIST, I would contend that is has become a de facto standard, since so many other jurisdictions have copied it or have profiled it.  I am really pleased IAWG has had the discussion about Id proofing when different jurisdictions are involved because they are absolutely right. No pan jurisdiction federation can take place until there is sufficient trust amongst governments that their respective identity proofing processes are up to scratch. So while the eGov WG has the eGov Profile for SAML sufficiently constrained to see pan jurisdiction federation possible at the interop level technically, it may languish for some years waiting for the ID proofing process side to catch up, because id proofing becomes the weakest link in the chain.>>

I understand that the goal is to develop an ANSI standard for identity verification, but there may also be much international interest as well.  Whether that would translate into a further effort to develop some sort of international standard, I can't say.
<<CW: It certainly is a worthy goal, but international adoption/interest may be better achieved by using an international forum in which to develop it.  And let's not kid ourselves. It will be darn difficult because different jurisdictions have different breeder/authoritative documents. But with sufficient mapping, it may be possible.  So if ANSI is going to start with the US situation and US breeder docs but later move to an international stage, it needs to structure the standard such that it is flexible to include a different set of breeder docs from a different jurisdiction>>.

An organization can be a Sponsor at a cost of $25K per year (with no obligation to actually participate in the development of any standard), or can be a participating member expected to contribute to the work effort.  For that level of commitment, I don't know if NASPO would consider KI to be a non-profit at $1000 per year, or a trade association at $3000 per year.
<<CW: Not my call but KI's 501C 6 status should help>>

One of the motivations for this effort is the US government's (newly renamed) National Strategy for Trusted Identities in Cyberspace.  It's hard to see how you can have a "trusted identity" online without some standardized way to verify someone's identity in the first place.  On the other hand, I can see where someone's "identity" may mean different things to different types of relying parties, which may also imply different trust frameworks for different "trust communities."
<<CW: All true, and I agree with everything you say here>>.

<<CW: So KI is left in an interesting position.  In an ideal world, it would be better to bring the work to KI, or OASIS or ISO..where it is (more) politically neutral (you recall that this is what we said in our comments to the White House in the NSTIC).  So to support this effort in NASPO, we are actually not supporting our stated position. On the other hand, it may be perceived as churlish not to support the effort in NASPO, especially if we think the effort will succeed, and the outputs from this standard find their way into the IAF in future in some way shape or form.  In which case we are cutting off our nose despite our face by not supporting it.  Decisions decisions....>>


On 6/21/2010 6:23 PM, Colin Wallis wrote:
Thanks Bob

A couple of thoughts to start us off with..

1) Is there really no standard in the US for this?  For the NZ government's Evidence of Identity standard, we relied heavily on the US Gov's OMB M 04 04. I guess one could say that's not a standard but...

2) I can see how there is a gap, in the sense that the identity proofing process in the IAF and indeed in the proposed ISO 29115 are kind of deployment profiles of this standard, if it were manifested...

3) Given KI is a global organisation, are we comfortable that we are not creating a precedent that will be impossible to continue with, (the flip side being that there is a large US influence in the IAF and 29115 so it is a worthy exception)

4) Without trying to pre-empt or pre judge any decision, is it your sense that KI might want to participate as a non-profit at $1,000 per annum?


From: lc-bounces at kantarainitiative.org<mailto:lc-bounces at kantarainitiative.org> [mailto:lc-bounces at kantarainitiative.org] On Behalf Of Bob Pinheiro
Sent: Tuesday, 22 June 2010 9:52 a.m.
To: Kantara Leadership Council Kantara
Cc: Kantara Staff list
Subject: [KI-LC] Kantara Support For A National Identity Verification Standard??

As part of my efforts to determine whether there's any external interest in the Consumer Identity WG's project plan, I recently spoke with Tom Lockwood, who is one of the drivers of the government's National Strategy for Trusted Identities in Cyberspace, and Graham Whitehead of NASPO.  You may have seen the email and attached Call for Participation from ANSI IDSP (below), announcing that NASPO is commencing development of an American National Standard for Identity Verification.

The need for a standardized identity verification/proofing process is well known, and Tom mentioned that several people associated with Kantara (Brett, when he was ED, and Frank V. on behalf of IAWG) expressed to him that Kantara supports such an effort.  Others as well, in particular members of the financial services community, have also expressed interest.

However, the reality is that NASPO will not be able to pursue this work unless it can secure adequate funding, and also recruit enough "warm bodies" to actually participate in the effort.  Since there was some expression of interest and support by Kantara participants/members, I volunteered to find out whether this might translate into financial support, and whether anyone representing Kantara might want to participate in the actual development of the identity verification standard.

The attached Call for Participation describes the various levels of financial support that is being requested.  I'd like to propose that the question of whether Kantara can provide financial support for the development of an identity verification standard by NASPO be submitted to the Board of Trustees for their consideration.

Although I'm specifically addressing possible financial support by Kantara, NASPO would certainly be grateful for a commitment of financial support and participation by any other organization as well, including individual Kantara member organizations.

As noted below, an initial meeting of those making a commitment to this effort is planned for July 12-13 in Kansas City.  So if there is any possibility that Kantara might be able to contribute to this effort, the BoT should probably take up this matter fairly soon.



Bob Pinheiro

Chair, Consumer Identity WG


kantara at bobpinheiro.com<mailto:kantara at bobpinheiro.com>


-------- Original Message --------

ID-V Standard Kick-Off Meeting & Call for Participation


Wed, 16 Jun 2010 10:10:03 -0400


James McCabe <jmccabe at ANSI.ORG><mailto:jmccabe at ANSI.ORG>


James McCabe <jmccabe at ANSI.ORG><mailto:jmccabe at ANSI.ORG>



Dear IDSP participants,

The purpose of this eMail is to let you know that a meeting to commence development of a national identity verification standard will take place on July 12 and 13, 2010 in Kansas City. The meeting will start at 1:00pm on Monday July 12 and end on Tuesday July 13 at 4:30pm. The meeting will be held in Pavilion 3 at the :-

InterContinental Kansas City at the Plaza
401 Ward Parkway
Kansas City, MO

A block of rooms has been reserved at the hotel for the nights Sunday, July 11 through to Wednesday  July 14,  at a rate of $139.00 per night.

To make your reservation please call toll free 866 856 9717 and reference the NASPO rate (NAS), or you can book online at www.kansascityic.com<http://www.kansascityic.com/> <http://www.kansascityic.com<http://www.kansascityic.com/>> and use the code NAS.

Hotel reservations should be made on or before   June 21, 2010 after which time rooms will be released for general reservations.  More information about the hotel can be found at http//:www.kansascityic.com<http://www.kansascityic.com/>

The required fee for participation in the development of this standard is detailed in the attached "ID-V Call for Participation"document. Individuals and organizations who wish to participate in the development process and attend this first meeting, must register to participate and commit to payment of the participation fee in advance of attendance at the meeting. Opportunities to benefit from the payment of  a sponsorship fee are also detailed in the attachment.

For further information please contact :-

Ann Whitehead
NASPO Administrator
Tel: (604) 921-9196
eMail: naspo at telus.net

Best regards,

Jim McCabe
Senior Director, Consumer Relations and IDSP
American National Standards Institute
25 West 43rd Street, 4th Floor
New York, NY  10036  U.S.A.
1-212-642-8921; Fax: 1-212-840-2298
jmccabe at ansi.org<mailto:jmccabe at ansi.org>
World Standards Week 2010<http://www.ansi.org/wsweek>
September 21-24, Arlington, VA

CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.

CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.

LC mailing list
LC at kantarainitiative.org<mailto:LC at kantarainitiative.org>

Joni Brennan
Kantara Initiative
Managing Director
voice:+1 732-226-4223
email: joni @ ieee-isto.org<http://ieee-isto.org/>
gtalk: jonibrennan
skype: upon request

Join the conversation on the community@ list - http://kantarainitiative.org/mailman/listinfo/community

LC mailing list
LC at kantarainitiative.org<mailto:LC at kantarainitiative.org>

CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/lc/attachments/20100625/207f1e1d/attachment-0001.html 

More information about the LC mailing list