[WG-IDAssurance] Updates to my comments
richard.furr at verizon.com
Sat Dec 7 09:59:17 CST 2013
It would certainly be worth knowing that and if so that should be included in comments.
I wonder why FICAM is pointing to the draft NASPO/ANSI ID verification standard when ISO 29003, Identity Proofing, already exists and is used internationally. Please, how are IdP/CSPs supposed to play in all these sandboxes??
Identity, Regulatory Affairs, Audit, and Compliance Consultant
Verizon Enterprise Solutions
From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Coderre, Mark
Sent: Friday, December 06, 2013 5:57 PM
To: 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments
Aren't there a myriad of state laws that would prohibit using SSN purely for correlation?
From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Scott Shorter
Sent: Friday, December 06, 2013 1:57 PM
To: Andrew Hughes; IA WG
Subject: [WG-IDAssurance] Updates to my comments
Updates to a few comments based on today's call. The "IAWG let's discuss on Friday" comment is now:
1. Clarify the distinction between identity proofing and identity resolution, the attribute verification requirements for each, and when those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as attribute providers, RPs during account linking and problem resolution, etc.)
2. RPs should be able to make a determination based on their risk assessment whether credentials based on data broker verification meet their needs. FICAM could provide guidance on the pros and cons, and consider providing granularity in levels of Identity Assurance reflecting the data sources against which verification was performed.
Does that more or less reflect the discussion?
I didn't add this because we didn't discuss it, but what also occurred to me is:
3. FICAM could declare that SSN is not an acceptable "valid current government ID number" during remote identity proofing.
NIST has persistently declined to clarify this issue, although the conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP 800-63-2 does permit it. Changing that would be huge, and I doubt a suggestion to do so would clear the ARB, but I offer it for the sake of completeness.
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.
sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793