[WG-IDAssurance] Updates to my comments

Colin Wallis colin_wallis at hotmail.com
Sun Dec 8 02:47:33 CST 2013

Sloooow down there, Rich.29003 is only at 3rd Working Draft and has a long way to go before prime time, maybe 2016 before it is an IS. 29115 Entity Authentication Assurance Framework, and its close cousin from ITU-T, x.1254 is the basis which motivated the development of 29003.
But sure, it would be helpful if all TF's worked with a common one. Doubting that they all will ever be on the same page at the same time, Kantara is in a tricky situation to support the needs of its RPs. As an international org, using an international standard would seem to be obvious. But serving the needs in an RP's particular jurisdiction, say the US with FICAM, may mean keeping aligned with both an IS and US standards. I think an RP will have to judge each case/context on its merits, to know which sandbox or combination of sandboxes it needs to play in.. :-).

From: richard.furr at verizon.com
To: CoderreM at aetna.com; sshorter at electrosoft-inc.com; andrewhughes3000 at gmail.com; wg-idassurance at kantarainitiative.org
Date: Sat, 7 Dec 2013 10:59:17 -0500
Subject: Re: [WG-IDAssurance] Updates to my comments

It would certainly be worth knowing that and if so that should be included in comments. Also, I wonder why FICAM is pointing to the draft NASPO/ANSI ID verification standard when ISO 29003, Identity Proofing already exists and is used internationally.  Please, how are IdP/CSPs supposed to play in all these sandboxes?? Rich FurrIdentity, Regulatory Affairs, Audit, and Compliance ConsultantVerizon Enterprise Solutions704-575-1680 From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Coderre, Mark
Sent: Friday, December 06, 2013 5:57 PM
To: 'Scott Shorter'; 'Andrew Hughes'; 'IA WG'
Subject: Re: [WG-IDAssurance] Updates to my comments Aren’t there a myriad of state laws that would prohibit using SSN purely for correlation? From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Scott Shorter
Sent: Friday, December 06, 2013 1:57 PM
To: Andrew Hughes; IA WG
Subject: [WG-IDAssurance] Updates to my comments Hi all, Updates to a few comments based on today's call.  The "IAWG let's discuss on Friday" comment is now: 1. Clarify the distinction between identity proofing and identity resolution, the attribute verification requirements for each, and when those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as attribute providers, RPs during account linking and problem resolution, etc.) 2. RPs should be able to make a determination based on their risk assessment whether credentials based on data broker verification meets their needs.  FICAM could provide guidance on the pros and cons, and consider providing granularity in levels of Identity Assurance reflecting the data sources against which verification was performed. Does that more or less reflect the discussion? I didn't add this because we didn't discuss it, but what also occurred to me is: 3. FICAM could declare that SSN is not an acceptable "valid current government ID number" during remote identity proofing.   NIST has persistently declined to clarify this issue, although the conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP 800-63-2 does permit it.  Changing that would be huge, and I doubt a suggestion to do so would clear the ARB, but I offer it for the sake of completeness.-Scott-- 
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna 
WG-IDAssurance mailing list
WG-IDAssurance at kantarainitiative.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20131208/5c1b86a9/attachment.html>

More information about the WG-IDAssurance mailing list