As an active participant in the IDSP workshop meetings that produced this report, I'd like to offer a few observations about this effort. The report really does a couple of things. First off, it points out the problems with using "identity" documents such as birth certificates, driver's licenses, and social security cards for establishing a person's identity. Second, it proposes that guidelines are needed for the verification of a person's identity with high confidence, and that those guidelines should form the basis of an ANSI standard for identity verification. Finally, it proposes that a process be developed for implementing those guidelines.

Although the report points out that practical methods for identity verification are needed at varying degrees of assurance, corresponding to the four NIST/OMB assurance levels, consider that the workgroup was made up of people representing organizations such as the Department of Homeland Security, Social Security Administration, Coalition for a Secure Driver's License, and American Association of Motor Vehicle Administrators, to name a few. These are folks who really want to know a person's "true" identity with a high degree of confidence. In other words, I think it's fair to say that the focus of this effort is to develop a standardized process for verification of a person's true identity at the highest assurance levels, with lesser emphasis on identity verification at the lower assurance levels. That's not a bad thing, because if you know how to verify someone's identity with very high assurance, you can probably just be less rigorous in some parts of the process, or skip over certain parts, resulting in a lower assurance verification.

Section 4 of the report gets to the heart of the matter, and describes the conceptual approach for developing the identity verification process. The process is based on collecting various items of documentation and other information about a person, possibly from more than one source, and "adjudicating" whether the collected evidence sufficiently establishes a person's identity with the desired degree of assurance. Depending upon the type of information and documentation collected, the process could iterate between collecting supporting evidence, evaluating the evidence to see if it supports a particular claim of identity, and seeking additional evidence if the assurance level is not satisfied.

For high assurance identity verification, this adjudication process will likely be sufficiently rigorous such that it may be impractical and time consuming to repeat it every time a person seeks to renew a driver's license, or get a copy of a birth certificate, or do anything else in the physical world for which someone's identity must be known with high confidence. So it might make sense to do it once for a given person, then issue that person a secure and trusted credential bound to the individual in some way, and which can be used to assert the verified identity, in different circumstances, with high assurance.

In the online world, a new set of identity proofing criteria based on the adjudication process *could* be substantially different than the current identity proofing criteria specified in NIST 800-63 and the Kantara Identity Assurance Framework. Or the identity proofing criteria might just consist of authenticating, in some way, a secure, trusted credential issued on the basis of the new standardized adjudication process. Could a secure and trusted credential used in the physical world consist of a smart card containing a PKI certificate, and be used in the online world as well? That would essentially eliminate the need to do a separate identity proofing for the issuance of online digital credentials.

There are some interesting possibilities and implications for high assurance digital identity credentials that arise from this effort.

---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
kantara@bobpinheiro.com
www.bobpinheiro.com

J. Trent Adams wrote:
All -
In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this:
http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=2351
In the release they announce that the IDSP has produced a report calling for the development of a U.S. standard on identity verification. It looks like NASPO will pick up the ball from here.
You can download the full IDSP report here:
http://webstore.ansi.org/identitytheft/
NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields.
I'll be interested to see how they incorporate other work like the IAF.
- Trent