ANSI group calls for Identity Verification Standard
All - In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this: http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=2351 In the release they announce that the IDSP has produced a report calling for the development of a U.S. standard on identity verification. It looks like NASPO will pick up the ball from here. You can download the full IDSP report here: http://webstore.ansi.org/identitytheft/ NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields. I'll be interested to see how they incorporate other work like the IAF. - Trent -- J. Trent Adams =jtrentadams Profile: http://www.mediaslate.org/jtrentadams/ LinkedIN: http://www.linkedin.com/in/jtrentadams Twitter: http://twitter.com/jtrentadams
NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields.
Or one could ask a friend to forward it? Any IPR issues? R Richard G. WILSHER CEO the Zygma partnership LLC Office: +1 714 965 99 42 Mobile (USA): +1 714 797 99 42 Mobile (Eur): +44 77 68 05 41 58 RGW@Zygma.biz www.Zygma.biz -----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of J. Trent Adams Sent: 29 October 2009 21:22 To: community@kantarainitiative.org Subject: [Kantara - Community] ANSI group calls for Identity VerificationStandard All - In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this: http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=235 1
Jim McCabe of ANSI explained yesterday that ANSI wants to be able to record who downloads the document. -----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Richard G. WILSHER (Zygma) Sent: Thursday, October 29, 2009 6:08 PM To: community@kantarainitiative.org Subject: Re: [Kantara - Community] ANSI group calls for Identity VerificationStandard
NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields.
Or one could ask a friend to forward it? Any IPR issues? R Richard G. WILSHER CEO the Zygma partnership LLC Office: +1 714 965 99 42 Mobile (USA): +1 714 797 99 42 Mobile (Eur): +44 77 68 05 41 58 RGW@Zygma.biz www.Zygma.biz -----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of J. Trent Adams Sent: 29 October 2009 21:22 To: community@kantarainitiative.org Subject: [Kantara - Community] ANSI group calls for Identity VerificationStandard All - In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this: http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=235 1 _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community
This from Brett McDowell may help to provide at least part of the answer. http://kantarainitiative.org/wordpress/2009/10/ansi-identity-verification-st andards-good-fit-with-identity-assurance-framework/ Dan Combs -----Original Message----- From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of J. Trent Adams Sent: Thursday, October 29, 2009 5:22 PM To: community@kantarainitiative.org Subject: [Kantara - Community] ANSI group calls for Identity Verification Standard All - In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this: http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=235 1 In the release they announce that the IDSP has produced a report calling for the development of a U.S. standard on identity verification. It looks like NASPO will pick up the ball from here. You can download the full IDSP report here: http://webstore.ansi.org/identitytheft/ NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields. I'll be interested to see how they incorporate other work like the IAF. - Trent -- J. Trent Adams =jtrentadams Profile: http://www.mediaslate.org/jtrentadams/ LinkedIN: http://www.linkedin.com/in/jtrentadams Twitter: http://twitter.com/jtrentadams _______________________________________________ Community mailing list Community@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/community
As an active participant in the IDSP workshop meetings that produced this report, I'd like to offer a few observations about this effort. The report really does a couple of things. First off, it points out the problems with using "identity" documents such as birth certificates, driver's licenses, and social security cards for establishing a person's identity. Second, it proposes that guidelines are needed for the verification of a person's identity with high confidence, and that those guidelines should form the basis of an ANSI standard for identity verification. Finally, it proposes that a process be developed for implementing those guidelines. Although the report points out that practical methods for identity verification are needed at varying degrees of assurance, corresponding to the four NIST/OMB assurance levels, consider that the workgroup was made up of people representing organizations such as the Department of Homeland Security, Social Security Administration, Coalition for a Secure Driver's License, and American Association of Motor Vehicle Administrators, to name a few. These are folks who really want to know a person's "true" identity with a high degree of confidence. In other words, I think it's fair to say that the focus of this effort is to develop a standardized process for verification of a person's true identity at the highest assurance levels, with lesser emphasis on identity verification at the lower assurance levels. That's not a bad thing, because if you know how to verify someone's identity with very high assurance, you can probably just be less rigorous in some parts of the process, or skip over certain parts, resulting in a lower assurance verification. Section 4 of the report gets to the heart of the matter, and describes the conceptual approach for developing the identity verification process. The process is based on collecting various items of documentation and other information about a person, possibly from more than one source, and "adjudicating" whether the collected evidence sufficiently establishes a person's identity with the desired degree of assurance. Depending upon the type of information and documentation collected, the process could iterate between collecting supporting evidence, evaluating the evidence to see if it supports a particular claim of identity, and seeking additional evidence if the assurance level is not satisfied. For high assurance identity verification, this adjudication process will likely be sufficiently rigorous such that it may be impractical and time consuming to repeat it every time a person seeks to renew a driver's license, or get a copy of a birth certificate, or do anything else in the physical world for which someone's identity must be known with high confidence. So it might make sense to do it once for a given person, then issue that person a secure and trusted credential bound to the individual in some way, and which can be used to assert the verified identity, in different circumstances, with high assurance. In the online world, a new set of identity proofing criteria based on the adjudication process *could* be substantially different than the current identity proofing criteria specified in NIST 800-63 and the Kantara Identity Assurance Framework. Or the identity proofing criteria might just consist of authenticating, in some way, a secure, trusted credential issued on the basis of the new standardized adjudication process. Could a secure and trusted credential used in the physical world consist of a smart card containing a PKI certificate, and be used in the online world as well? That would essentially eliminate the need to do a separate identity proofing for the issuance of online digital credentials. There are some interesting possibilities and implications for high assurance digital identity credentials that arise from this effort. --------------------------- Bob Pinheiro Chair, Consumer Identity WG 908-654-1939 kantara@bobpinheiro.com www.bobpinheiro.com J. Trent Adams wrote:
All -
In case you're not following the Identity Theft Prevention and Identity Management Standards Panel (IDSP) at ANSI, you might've missed this:
http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=2351
In the release they announce that the IDSP has produced a report calling for the development of a U.S. standard on identity verification. It looks like NASPO will pick up the ball from here.
You can download the full IDSP report here:
http://webstore.ansi.org/identitytheft/
NOTE: You need to create an ANSI account to download it... with an unusually high number of required fields.
I'll be interested to see how they incorporate other work like the IAF.
- Trent
participants (4)
-
Bob Pinheiro -
Dan Combs -
J. Trent Adams -
Richard G. WILSHER (Zygma)