Both of you are right - 800-63-3 does have a pretty good definition of terms.

However, stating that a vocabulary for expressing Levels of Assurance doesn't really exist. But mostly because (I think) it's not a valid way to describe it.

LoAs are related to requirements and implemented controls - and as such what 'makes up' an LoA can be (and is) defined. But it's not a vocabulary of terms and definitions.

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


On Wed, Apr 12, 2017 at 7:54 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi Sarah,

That is fantastic news... Did I properly characterize the current state? I welcome corrections if I was wrong.

John

John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Wed, Apr 12, 2017 at 9:53 AM, Sarah Squire <sarah@engageidentity.com> wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/

Sarah Squire
Engage Identity

On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi,

The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary; life would be nice if it did. As such, everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful for driving interoperability, but it is done out of desperation.

The sticky part is that although NIST 800-63 defines categories, they recognize that there are still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring a vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.

Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare, not including actual treatment...) have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.

John


On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com> wrote:

Interesting document.  The healthcare space has two primary communities of actors: the healthcare provider and the patient.

Healthcare providers are physicians, therapists, nurses, etc. As such they are typically licensed to practice, and they are employees of or credentialed by a hospital or similar organization to provide their services at certain facilities. As such these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.

Patients, on the other hand, range in age from birth to >100 yrs. old, may or may not have an email address, and certainly aren't credentialed to be a patient, nor do they have a national ID number (at least not in the U.S.).


The Align Biopharma "standard" makes sense for providers working in life sciences, since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.


Catherine Schulten
Direct: 954-290-1991


From: Chris Phillips [mailto:Chris.Phillips@canarie.ca]
Sent: Wednesday, April 12, 2017 10:19 AM
To: dg-idpro@kantarainitiative.org; Catherine Schulten <catherine.schulten@lifemedid.com>
Subject: Re: [DG-IDPro] the need to develop a common vocabulary


Speaking of a 'common lexicon' here's one in the biopharma space fresh off the press (I think):


I haven't clicked through the non-standard T&Cs clickwrap around it, however. Looks like they want to not be encumbered with restrictions on comments back?

Looks like the word 'standard' may be more opinion than fact. Hard to tell.


Catherine, inferring from the lifemedid.com domain, this sounds like an area your organization may circulate in.


Thoughts on how it informs things in the idPro space and the approach to common vocabulary?


C


From: <dg-idpro-bounces@kantarainitiative.org> on behalf of Catherine Schulten <catherine.schulten@lifemedid.com>
Date: Wednesday, April 12, 2017 at 10:04 AM
To: "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org>
Subject: [DG-IDPro] the need to develop a common vocabulary


Found this relevant paragraph in some research I was doing. The following is from a NIST workshop held in Jan 2016:


Develop a common lexicon. Many participants identified a lack of standardized terminology regarding identity proofing processes and functions. For example, some attendees used the term “verification” while others preferred “validation” for the same process. For the purposes of NIST’s work, attendees suggested a common vocabulary should be developed to help ensure consistency in the framework and across communities, and that the taxonomy be aligned to the best extent possible with existing schemes.


http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf


Catherine Schulten
VP of Product Management - OrangeHook, Inc. / LifeMed ID
3009 Douglas Blvd., STE 200, Roseville, CA  95661

Direct: 954-290-1991



_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro

