To get a sense of how deep and tangled the discussions could go, browse through some of the issues in the GitHub repo for the NIST 800-63-3 update project public comments. It's an example of the necessary heavy lifting that goes on with development of this kind of material. However, it's not the approach we have been working with...
I think that if we can stay as close to the taxonomy of knowledge versus the body content, we can avoid many issues.
In the context of "what is an ID Pro expected to know", I think that as a start, they need to know:
- that certain concepts and terms exist, and some of the typical usages and contexts (entity, identity, authentication, and so on)
- that there are life cycles for different classes of things and processes to manage (identity record, authentication record, credential, authenticator, and so on)
- there's at least one information life cycle with phases that can be taken from the information management knowledge domain
- that there are technology and architecture approaches that match up with specific groups of concepts. And for those there are best practices or emerging practices.
and other things of course.
It's very tempting to have deep discussions :)