Andrew / All,

Does the addition of the "Credible Source" in 800-63-4 reduce the burden when validating identity evidence? The allowance of 1 STRONG / 1 FAIR certainly seems to reduce the scale of the problem since there are only 2 pieces to validate.

Scott Jones
Group Product Manager
85 10th Avenue, 9th Floor | New York, NY 10011
On Fri, Jun 28, 2024 at 11:35 AM Andrew Hughes <andrewhughes3000@gmail.com> wrote:

Thanks for this Jimmy - it's the long-standing major flaw in the 800-63-3 'collections of evidence' - everyone knows about it, but nobody has been able to convince the NIST maintainers that they should fix the problem. I and others have been muttering, complaining, pointing out, commenting about invalid requirements like this forever.

There is no way to resolve this issue within the current documentary-evidence structure of 800-63. The underlying assumption that "proofing organizations" have total access to data sources and 100% effective physical credential validation machinery is and has been wrong for many years.

Similarly, the fact that commercial vendors who are not doing business with US Federal or State governments see 800-63 as somehow valid in non-government scenarios is quite astonishing. At least with the Kantara SAC we have taken efforts to modify/strip out most (hopefully all) of the government dependencies that make no sense in B2B scenarios.

As assessors, I would be very interested to hear about your actual experience with actual assessments. Just like the 'components' argument, where I was surprised by your recounting what happens in the field (I should not have been surprised, but I was) - I'd like to hear how companies have worked around the tight restrictions and convinced their assessors too. Just in case I have to change my understanding in this situation as well.

andrew.

On Fri, Jun 28, 2024 at 7:27 AM Jimmy Jung <jimmy.jung@slandala.com> wrote:

Here is a fun bit of nonsense.
I gave NIST’s notional strength of evidence page to a client to help them expand on their approaches to IAL2, thinking that the notional strength of evidence page, which we have adopted, identifies and classifies many additional options for identity evidence. But as we dug in, things got murky. https://pages.nist.gov/800-63-3-Implementation-Resources/63A/resolution/
SP 800-63 and Kantara require that “The CSP SHALL validate identity evidence with a process that can achieve the same strength as the evidence presented. For example, if two forms of STRONG identity evidence are presented, each piece of evidence will be validated at a strength of STRONG.” (63 4.4.1.3; see also 63A#0200) This is compared with verification, which is only compared to the strongest piece of identity evidence (63 5.3.1).
And, validating evidence at STRONG requires having “all personal details and evidence details confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s).”
Thank god for AAMVA, but out of curiosity, what issuing, authoritative, or even credible source would validate a Permanent Resident Card, Native American Enhanced Tribal Card, “Enhanced ID cards,” U.S. Military ID, Permanent Resident Card or Native American Tribal Photo Identification Cards? Calling them SUPERIOR or STRONG isn’t really meaningful, if they cannot be validated that way.
There are some cool implementations that can read a passport and verify digital signatures, but for PIV, CAC, PIV-I (and TWIC?) you are going to need a card reader, so that mostly leaves out unsupervised. I think validating a digital signature is a fairly strong validation, even if it does not really COMPARE information with an issuing or authoritative source?
Things really seemed odd to me, when we came to the conclusion that you would have to consider a US Navy CAC card a “FAIR” piece of evidence, because the DoD doesn’t validate CAC cards.
For an unsupervised proofing, and working from NIST’s notional strength of evidence page, which TWO items can you compare with information held by an issuing or authoritative source?
US Passport - SUPERIOR
Foreign e-Passport - SUPERIOR
Personal Identity Verification (PIV) card - SUPERIOR
Common Access card (CAC) - SUPERIOR
Personal Identity Verification Interoperable (PIV-I) card - SUPERIOR
Transportation Worker Identification Credential (TWIC) - SUPERIOR
Permanent Resident Card - SUPERIOR
Native American Enhanced Tribal Card - SUPERIOR
REAL ID cards - STRONG+
Enhanced ID cards - STRONG+
U.S. Uniformed Services Privilege and Identification Card (U.S. Military ID) - STRONG+
Permanent Resident Card - STRONG
Native American Tribal Photo Identification Card - STRONG
Driver’s License or ID card (REAL ID non-compliant) - STRONG
Jimmy
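As an added illustration of the effect Jimmy describes (this is my code, not text from him, NIST or Kantara), the check below caps each item's strength at what the available validation can actually achieve and then asks which pairs from the notional table still satisfy IAL2. The per-item source_compare flags and the IAL2 combination rule are my assumptions and are labelled as such in the code.

```python
"""IAL2 effective-strength check modelling Jimmy's argument (constructed example).

Assumptions: STRONG validation needs comparison with the issuing/authoritative
source (quoted in the thread); without it the evidence is capped at FAIR.
IAL2 collection rules follow my reading of 800-63A rev. 3 sec. 4.4.1.2 (two
STRONG-or-better, or one STRONG-or-better plus two FAIR); the single-piece
route is left out. source_compare flags are constructed from the thread.
"""
from dataclasses import dataclass
from itertools import combinations

RANK = {"FAIR": 1, "STRONG": 2, "STRONG+": 3, "SUPERIOR": 4}

@dataclass(frozen=True)
class Evidence:
    name: str
    nominal: str          # strength from NIST's notional table
    source_compare: bool  # details comparable with issuing/authoritative source?

# Constructed catalog: nominal strengths from the notional table quoted in the
# thread; source_compare reflects Jimmy's remarks (AAMVA for licences, no
# comparison source for a CAC, an e-passport signature check is not one).
CATALOG = {
    "Passport": Evidence("US Passport", "SUPERIOR", False),
    "CAC": Evidence("Common Access Card", "SUPERIOR", False),
    "PRC": Evidence("Permanent Resident Card", "STRONG", False),
    "REAL ID": Evidence("REAL ID card", "STRONG+", True),
    "DL": Evidence("Driver's License (REAL ID non-compliant)", "STRONG", True),
}

def effective_strength(ev: Evidence) -> str:
    """Strength the evidence can actually be validated at, not its label."""
    return ev.nominal if ev.source_compare else "FAIR"

def meets_ial2(evidence: list) -> bool:
    """IAL2 collection check applied to effective (validated) strengths."""
    ranks = [RANK[effective_strength(e)] for e in evidence]
    strong_or_better = sum(r >= RANK["STRONG"] for r in ranks)
    fair = sum(r == RANK["FAIR"] for r in ranks)
    return strong_or_better >= 2 or (strong_or_better >= 1 and fair >= 2)

def qualifying_pairs() -> list:
    """Jimmy's question: which TWO catalog items satisfy IAL2 after validation?"""
    return [(a, b) for a, b in combinations(sorted(CATALOG), 2)
            if meets_ial2([CATALOG[a], CATALOG[b]])]
```

With these assumptions only the two AAMVA-checkable licences pair up; a CAC or passport counts as FAIR and needs a STRONG item plus a second FAIR item to get through.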
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance