I can see that validating might be proving that the applicant has access to the AoR (I wouldn’t even say ‘control over’, and certainly not ‘exclusive control over’), but then that becomes somewhat circular. Its frankly a poor definition and I think perhaps the term should be withdrawn. That there be an address to which the applicant can be proven to have access for the purposes of communicating with the CSP ought be the pragmatic requirement, though I see that this does little to bolster any confidence in a claim of identity if there can be no sense of real association between the address and the applicant (I think the trendy term is ‘velocity’).
This is compounded by the fact that in NIST’s requirements for proofing practices, one validates the authenticity of evidence offered (T5-2) but one verifies the applicant against validated evidence (T5-3).
Roll on v4!! :-o
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Thursday, November 9, 2023 15:15
To: IAWG
Subject: [WG-IDAssurance] Address of Record
Folks,
Under the heading of other-topics/open-discussion/items-we-may-not-get-to, I wanted to send the following regarding the address of record criteria in 63A. Below please find an inclusive extract of criteria regarding “address of record.” On several occasions, systems I have worked with have run into complications with “address of record,” and I had hoped to explore what is trying to accomplish by this criteria, as well as gain some context for reviewing the criteria as it evolves in 63 rev 4.
SP 800-63 formally defines “Address of Record” as “the validated and verified location (physical or digital) where an individual can receive communications using approved mechanisms.”
I would summarize 63 and the criteria for address of record as follows:
- You must validate the address of record with an issuing or authoritative source using information taken from the valid id evidence.
(address of record can't be self-asserted)
- 63A specifically calls out postal, mobile-phone (SMS), landline or email as potential addresses of record (with a preference for Postal)
- For Unsupervised proofing you must send an enrollment code to the confirmed address of record, which the Applicant must return. (for Supervised you may)
- If the enrollment code is also an authenticator it must be reset
- "An enrollment code allows the CSP to confirm that the applicant controls an address of record, as well as offering the applicant the ability to reestablish binding to their enrollment record."
- There are various limitations in the format, validity and attempts allowed for enrollment codes.
- The enrollment code and notification of proofing must be sent to different addresses of record.
My confusion stems from the difficulty, if not inability to validate the email or quite frankly postal as an address of record with an issuing or authoritative source. Citing my favorite examples, google will not validate a gmail address and no one “issues” a postal address.
- We identify an applicant by comparing them to the evidence and validating and verifying the evidence.
- As described by 63, we can use an enrollment code to confirm that the same applicant controls the address of record and confirm that the applicant can “receive communications” at that address.
- But given that email (not postal) is the likely preferred address for most systems and applicants, especially unsupervised systems; validating an email address with an issuing or authoritative source is very difficult.
- and I am unsure of the utility – if the applicant controls the address and we have identified the applicant, how useful is it to validate an address of record?
- Also, if supervised doesn’t use an enrollment code to confirm control, then we would be sending notifications to an unvalidated address.
- And, if validating an address of record is so difficult; isn’t it that much more difficult to have two; so that you may send the “enrollment code and notification of proofing to different addresses of record”.
(often the different addresses are the web-site/application performing the identification and an email address)
- And just for fun, can you send an enrollment code to an address of record, if an address of record isn’t an address of record until the applicant returns the enrollment code?
Thanks
Jimmy
| Jimmy Jung 703 851 6813 |
§ | (..) | Clause title | Requirement | 63A tag | index | KI_criterion | 2 | 3 | |
4.4.1.6 | 1 | Address Confirmation | Valid records to confirm address SHALL be issuing source(s) or authoritative source(s). | n/a | | | | | |
4.4.1.6 | 2 | Address Confirmation | The CSP SHALL confirm address of record. The CSP SHOULD confirm address of record through validation of the address contained on any supplied, valid piece of identity evidence. The CSP MAY confirm address of record by validating information supplied by the applicant that is not contained on any supplied piece of identity evidence. | 63A#0270 | | | The CSP SHALL validate and confirm the Applicant's address of record by relying only upon issuing source(s) or authoritative source(s). | ü | ü |
4.4.1.6 | 3 | Address Confirmation | Self-asserted address data that has not been confirmed in records SHALL NOT be used for confirmation. | 63A#0280 | | | The CSP SHALL NOT accept un-validated self-asserted addresses. | ü | ü |
4.4.1.6 | 4 | Address Confirmation | If CSP performs in-person proofing (physical or supervised remote): | 63A#0290 | | | If the CSP performs Supervised (In-person or Remote) proofing it SHALL document the maximum validities it allows for enrollment codes and only issue codes that meet that limitation, which SHALL NOT exceed 7 days. | ü | ü |
4.4.1.6 | 4 | Address Confirmation | The CSP SHOULD send a notification of proofing to a confirmed address of record. | n/a | | | | | |
4.4.1.6 | 4 | Address Confirmation | The CSP MAY provide an enrollment code directly to the subscriber if binding to an authenticator will occur at a later time. | n/a | | | | | |
4.4.1.6 | 4 | Address Confirmation | The enrollment code SHALL be valid for a maximum of 7 days. | n/a | | | See 63A#0290 | | |
4.4.1.6 | 5 | Address Confirmation | If the CSP performs remote proofing (unsupervised): | 63A#0300 | | | If the CSP performs Unsupervised proofing it SHALL: | ü | |
4.4.1.6 | 5 | Address Confirmation | The CSP SHALL send an enrollment code to a confirmed address of record for the applicant. | 63A#0300 | a) | | send an enrollment code to a confirmed address of record for the Applicant; | ü | |
4.4.1.6 | 5 | Address Confirmation | The applicant SHALL present a valid enrollment code to complete the identity proofing process. | 63A#0300 | b) | | require the Applicant to present a valid enrollment code to complete the identity proofing process; | ü | |
4.4.1.6 | 5 | Address Confirmation | The CSP SHOULD send the enrollment code to the postal address that has been validated in records. The CSP MAY send the enrollment code to a mobile telephone (SMS or voice), landline telephone, or email if it has been validated in records. | n/a | | | | | |
4.4.1.6 | 5 | Address Confirmation | If the enrollment code is also intended to be an authentication factor, it SHALL be reset upon first use. | 63A#0300 | c) | | If the enrollment code is also intended to be an authentication factor, reset the code upon first use; | ü | |
4.4.1.6 | 5 | Address Confirmation | Enrollment codes SHALL have the following maximum validities: | 63A#0300 | d) | | document the maximum validities it allows for enrollment codes and only issue codes that meet the following limitations: | ü | |
4.4.1.6 | 5 | Address Confirmation | 10 days when sent to a postal address of record within the contiguous United States; | 63A#0300 | d) | i) | 10 days, when sent to a postal address of record within the contiguous United States; | ü | |
4.4.1.6 | 5 | Address Confirmation | 30 days when sent to a postal address of record outside the contiguous United States; | 63A#0300 | d) | ii) | 30 days, when sent to a postal address of record outside the contiguous United States; | ü | |
4.4.1.6 | 5 | Address Confirmation | 10 minutes when sent to a telephone of record (SMS or voice); | 63A#0300 | d) | iii) | 10 minutes, when sent to a telephone number of record (SMS or voice); | ü | |
4.4.1.6 | 5 | Address Confirmation | 24 hours when sent to an email address of record. | 63A#0300 | d) | iv) | 24 hours, when sent to an email address of record. | ü | |
4.4.1.6 | 5 | Address Confirmation | The CSP SHALL ensure the enrollment code and notification of proofing are sent to different addresses of record. For example, if the CSP sends an enrollment code to a phone number validated in records, a proofing notification will be sent to the postal address validated in records or obtained from validated and verified evidence, such as a driver's license. | 63A#0300 | e) | | ensure that the enrollment code and notification of proofing are sent to different addresses of record. | ü | |
4.4.1.6 | Note | Address Confirmation | Postal address is the preferred method of sending any communications, including enrollment code and notifications, with the applicant. However, these guidelines support any confirmed address of record, whether physical or digital. | n/a | | | | | |
4.5.6 | 1 | Address Confirmation | The CSP SHALL confirm address of record. The CSP SHOULD confirm address of record through validation of the address contained on any supplied, valid piece of identity evidence. The CSP MAY confirm address of record by validating information supplied by the applicant, not contained on any supplied, valid piece of identity evidence. | 63A#0390 | | | The CSP SHALL confirm the Applicant's address of record using either: | | ü |
4.5.6 | | Address Confirmation | 63A#0390 | a) | | only information taken from any piece of valid identity evidence; or | | ü | |
4.5.6 | | Address Confirmation | 63A#0390 | b) | | for information values which might reasonably be amended from time-to-time, information substituted by the Applicant which SHALL be validated with the issuing source of the information. | | ü | |
4.5.6 | 3 | Address Confirmation | A notification of proofing SHALL be sent to the confirmed address of record. | 63A#0400 | | | The CSP SHALL send a notification of proofing outcome to the confirmed address of record. | | ü |
4.6 | | Enrollment Code | An enrollment code allows the CSP to confirm that the applicant controls an address of record, as well as offering the applicant the ability to reestablish binding to their enrollment record. | n/a | | | | | |
4.6 | | Enrollment Code | Binding NEED NOT be completed in the same session as the original identity proofing transaction. | n/a | | | | | |
4.6 | | Enrollment Code | An enrollment code SHALL be comprised of one of the following: | 63A#0450 | | | The CSP SHALL only issue enrollment codes that are, minimally, a random six character alphanumeric sequence or other value of equivalent entropy, represented either as: | ü | ü |
4.6 | 1 | Enrollment Code | Minimally, a random six character alphanumeric or equivalent entropy. For example, a code generated using an approved random number generator or a serial number for a physical hardware authenticator. | 63A#0450 | a) | | a human-readable text string; OR | ü | ü |
4.6 | 2 | Enrollment Code | A machine-readable optical label, such as a QR Code, that contains data of similar or higher entropy as a random six character alphanumeric. | 63A#0450 | b) | | A machine-readable optical label. | ü | ü |